Tags: java, spring, request-mapping, denial-of-service, crlf-vulnerability

Denial of Service ReadLine vulnerability for spring java application


In my Spring Java application, the scan tool is showing a vulnerability, "Denial of Service: ReadLine", for the ModelAttribute ("someFormBean"):

    @RequestMapping(method = RequestMethod.POST)
    public String processForm(@Valid @ModelAttribute("someFormBean") MultipleForm form, /*Source*/
                              BindingResult bindingResult, Model model, HttpServletRequest request) {
        return processForm(form, bindingResult, model);
    }

What does it mean? How to fix this?


Solution

  • It seems that this is the answer: https://vulncat.fortify.com/en/detail?id=desc.dataflow.abap.denial_of_service

    To quote:

    code reads a String from a zip file. Because it uses the readLine() method, it will read an unbounded amount of input. An attacker may take advantage of this code to cause an OutOfMemoryException or to consume a large amount of memory so that the program spends more time performing garbage collection or runs out of memory during some subsequent operation.

    Probably your scanner knows (or thinks it knows) how such an attribute is implemented in Spring, so it throws this inspection warning. If you could add any details as to which scanner tool it is, what version it has, which modules/configuration settings it uses, etc., it would be easier to reason about this message.
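To make the quoted Fortify description concrete, here is an added example (not code from the question, the answer, or Fortify) that puts the unbounded `readLine()` pattern next to a bounded reader that fails fast once a line or the line count exceeds a cap. The class name, the `MAX_LINE_LENGTH` and `MAX_LINES` limits and the sample inputs are assumptions made for the illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not from the question or the Fortify page): reading lines
 * from untrusted input with an explicit length cap, contrasted with the
 * unbounded readLine() pattern the scanner is warning about.
 */
public class BoundedLineReader {

    // Assumed limits; tune them to what the application actually needs.
    static final int MAX_LINE_LENGTH = 4096;
    static final int MAX_LINES = 1000;

    /** The pattern the scanner flags: readLine() buffers until '\n' with no upper bound. */
    static List<String> readAllUnbounded(Reader in) throws IOException {
        BufferedReader reader = new BufferedReader(in);
        List<String> lines = new ArrayList<>();
        String line;
        while ((line = reader.readLine()) != null) {
            lines.add(line); // one line with no newline can grow until memory runs out
        }
        return lines;
    }

    /**
     * Hardened form: read character by character and reject the input as soon
     * as a line exceeds MAX_LINE_LENGTH or the input exceeds MAX_LINES, so the
     * memory held is bounded by MAX_LINES * MAX_LINE_LENGTH whatever the client sends.
     */
    static List<String> readAllBounded(Reader in) throws IOException {
        BufferedReader reader = new BufferedReader(in);
        List<String> lines = new ArrayList<>();
        StringBuilder current = new StringBuilder();
        int c;
        while ((c = reader.read()) != -1) {
            if (c == '\n') {
                addLine(lines, current);
                continue;
            }
            if (c == '\r') {
                continue; // tolerate CRLF line endings; '\n' terminates the line
            }
            if (current.length() >= MAX_LINE_LENGTH) {
                throw new IOException("line exceeds " + MAX_LINE_LENGTH + " characters");
            }
            current.append((char) c);
        }
        if (current.length() > 0) {
            addLine(lines, current); // final line without a trailing newline
        }
        return lines;
    }

    private static void addLine(List<String> lines, StringBuilder current) throws IOException {
        if (lines.size() >= MAX_LINES) {
            throw new IOException("input exceeds " + MAX_LINES + " lines");
        }
        lines.add(current.toString());
        current.setLength(0);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a small CRLF-terminated body, then one oversized line.
        String normal = "name=alice\r\nrole=user\r\n";
        System.out.println(readAllBounded(new StringReader(normal)));

        StringBuilder huge = new StringBuilder();
        for (int i = 0; i < MAX_LINE_LENGTH + 1; i++) {
            huge.append('x');
        }
        try {
            readAllBounded(new StringReader(huge.toString()));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The bounded reader is only relevant where your own code reads a stream with `readLine()`. In the controller shown in the question the form fields are parsed by the servlet container before the handler runs, so if the finding really concerns `@ModelAttribute` binding, the practical control is the container's request size limit (for example Tomcat's connector `maxPostSize`) rather than a change in the handler itself.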