Happy Valentine’s Day, ASSET blog readers! Bryan here, and while I don’t have any roses or chocolate truffles for you, I do have something sweet for you if you’re still struggling with Java DoS issues. As I noted earlier, Oracle has released a patch tool here; however, if you’re not able to apply this fix for some reason, I have some new malicious value detection code courtesy of Brian Chess (of Fortify/HP) that is greatly improved over my original detection code. Many thanks to Brian and to Jim Manico from OWASP for passing this along.
import java.math.BigDecimal;

// Class name is an assumption added so the fragment compiles as a unit;
// the fields and method are as in the original.
public class MagicDoSNumberDetector {
    private static BigDecimal bigBad;
    private static BigDecimal smallBad;

    static {
        BigDecimal one = new BigDecimal(1);
        BigDecimal two = new BigDecimal(2);
        // 1 / 2^1022 has a terminating decimal expansion, so exact divide() is safe here.
        BigDecimal tiny = one.divide(two.pow(1022));
        bigBad = tiny.subtract(one.divide(two.pow(1076)));   // 2^(-1022) - 2^(-1076)
        smallBad = tiny.subtract(one.divide(two.pow(1075))); // 2^(-1022) - 2^(-1075)
    }

    public static boolean containsMagicDoSNumber(String arg) {
        if (arg == null) return false; // arg is null? return.
        String noDot = arg.replace(".", "");
        // magic value not present? return.
        if (!noDot.contains("2225073858507201")) return false;
        BigDecimal bd;
        try {
            bd = new BigDecimal(arg);
        } catch (NumberFormatException e) {
            return false; // can't parse? return.
        }
        // smaller than the smallest bad value,
        // or larger than the largest bad value? Return
        if (bd.compareTo(smallBad) < 0 || bd.compareTo(bigBad) > 0) return false;
        // if you get here you know you're looking at a bad value.
        // The final value for any double in this range is supposed to be
        // 2.2250738585072014E-308
        return true;
    }
}
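To see why the two BigDecimal bounds are the right ones, here is an added cross-check written in Python rather than Java (Python's float parser is not subject to this bug, so it can safely tell us what a value in the interval is supposed to parse to). It is not code from the post or from Brian Chess: it ports the detector to exact rational arithmetic, constructs a few sample inputs from the same constants (including two that sit just inside the interval), and confirms that the correctly rounded result for them is the 2.2250738585072014E-308 the Java comment names. The function and sample names are mine; the digit run, the bounds and the expected result come from the code above.

```python
from decimal import Decimal, InvalidOperation, localcontext, ROUND_DOWN, ROUND_UP
from fractions import Fraction

# Exact bounds of the dangerous interval, built the same way as the Java
# static initializer: 2^-1022 minus 2^-1075 (low end) and minus 2^-1076 (high end).
SMALL_BAD = Fraction(1, 2**1022) - Fraction(1, 2**1075)
BIG_BAD = Fraction(1, 2**1022) - Fraction(1, 2**1076)

# Cheap substring prefilter, the same digit run the Java code uses.
MAGIC_DIGITS = "2225073858507201"

# 2^-1022 is Double.MIN_NORMAL; every decimal in [SMALL_BAD, BIG_BAD] should
# round to it, which is the value the Java comment names.
DOUBLE_MIN_NORMAL = 2.2250738585072014e-308


def contains_magic_dos_number(arg):
    """Port of containsMagicDoSNumber: prefilter on the digit run, then an exact
    range check. True means the text denotes a value inside [SMALL_BAD, BIG_BAD]."""
    if arg is None:
        return False
    if MAGIC_DIGITS not in arg.replace(".", ""):
        return False
    try:
        value = Decimal(arg)          # construction from a string is exact
    except InvalidOperation:
        return False
    if not value.is_finite():         # Decimal accepts 'NaN<digits>'; Fraction would not
        return False
    return SMALL_BAD <= Fraction(value) <= BIG_BAD


def decimal_text(x, digits, rounding):
    """Render a Fraction as a decimal string with `digits` significant digits,
    rounded in the given direction. Used only to build constructed sample inputs."""
    with localcontext() as ctx:
        ctx.prec = digits
        ctx.rounding = rounding
        return str(Decimal(x.numerator) / Decimal(x.denominator))


def sample_inputs():
    """Constructed sample values: two inside the interval (each rounded toward the
    inside of its bound so it stays inside), plus three that must not be flagged."""
    return {
        "inside_high": decimal_text(BIG_BAD, 20, ROUND_DOWN),
        "inside_low": decimal_text(SMALL_BAD, 20, ROUND_UP),
        "min_normal": "2.2250738585072014E-308",  # the correct result, just above BIG_BAD
        "benign": "3.14159",
        "garbage": "2225073858507201abc",       # passes the prefilter, fails to parse
    }


def classify(samples=None):
    """Run the detector over the samples; returns name -> flagged."""
    samples = samples or sample_inputs()
    return {name: contains_magic_dos_number(text) for name, text in samples.items()}


def rounds_to_min_normal(text):
    """Cross-check with Python's correctly rounded parser: the value a sane
    parser must produce for anything inside the interval."""
    return float(text) == DOUBLE_MIN_NORMAL


if __name__ == "__main__":
    for name, text in sample_inputs().items():
        print(f"{name:12s} flagged={contains_magic_dos_number(text)!s:5s} {text}")
    for name in ("inside_high", "inside_low"):
        text = sample_inputs()[name]
        print(name, "parses to MIN_NORMAL:", rounds_to_min_normal(text))
```

Two things the run makes concrete: the interval is the set of decimals that round to Double.MIN_NORMAL but lie strictly below it (its low end is the exact midpoint between the largest subnormal and MIN_NORMAL), and the prefilter is purely an optimization; only the exact comparison decides, so a value that slips past the digit check for formatting reasons is still rejected or accepted correctly by the range test.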
