We happened to use IBM appscan http://www-01.ibm.com/software/awdtools/appscan/
against our java codebase, and it returned around 3000 high severity vulnerabilities.
Most of them happen to be System Information Leak, which it thinks is happening when we print stack traces in the catch blocks, but we only print the filename and line number it is happening, enabling us to debug the code better.
And some are about SQL injection, input validation etc.
But, my question was about Resource exhaustion (file descriptor, disk space, sockets, ...), and it lists all instances of java.io.BufferedReader.readLine as places for possible external attacks.
InputStream ins=conn.getInputStream();
String inputLine;
if (!preserveLinefeeds) {
BufferedReader in = new BufferedReader(new InputStreamReader(ins));
while ((inputLine = in.readLine()) != null)
pr.readThreadResponse+=inputLine;
in.close();
ins.close();
}
conn is a HttpURLConnection object.
How do I add safegaurds in the code to prevent this?
Any time you open a stream, ensure that a finally block closes the stream when finished.
If an IOException is thrown while reading from the stream in your code the stream will not be closed, hence the warning
Java 7 makes this easy with the try with resources construct. In java 6 or earlier you need to replicate with lots of boilerplate, eg
InputStream ins = null;
try {
ins = conn.getInputStream();
...
} finally {
IOUtils.closeQuietly(ins);
}
Using the IOUtils class from Apache Commons
You can write your own closeQuietly if you don't want to add the dependency