Protect readLine() against DoS

Author: pixeebot[bot]

flow-server/pom.xml

@@ -170,7 +170,10 @@
             <version>${hibernate.validator.version}</version>
             <scope>test</scope>
         </dependency>
-
+        <dependency>
+            <groupId>io.github.pixee</groupId>
+            <artifactId>java-security-toolkit</artifactId>
+        </dependency>
     </dependencies>
     <build>
         <resources>

flow-server/src/main/java/com/vaadin/flow/server/frontend/TaskRunDevBundleBuild.java

@@ -15,6 +15,7 @@
  */
 package com.vaadin.flow.server.frontend;
 
+import io.github.pixee.security.BoundedLineReader;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.IOException;
@@ -173,7 +174,7 @@ private void runFrontendBuildTool(String toolName, String executable,
                     new InputStreamReader(process.getInputStream(),
                             StandardCharsets.UTF_8))) {
                 String stdoutLine;
-                while ((stdoutLine = reader.readLine()) != null) {
+                while ((stdoutLine = BoundedLineReader.readLine(reader, 5_000_000)) != null) {
                     logger.debug(stdoutLine);
                     toolOutput.append(stdoutLine)
                             .append(System.lineSeparator());

flow-test-util/pom.xml

@@ -56,6 +56,10 @@
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.github.pixee</groupId>
+            <artifactId>java-security-toolkit</artifactId>
+        </dependency>
     </dependencies>
 
     <build>

flow-test-util/src/main/java/com/vaadin/flow/testutil/net/LinuxEphemeralPortRangeDetector.java

@@ -16,6 +16,7 @@
 // under the License.
 package com.vaadin.flow.testutil.net;
 
+import io.github.pixee.security.BoundedLineReader;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.IOException;
@@ -65,7 +66,7 @@ public static LinuxEphemeralPortRangeDetector getInstance() {
         int lowPort = defaultRange.getLowestEphemeralPort();
         int highPort = defaultRange.getHighestEphemeralPort();
         try (BufferedReader in = new BufferedReader(inputFil)) {
-            String[] split = in.readLine().split("\\s+", 3);
+            String[] split = BoundedLineReader.readLine(in, 5_000_000).split("\\s+", 3);
             lowPort = Integer.parseInt(split[0]);
             highPort = Integer.parseInt(split[1]);
         } catch (IOException | NullPointerException ignore) {

pom.xml

@@ -146,6 +146,7 @@
         <failsafe.parallel>all</failsafe.parallel>
         <failsafe.threadCount>2</failsafe.threadCount>
         <failsafe.perCoreThreadCount>true</failsafe.perCoreThreadCount>
+        <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
     </properties>
 
     <repositories>
@@ -280,6 +281,12 @@
                 <artifactId>hamcrest-all</artifactId>
                 <version>1.3</version>
             </dependency>
+            <dependency>
+                <groupId>io.github.pixee</groupId>
+                <artifactId>java-security-toolkit</artifactId>
+                
+                <version>${versions.java-security-toolkit}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>