Java DoS Update

Happy Valentine’s Day, ASSET blog readers! Bryan here, and while I don’t have any roses or chocolate truffles for you, I do have something sweet for you if you’re still struggling with Java DoS issues. As I noted earlier, Oracle has released a patch tool here; however, if you’re not able to apply this fix for some reason, I have some new malicious value detection code courtesy of Brian Chess (of Fortify/HP) that is greatly improved over my original detection code. Many thanks to Brian and to Jim Manico from OWASP for passing this along.

import java.math.BigDecimal;

public class MagicDoSDetector {

  // Bounds of the range of decimal values whose conversion to double
  // triggers the hang: everything between 2^(-1022) - 2^(-1075) and
  // 2^(-1022) - 2^(-1076), inclusive.
  private static BigDecimal bigBad;
  private static BigDecimal smallBad;

  static {
    BigDecimal one = new BigDecimal(1);
    BigDecimal two = new BigDecimal(2);
    // 1/2^1022 has a terminating decimal expansion, so the exact
    // divide() below cannot throw ArithmeticException.
    BigDecimal tiny = one.divide(two.pow(1022));           // 2^(-1022)
    bigBad = tiny.subtract(one.divide(two.pow(1076)));   // 2^(-1022) - 2^(-1076)
    smallBad = tiny.subtract(one.divide(two.pow(1075))); // 2^(-1022) - 2^(-1075)
  }

  public static boolean containsMagicDoSNumber(String arg) {

    if (arg == null) return false;  // arg is null?  return.

    // Cheap pre-filter: every decimal spelling of a value in the bad
    // range carries this digit run, wherever the point or exponent
    // sits, so a string without it can be passed through untouched.
    String noDot = arg.replace(".", "");

    // magic value not present?  return.
    if (!noDot.contains("2225073858507201")) return false;

    // Note: new BigDecimal(String) rejects surrounding whitespace and a
    // trailing f/F/d/D type suffix, both of which Double.parseDouble
    // accepts. Normalize the input the same way the consumer will
    // before calling this, or such strings fall through as "can't parse".
    BigDecimal bd;
    try {
      bd = new BigDecimal(arg);
    } catch (NumberFormatException e) {
      return false;  // can't parse?  return.
    }

    // smaller than the smallest bad value,
    // or larger than the largest bad value?  Return
    if (bd.compareTo(smallBad) < 0 || bd.compareTo(bigBad) > 0) return false;

    // if you get here you know you're looking at a bad value.
    // The final value for any double in this range is supposed to be
    // 2.2250738585072014E-308
    return true;

  }
}
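As an added example (my code, not part of the original post and not Brian Chess's routine), here is a small driver that carries the same interval check but first shapes the input the way Double.parseDouble does: that method trims surrounding whitespace and accepts an optional trailing f/F/d/D type suffix, neither of which new BigDecimal(String) tolerates, so without this step a string that still hangs the parser slips past the check as unparseable. The main method runs it over constructed test vectors: the published trigger value, two re-spellings of it with a shifted exponent and leading zeros, a value elsewhere inside the interval, its nearest decimal neighbours just outside it, and junk. The class name MagicDoSCheckDemo, the helper normalizeLikeParseDouble and the vector list are my own.

```java
import java.math.BigDecimal;

public class MagicDoSCheckDemo {

    // Same closed interval as the routine above:
    // [2^(-1022) - 2^(-1075), 2^(-1022) - 2^(-1076)].
    private static final BigDecimal SMALL_BAD;
    private static final BigDecimal BIG_BAD;

    static {
        BigDecimal one = new BigDecimal(1);
        BigDecimal two = new BigDecimal(2);
        BigDecimal tiny = one.divide(two.pow(1022));          // exact: power of two
        BIG_BAD   = tiny.subtract(one.divide(two.pow(1076)));
        SMALL_BAD = tiny.subtract(one.divide(two.pow(1075)));
    }

    /**
     * Hypothetical helper: reshape the string the way Double.parseDouble
     * will before it parses, so the BigDecimal check sees the same number.
     */
    static String normalizeLikeParseDouble(String arg) {
        String s = arg.trim();                          // parseDouble ignores surrounding whitespace
        if (!s.isEmpty()) {
            char last = s.charAt(s.length() - 1);
            if (last == 'd' || last == 'D' || last == 'f' || last == 'F') {
                s = s.substring(0, s.length() - 1);     // optional FloatTypeSuffix
            }
        }
        return s;
    }

    /** Same digit pre-filter and exact interval test as the routine above. */
    static boolean containsMagicDoSNumber(String arg) {
        if (arg == null) return false;
        String s = normalizeLikeParseDouble(arg);
        if (!s.replace(".", "").contains("2225073858507201")) return false;
        BigDecimal bd;
        try {
            bd = new BigDecimal(s);
        } catch (NumberFormatException e) {
            return false;                               // not a decimal number at all
        }
        return bd.compareTo(SMALL_BAD) >= 0 && bd.compareTo(BIG_BAD) <= 0;
    }

    public static void main(String[] args) {
        // Constructed test vectors: { input, expected verdict }
        Object[][] vectors = {
            { "2.2250738585072012e-308",      true  },  // the published trigger
            { "22250738585072012e-325",       true  },  // same value, exponent shifted
            { "0.00022250738585072012e-304",  true  },  // same value, leading zeros
            { "  2.2250738585072012e-308D  ", true  },  // whitespace + suffix: parseDouble still takes it
            { "2.22507385850720115e-308",     true  },  // another point inside the interval
            { "2.2250738585072011e-308",      false },  // just below SMALL_BAD (~2.2250738585072011360e-308)
            { "2.2250738585072013e-308",      false },  // just above BIG_BAD  (~2.2250738585072012596e-308)
            { "2.2250738585072014e-308",      false },  // Double.MIN_NORMAL as Java prints it; harmless
            { "not a number",                 false },
            { null,                           false },
        };

        int mismatches = 0;
        for (Object[] v : vectors) {
            String input = (String) v[0];
            boolean expected = (Boolean) v[1];
            boolean got = containsMagicDoSNumber(input);
            System.out.printf("%-34s -> %-5b %s%n", input, got, got == expected ? "" : "MISMATCH");
            if (got != expected) mismatches++;
        }
        System.out.println(mismatches == 0 ? "all vectors as expected" : mismatches + " mismatch(es)");
    }
}
```

Save as MagicDoSCheckDemo.java, then javac and java it. The whitespace-plus-suffix vector is the one the routine above answers false for, because new BigDecimal rejects that string before the interval test is reached, while Double.parseDouble would still consume it; the two neighbours show that the check is a real interval test rather than a substring match, since both of them pass the digit pre-filter and are rejected only by the BigDecimal comparison.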