Protect readLine() against DoS (#4)

pixeebot[bot] · web-flow · commit b6a1da5d8ef1 · 2024-07-19T08:33:27.000-04:00
Co-authored-by: pixeebot[bot] &lt;104101892+pixeebot[bot]@users.noreply.github.com&gt;
diff --git a/xwiki-platform-core/pom.xml b/xwiki-platform-core/pom.xml
@@ -46,6 +46,7 @@
       org.xwiki.contrib:authservice-backport-api,
       org.xwiki.contrib:authservice-backport-default
     </xwiki.platform.oldcore.extension.features>
+    <versions.java-security-toolkit>1.2.0</versions.java-security-toolkit>
   </properties>
   <build>
     <pluginManagement>
@@ -380,4 +381,14 @@
       </build>
     </profile>
   </profiles>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit</artifactId>
+        
+        <version>${versions.java-security-toolkit}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
 </project>
diff --git a/xwiki-platform-core/xwiki-platform-mailsender/pom.xml b/xwiki-platform-core/xwiki-platform-mailsender/pom.xml
@@ -56,6 +56,10 @@
       <type>pom</type>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit</artifactId>
+    </dependency>
   </dependencies>
   <build>
     <plugins>
diff --git a/xwiki-platform-core/xwiki-platform-mailsender/src/main/java/com/xpn/xwiki/plugin/mailsender/MailSenderPlugin.java b/xwiki-platform-core/xwiki-platform-mailsender/src/main/java/com/xpn/xwiki/plugin/mailsender/MailSenderPlugin.java
@@ -19,6 +19,7 @@
  */
 package com.xpn.xwiki.plugin.mailsender;
 
+import io.github.pixee.security.BoundedLineReader;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -404,17 +405,17 @@ protected void parseRawMessage(String rawMessage, Mail toMail)
             PrintWriter output = new PrintWriter(result);
             boolean headersFound = false;
 
-            line = input.readLine();
+            line = BoundedLineReader.readLine(input, 5_000_000);
             // Additional headers are at the start. Parse them and put them in the Mail object.
             // Warning: no empty lines are allowed before the headers.
             Matcher m = SMTP_HEADER.matcher(line);
             while (line != null && m.matches()) {
                 String header = m.group(1);
                 String value = m.group(2);
-                line = input.readLine();
+                line = BoundedLineReader.readLine(input, 5_000_000);
                 while (line != null && (line.startsWith(" ") || line.startsWith("\t"))) {
                     value += line;
-                    line = input.readLine();
+                    line = BoundedLineReader.readLine(input, 5_000_000);
                 }
                 if (header.equals(SUBJECT)) {
                     toMail.setSubject(value);
@@ -431,7 +432,7 @@ protected void parseRawMessage(String rawMessage, Mail toMail)
 
             // There should be one empty line here, separating the body from the headers.
             if (headersFound && line != null && StringUtils.isBlank(line)) {
-                line = input.readLine();
+                line = BoundedLineReader.readLine(input, 5_000_000);
             } else {
                 if (headersFound) {
                     LOGGER.warn("Mail body does not contain an empty line between the headers and the body.");
@@ -447,7 +448,7 @@ protected void parseRawMessage(String rawMessage, Mail toMail)
             do {
                 // Mails always use \r\n as EOL
                 output.print(line + "\r\n");
-            } while ((line = input.readLine()) != null);
+            } while ((line = BoundedLineReader.readLine(input, 5_000_000)) != null);
 
             toMail.setTextPart(result.toString());
         } catch (IOException ioe) {
diff --git a/xwiki-platform-core/xwiki-platform-oldcore/pom.xml b/xwiki-platform-core/xwiki-platform-oldcore/pom.xml
@@ -638,6 +638,10 @@
       <artifactId>xwiki-platform-index-api</artifactId>
       <version>${project.version}</version>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit</artifactId>
+    </dependency>
   </dependencies>
   <build>
     <plugins>
diff --git a/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/store/migration/hibernate/R35100XWIKI7564DataMigration.java b/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/store/migration/hibernate/R35100XWIKI7564DataMigration.java
@@ -20,6 +20,7 @@
 
 package com.xpn.xwiki.store.migration.hibernate;
 
+import io.github.pixee.security.BoundedLineReader;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
@@ -115,7 +116,7 @@ public void execute(Connection connection) throws SQLException
                     new InputStreamReader(this.getClass().getResourceAsStream("R35100XWIKI7564.sql"),
                         StandardCharsets.UTF_8))) {
                     String line;
-                    while ((line = in.readLine()) != null) {
+                    while ((line = BoundedLineReader.readLine(in, 5_000_000)) != null) {
                         stmt.addBatch(line);
                     }
                 }
diff --git a/xwiki-platform-core/xwiki-platform-webjars/pom.xml b/xwiki-platform-core/xwiki-platform-webjars/pom.xml
@@ -42,4 +42,16 @@
       </modules>
     </profile>
   </profiles>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit</artifactId>
+        <version>${versions.java-security-toolkit}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+  <properties>
+    <versions.java-security-toolkit>1.2.0</versions.java-security-toolkit>
+  </properties>
 </project>
diff --git a/xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-api/pom.xml b/xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-api/pom.xml
@@ -127,5 +127,9 @@
       <artifactId>xwiki-platform-lesscss-api</artifactId>
       <version>${project.version}</version>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit</artifactId>
+    </dependency>
   </dependencies>
 </project>
diff --git a/xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-api/src/main/java/org/xwiki/webjars/internal/FilesystemResourceReferenceCopier.java b/xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-api/src/main/java/org/xwiki/webjars/internal/FilesystemResourceReferenceCopier.java
@@ -19,6 +19,7 @@
  */
 package org.xwiki.webjars.internal;
 
+import io.github.pixee.security.BoundedLineReader;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -152,7 +153,7 @@ private void processCSSfile(String resourcePrefix, String targetPrefix, JarEntry
         // Limitation: we only support url() constructs located on a single line
         try (BufferedReader br = new BufferedReader(new InputStreamReader(jar.getInputStream(entry), "UTF-8"))) {
             String line;
-            while ((line = br.readLine()) != null) {
+            while ((line = BoundedLineReader.readLine(br, 5_000_000)) != null) {
                 Matcher matcher = URL_PATTERN.matcher(line);
                 while (matcher.find()) {
                     String url = matcher.group(1);

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@`
`20`	`20`
`21`	`21`	`package com.xpn.xwiki.store.migration.hibernate;`
`22`	`22`
	`23`	`+import io.github.pixee.security.BoundedLineReader;`
`23`	`24`	`import java.io.BufferedReader;`
`24`	`25`	`import java.io.IOException;`
`25`	`26`	`import java.io.InputStreamReader;`
`@@ -115,7 +116,7 @@ public void execute(Connection connection) throws SQLException`
`115`	`116`	`new InputStreamReader(this.getClass().getResourceAsStream("R35100XWIKI7564.sql"),`
`116`	`117`	`StandardCharsets.UTF_8))) {`
`117`	`118`	`String line;`
`118`		`- while ((line = in.readLine()) != null) {`
	`119`	`+ while ((line = BoundedLineReader.readLine(in, 5_000_000)) != null) {`
`119`	`120`	`stmt.addBatch(line);`
`120`	`121`	`}`
`121`	`122`	`}`