Java: Big Decimal DOS #6730
Open
Java: Big Decimal DOS #6730
Conversation
added 2 commits
Sep 22, 2021
atorralba
reviewed
Sep 23, 2021
java/ql/src/experimental/Security/BigDecimalDOS/BigDecimalDOS.ql
Outdated
Show resolved
Hide resolved
| override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } | ||
|
|
||
| override predicate isSink(DataFlow::Node sink) { | ||
| exists(Method method, MethodAccess call | |
Thanks @atorralba for helping review this part of the code.
Yes, I will do more tests and add these methods!
Marcono1234
reviewed
Sep 23, 2021
I am not a member of this project, so feel free to consider these comments only as suggestion, but maybe they are helpful nontheless.
java/ql/src/experimental/Security/BigDecimalDOS/BigDecimalDOS.qhelp
Outdated
Show resolved
Hide resolved
|
|
||
|
|
||
| <overview> | ||
| <p>Directly incorporating user input into an BigDecimal Operation Function without validating the input |
Should probably use the term "method" instead of "function" since that is the commonly used term in the Java context.
(And also a few lines below the term "method" is used as well)
| <recommendation> | ||
|
|
||
| <p>To guard against BigDecimal DOS attacks, you should avoid putting user-provided input | ||
| directly into a BigDecimal Method(like: add(), subtract()). Instead, In some e-commerce payment scenarios, |
Suggested change
| directly into a BigDecimal Method(like: add(), subtract()). Instead, In some e-commerce payment scenarios, | |
| directly into a BigDecimal method (like: add(), subtract()). Instead, in some e-commerce payment scenarios, |
Maybe it would also be worth formatting these methods as code using <code>...</code>?
Thanks @Marcono1234 help review, I will to do some modify about this query rule's help file.
java/ql/src/experimental/Security/BigDecimalDOS/BigDecimalDOS.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/BigDecimalDOS/BigDecimalDOS.qhelp
Outdated
Show resolved
Hide resolved
| @@ -0,0 +1,38 @@ | |||
| /** | |||
| * @id java/BigDecimalDOS | |||
| * @name Java-BigDecimal-DOS-Vulnerability | |||
The name does not have to use hyphens, see query metadata style guide
java/ql/src/experimental/Security/BigDecimalDOS/BigDecimalDOS.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/BigDecimalDOS/BigDecimalDOS.ql
Outdated
Show resolved
Hide resolved
| @ResponseBody | ||
| // GOOD: | ||
| public Long demo02(@RequestParam(name = "num") String num) { | ||
| if (num.length() > 33 || num.matches("(?i)e")) { |
Shouldn't that be:
Suggested change
| if (num.length() > 33 || num.matches("(?i)e")) { | |
| if (num.length() > 33 || num.matches("(?i).*e.*")) { |
(or similar)
| } | ||
| Long startTime = System.currentTimeMillis(); | ||
| BigDecimal num1 = new BigDecimal(0.005); | ||
| System.out.println(num1.add(num)); |
There is no BigDecimal.add(String); you would probably have to convert num it to a BigDecimal first
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Directly incorporating user input into an BigDecimal Operation Function without validating the input
can facilitate DOS attacks. In these attacks, the server
will consume a lot of computing resources, A typical scenario is that the CPU usage rises to close to 100%.
This issue often occurs in scenarios that require scientific computing, such as e-commerce platforms and electronic payments.
The text was updated successfully, but these errors were encountered: