TechQA.

SV.DOS.ARRSIZE: Unvalidated user input 'sigFileInputStream.available()' in Klocwork for following line

212 views Asked by At

I am using klocwok to review my code. For the given line of code:

byte sigToVerify = new byte[sigFileInputStream.available()];

I am getting the following error report:

SV.DOS.ARRSIZE: Unvalidated user input sigFileInputStream.available() used for array size - attacker can specify a large number leading to high resource usage on the server and a DOS attack

Please help me resolve this issue.

java inputstream fileinputstream klocwork
Original Q&A
1

There are 1 answers

0
nonesuchnick On

Without more of your code snippet to go on, I would think that Klocwork is reporting a valid issue here. You should review the documentation provided for the SV.DOS.ARRSIZE checker, which explains why this is reported. On the Vulnerability and risk:

The use of data from outside the application must be validated before use by the application. If this data is used to allocate arrays of objects in the application, the content of the data must be closely checked. Attackers can exploit this vulnerability to force the application to allocate very large numbers of objects, leading to high resource usage on the application server and the potential for a denial-of-service (DoS) condition.

On the Mitigation and prevention:

The prevention of DoS attacks from user input can be achieved by validating any and all input from outside the application (user input, file input, system parameters, etc.). Validation should include length and content. ... Data used for allocation should also be checked for reasonable values, assuming that user input could contain very small or very large values.

Even the Java InputStream API docs (of which FileInputStream is a subclass) warn that using the return value of the available() method is a bad idea:

Note that while some implementations of InputStream will return the total number of bytes in the stream, many will not. It is never correct to use the return value of this method to allocate a buffer intended to hold all data in this stream.

An example of how to fix your code to avoid this would be to, as suggested above, validate the value returned by available() before using it to allocate the array:

int buffSize = sigFileInputStream.available();
if (buffSize > 0 && buffSize < 100000000) { // 100MB
  byte sigToVerify = new byte[buffSize];
  // do something with sigToVerify ...
} else {
  // error
}

Note that 100000000 or 100MB for sigToVerify may still be way too large for your purposes, or it could be too small. You should determine the most sane value to use here based on what your code is trying to accomplish.

Related Questions in JAVA

Related Questions in INPUTSTREAM

Related Questions in FILEINPUTSTREAM

Related Questions in KLOCWORK

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions