From b6a1da5d8ef140713284af1c307fc75cce47ac6c Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Fri, 19 Jul 2024 08:33:27 -0400
Subject: [PATCH] Protect `readLine()` against DoS (#4)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
---
xwiki-platform-core/pom.xml | 11 +++++++++++
.../xwiki-platform-mailsender/pom.xml | 4 ++++
.../xwiki/plugin/mailsender/MailSenderPlugin.java | 11 ++++++-----
xwiki-platform-core/xwiki-platform-oldcore/pom.xml | 4 ++++
.../hibernate/R35100XWIKI7564DataMigration.java | 3 ++-
xwiki-platform-core/xwiki-platform-webjars/pom.xml | 12 ++++++++++++
.../xwiki-platform-webjars-api/pom.xml | 4 ++++
.../internal/FilesystemResourceReferenceCopier.java | 3 ++-
8 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/xwiki-platform-core/pom.xml b/xwiki-platform-core/pom.xml
index a1dbd0a8392b..44bc83eaa6fc 100644
--- a/xwiki-platform-core/pom.xml
+++ b/xwiki-platform-core/pom.xml
@@ -46,6 +46,7 @@ org.xwiki.contrib:authservice-backport-api, org.xwiki.contrib:authservice-backport-default
+ 1.2.0
@@ -380,4 +381,14 @@
+
+
+
+ io.github.pixee
+ java-security-toolkit
+
+ ${versions.java-security-toolkit}
+
+
+
diff --git a/xwiki-platform-core/xwiki-platform-mailsender/pom.xml b/xwiki-platform-core/xwiki-platform-mailsender/pom.xml
index f1c0e515f97d..f30f863bad1c 100644
--- a/xwiki-platform-core/xwiki-platform-mailsender/pom.xml
+++ b/xwiki-platform-core/xwiki-platform-mailsender/pom.xml
@@ -56,6 +56,10 @@ pom test
+
+ io.github.pixee
+ java-security-toolkit
+
diff --git a/xwiki-platform-core/xwiki-platform-mailsender/src/main/java/com/xpn/xwiki/plugin/mailsender/MailSenderPlugin.java b/xwiki-platform-core/xwiki-platform-mailsender/src/main/java/com/xpn/xwiki/plugin/mailsender/MailSenderPlugin.java
index 04326c47444e..55fc7e81a37d 100644
--- a/xwiki-platform-core/xwiki-platform-mailsender/src/main/java/com/xpn/xwiki/plugin/mailsender/MailSenderPlugin.java
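Review bot: The `dependencyManagement` entry added at the end of xwiki-platform-core/pom.xml brings a new third-party runtime library, `io.github.pixee:java-security-toolkit`, into every platform-core module for what the Java hunks in this patch use as a single static helper, `BoundedLineReader.readLine(reader, limit)`. A bounded line reader is a handful of lines over `Reader.read()`, so an in-tree utility would avoid widening the supply-chain surface of the core POM and avoid a pinned toolkit version that now has to be tracked for security updates. If the dependency is kept, state its purpose next to the `1.2.0` property, e.g. `<!-- BoundedLineReader: caps line length in readLine() loops (DoS hardening) -->`, since the element names are not visible in this rendering and the intent is otherwise only recoverable from the commit title. The same `1.2.0` value is declared again in xwiki-platform-webjars/pom.xml later in this patch; one definition in the root POM is enough.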
+++ b/xwiki-platform-core/xwiki-platform-mailsender/src/main/java/com/xpn/xwiki/plugin/mailsender/MailSenderPlugin.java
@@ -19,6 +19,7 @@ */
 package com.xpn.xwiki.plugin.mailsender;
+import io.github.pixee.security.BoundedLineReader;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -404,17 +405,17 @@ protected void parseRawMessage(String rawMessage, Mail toMail)
 PrintWriter output = new PrintWriter(result);
 boolean headersFound = false;
- line = input.readLine();
+ line = BoundedLineReader.readLine(input, 5_000_000);
 // Additional headers are at the start. Parse them and put them in the Mail object.
 // Warning: no empty lines are allowed before the headers.
 Matcher m = SMTP_HEADER.matcher(line);
 while (line != null && m.matches()) {
 String header = m.group(1);
 String value = m.group(2);
- line = input.readLine();
+ line = BoundedLineReader.readLine(input, 5_000_000);
 while (line != null && (line.startsWith(" ") || line.startsWith("\t"))) {
 value += line;
- line = input.readLine();
+ line = BoundedLineReader.readLine(input, 5_000_000);
 }
 if (header.equals(SUBJECT)) {
 toMail.setSubject(value);
@@ -431,7 +432,7 @@ protected void parseRawMessage(String rawMessage, Mail toMail)
 // There should be one empty line here, separating the body from the headers.
 if (headersFound && line != null && StringUtils.isBlank(line)) {
- line = input.readLine();
+ line = BoundedLineReader.readLine(input, 5_000_000);
 } else {
 if (headersFound) {
 LOGGER.warn("Mail body does not contain an empty line between the headers and the body.");
@@ -447,7 +448,7 @@ protected void parseRawMessage(String rawMessage, Mail toMail)
 do {
 // Mails always use \r\n as EOL
 output.print(line + "\r\n");
- } while ((line = input.readLine()) != null);
+ } while ((line = BoundedLineReader.readLine(input, 5_000_000)) != null);
 toMail.setTextPart(result.toString());
 } catch (IOException ioe) {
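Review bot: The replaced `readLine()` calls in `parseRawMessage` can now throw on an over-long line, yet the only handler visible at the end of the hunk is `catch (IOException ioe)`; if `BoundedLineReader.readLine` signals the overrun with an unchecked exception (the pixee toolkit throws a `SecurityException`, as far as I know), a raw message containing a line longer than 5,000,000 characters now escapes this method as a runtime exception instead of being handled as malformed input, so add a matching `catch (SecurityException e)` beside the `IOException` handler and fail the parse cleanly. The per-line cap also leaves the folded-header accumulation `value += line;` in the inner `while` unbounded: many continuation lines, each under the limit, still grow `value` without limit, so a check on the total header size is still missing. Since `rawMessage` is already an in-memory `String` (see the hunk header), the cap mainly guards against pathological per-line processing rather than memory exhaustion, which is worth saying in a comment at the first bounded call. Hoist the literal, repeated five times in this one method, to `private static final int MAX_LINE_LENGTH = 5_000_000;` so the policy lives in one place. `parseRawMessage` starts before and ends after this hunk.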
diff --git a/xwiki-platform-core/xwiki-platform-oldcore/pom.xml b/xwiki-platform-core/xwiki-platform-oldcore/pom.xml
index e8b055318076..d470404e215e 100644
--- a/xwiki-platform-core/xwiki-platform-oldcore/pom.xml
+++ b/xwiki-platform-core/xwiki-platform-oldcore/pom.xml
@@ -638,6 +638,10 @@ xwiki-platform-index-api ${project.version}
+
+ io.github.pixee
+ java-security-toolkit
+
diff --git a/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/store/migration/hibernate/R35100XWIKI7564DataMigration.java b/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/store/migration/hibernate/R35100XWIKI7564DataMigration.java
index ce6e7a82c951..7b5ad376558e 100644
--- a/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/store/migration/hibernate/R35100XWIKI7564DataMigration.java
+++ b/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/store/migration/hibernate/R35100XWIKI7564DataMigration.java
@@ -20,6 +20,7 @@ package com.xpn.xwiki.store.migration.hibernate;
+import io.github.pixee.security.BoundedLineReader;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
@@ -115,7 +116,7 @@ public void execute(Connection connection) throws SQLException
 new InputStreamReader(this.getClass().getResourceAsStream("R35100XWIKI7564.sql"), StandardCharsets.UTF_8))) {
 String line;
- while ((line = in.readLine()) != null) {
+ while ((line = BoundedLineReader.readLine(in, 5_000_000)) != null) {
 stmt.addBatch(line);
 }
 }
diff --git a/xwiki-platform-core/xwiki-platform-webjars/pom.xml b/xwiki-platform-core/xwiki-platform-webjars/pom.xml
index 3002fc8acc71..218e941e29a0 100644
--- a/xwiki-platform-core/xwiki-platform-webjars/pom.xml
+++ b/xwiki-platform-core/xwiki-platform-webjars/pom.xml
@@ -42,4 +42,16 @@
+
+
+
+ io.github.pixee
+ java-security-toolkit
+ ${versions.java-security-toolkit}
+
+
+
+
+ 1.2.0
+
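Review bot: The bounded read in `execute` is applied to `R35100XWIKI7564.sql`, a resource loaded from this class's own jar via `getResourceAsStream`, which is build-time content rather than user input; the cap buys no DoS protection here and only adds a theoretical failure mode, since an over-long line in the bundled script would make the migration throw (presumably an unchecked exception from the toolkit, which `execute`'s `throws SQLException` does not cover) instead of run. I would keep plain `in.readLine()` for trusted classpath resources and drop the `io.github.pixee` dependency from the oldcore POM, or at least record the decision at the loop: `// Bundled resource; bounded anyway so a corrupt script cannot stall the migration`. Adjacent and pre-existing: `getResourceAsStream` returns null when the resource is missing, which this try-with-resources would surface as a NullPointerException, so `Objects.requireNonNull(..., "R35100XWIKI7564.sql missing from classpath")` would give a clearer failure. `execute` begins outside this hunk.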
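Review bot: The `versions.java-security-toolkit` property `1.2.0` and the `dependencyManagement` entry added at the end of xwiki-platform-webjars/pom.xml duplicate what this same patch adds to xwiki-platform-core/pom.xml; if the webjars POM inherits from that root POM (the module layout suggests it does), the second definition shadows the first and the two versions can drift silently, which is exactly how a security-library update ends up missing a module. Keep the single definition in the root POM and let xwiki-platform-webjars-api pick the version up from managed dependencies, as the mailsender and oldcore POMs in this patch already do. The XML element names are not visible in this rendering, so confirm which elements are involved against the raw file.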
diff --git a/xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-api/pom.xml b/xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-api/pom.xml
index acd691ce98a1..6ee07b32cf44 100644
--- a/xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-api/pom.xml
+++ b/xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-api/pom.xml
@@ -127,5 +127,9 @@ xwiki-platform-lesscss-api ${project.version}
+
+ io.github.pixee
+ java-security-toolkit
+
diff --git a/xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-api/src/main/java/org/xwiki/webjars/internal/FilesystemResourceReferenceCopier.java b/xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-api/src/main/java/org/xwiki/webjars/internal/FilesystemResourceReferenceCopier.java
index 7e891984f9bf..0a9f0cc73ede 100644
--- a/xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-api/src/main/java/org/xwiki/webjars/internal/FilesystemResourceReferenceCopier.java
+++ b/xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-api/src/main/java/org/xwiki/webjars/internal/FilesystemResourceReferenceCopier.java
@@ -19,6 +19,7 @@ */
 package org.xwiki.webjars.internal;
+import io.github.pixee.security.BoundedLineReader;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -152,7 +153,7 @@ private void processCSSfile(String resourcePrefix, String targetPrefix, JarEntry
 // Limitation: we only support url() constructs located on a single line
 try (BufferedReader br = new BufferedReader(new InputStreamReader(jar.getInputStream(entry), "UTF-8"))) {
 String line;
- while ((line = br.readLine()) != null) {
+ while ((line = BoundedLineReader.readLine(br, 5_000_000)) != null) {
 Matcher matcher = URL_PATTERN.matcher(line);
 while (matcher.find()) {
 String url = matcher.group(1);
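Review bot: In `processCSSfile` the input is a CSS entry read from a webjar via `jar.getInputStream(entry)`, and minified CSS is commonly a single line, so the 5,000,000-character cap on the `while` loop is effectively a whole-file cap here; if a large minified stylesheet ever exceeds it, the toolkit's `readLine` presumably throws and processing of that resource fails outright rather than degrading, and nothing in this hunk catches that. Either record this next to the existing `// Limitation:` comment, e.g. `// Lines longer than MAX_LINE_LENGTH abort processing; minified CSS is usually one line`, and hoist the literal to a named constant, or bound the total bytes read from the entry instead of the line length, which is the quantity that actually matters for a jar resource. Pre-existing but adjacent: `new InputStreamReader(..., "UTF-8")` could take `StandardCharsets.UTF_8` and drop the checked `UnsupportedEncodingException` path. `processCSSfile` starts before this hunk and its body continues past it.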