如何防范资源耗尽等漏洞? [英] How to guard against Resource exhaustion and other vulnerabilities?

问题描述

我们碰巧使用了 IBM appscan http://www-01.ibm.com/software/awdtools/appscan/

We happened to use IBM appscan http://www-01.ibm.com/software/awdtools/appscan/

针对我们的 Java 代码库，它返回了大约 3000 个高危漏洞.

against our java codebase, and it returned around 3000 high severity vulnerabilities.

它们中的大多数碰巧是系统信息泄漏，当我们在 catch 块中打印堆栈跟踪时它认为正在发生，但我们只打印它发生的文件名和行号，使我们能够更好地调试代码.

Most of them happen to be System Information Leak, which it thinks is happening when we print stack traces in the catch blocks, but we only print the filename and line number it is happening, enabling us to debug the code better.

有些是关于 SQL 注入、输入验证等.

And some are about SQL injection, input validation etc.

但是，我的问题是关于资源耗尽(文件描述符、磁盘空间、套接字等)，它列出了 java.io.BufferedReader.readLine 的所有实例作为可能的外部攻击.

But, my question was about Resource exhaustion (file descriptor, disk space, sockets, ...), and it lists all instances of java.io.BufferedReader.readLine as places for possible external attacks.

       InputStream ins=conn.getInputStream();

      String inputLine;

      if (!preserveLinefeeds) {
         BufferedReader in = new BufferedReader(new InputStreamReader(ins));
         while ((inputLine = in.readLine()) != null)
            pr.readThreadResponse+=inputLine;
         in.close();
         ins.close();
      } 

conn 是一个 HttpURLConnection 对象.

conn is a HttpURLConnection object.

如何在代码中添加安全保护来防止这种情况发生?

How do I add safegaurds in the code to prevent this?

推荐答案

无论何时打开流，请确保 finally 块在完成后关闭流.

Any time you open a stream, ensure that a finally block closes the stream when finished.

如果在从代码中读取流时抛出 IOException，流将不会关闭，因此警告

If an IOException is thrown while reading from the stream in your code the stream will not be closed, hence the warning

Java 7 通过 try with resources 构造使这变得容易.在 java 6 或更早版本中，您需要使用大量样板进行复制，例如

Java 7 makes this easy with the try with resources construct. In java 6 or earlier you need to replicate with lots of boilerplate, eg

InputStream ins = null;
try {
  ins = conn.getInputStream();
  ...
} finally {
  IOUtils.closeQuietly(ins);
}

使用 Apache Commons 中的 IOUtils 类

Using the IOUtils class from Apache Commons

如果不想添加依赖，可以自己写closeQuietly

You can write your own closeQuietly if you don't want to add the dependency

这篇关于如何防范资源耗尽等漏洞?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！