Denial of Service ReadLine vulnerability for spring java application

In my Spring Java application, the scanning tool reports a Denial of Service vulnerability: ReadLine on ModelAttribute("someFormBean")

    @RequestMapping(method = RequestMethod.POST)
    public String processForm(@Valid @ModelAttribute("someFormBean") MultipleForm form, /*Source*/
            BindingResult bindingResult, Model model, HttpServletRequest request) {
        return processForm(form, bindingResult, model);
    }

What does this mean, and how do I fix it?

It looks like the answer is here: https://vulncat.fortify.com/en/detail?id=desc.dataflow.abap.denial_of_service

Quote:

code reads a String from a zip file. Because it uses the readLine() method, it will read an unbounded amount of input. An attacker may take advantage of this code to cause an OutOfMemoryException or to consume a large amount of memory so that the program spends more time performing garbage collection or runs out of memory during some subsequent operation.

Probably your scanner knows (or thinks it knows) how such an attribute is implemented in Spring and therefore raises this check warning. If you can add any details - which scanner tool it is, what version it has, which modules/configuration settings, etc. - it will be easier to work out what this message means.
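The mitigation the quoted finding implies is to bound how much a single readLine() call may buffer, so that a request body with no newline cannot grow the heap without limit. The following is an added example, not code from the question, from Spring or from the Fortify page; the class name, the 64-character limit and the constructed input are assumptions for illustration.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

// Added example: reads one line but refuses to buffer more than maxChars.
// Unlike BufferedReader.readLine(), an attacker-supplied line with no
// terminator fails fast instead of consuming memory until OutOfMemoryError.
public final class BoundedLineReader {
    private final Reader in;
    private final int maxChars; // assumed limit; tune to the expected input

    public BoundedLineReader(Reader in, int maxChars) {
        this.in = in;
        this.maxChars = maxChars;
    }

    /** Returns the next line without its terminator, or null at end of stream. */
    public String readLine() throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) != -1) {
            if (c == '\n') {
                return sb.toString();
            }
            if (c == '\r') {
                continue; // tolerate CRLF line endings
            }
            if (sb.length() >= maxChars) {
                // Reject the line before the buffer grows any further.
                throw new IOException("line exceeds " + maxChars + " characters");
            }
            sb.append((char) c);
        }
        return sb.length() == 0 ? null : sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: one normal line followed by an over-long one
        // (String.repeat requires Java 11 or newer).
        String data = "user=alice\n" + "x".repeat(1000) + "\n";
        BoundedLineReader r = new BoundedLineReader(new StringReader(data), 64);
        System.out.println(r.readLine()); // user=alice
        try {
            r.readLine();
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Wrapping the servlet request's reader in such a class, or enforcing an equivalent request-size limit at the container level, is the kind of bound the scanner is looking for.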