
All,

I have written Java code that needs to check text entered by the user on the console. I want the code to test that the entered line does not exceed, for example, 20 letters. I wrote it as follows:

import java.util.Scanner;

String getName() {

    boolean badName = true;
    String Name = "";
    Scanner console = new Scanner(System.in);

    while (badName) {
        System.out.println("Please enter your first name ");
        Name = console.nextLine();

        // ^ I want to check this string length while the user enters the line
        //   to prevent DOS attack when an attacker tries to enter very large line

        if (console.nextLine().length() > 20) {
        // ^ I tried this but could not get the string value after this condition validated,
        //   I don't want to store it in a variable to not cause DOS attack.
        //   (this call reads a second line from the console, not the one held in Name)
            System.out.println("please enter valid name!!!");
            continue;
        }

        if (!Name.matches("[a-zA-Z_]+")) {
            System.out.println("the name contains invalid character, please try again :");
            continue;
        }
        badName = false;
    }

    return Name;
}

I'm not sure if I really need to check that to prevent a DOS attack, or if Java usually takes care of that?

Thanks,

Hex
    umm...what is this "DOS" attack ? – Erran Morad Oct 12 '14 at 05:22
  • Denial of service attack – Hex Oct 12 '14 at 05:24
    I don't think this is preventing any attack, but you are scanning the input and assigning it to `Name`, so when the if statement tries to execute `console.nextLine()` it will find nothing there. – dramzy Oct 12 '14 at 05:27
  • @Hex - Yes, a DOS is that, but it is also Micro$lop's Disk Operating System. But, I am not sure what the OP meant. If he really meant DOS/DDOS, then it will be weird. – Erran Morad Oct 12 '14 at 05:28
  • @dramzy, that's exactly what I get: when trying to check the length without storing the value, I lose the value and can only read the next line. – Hex Oct 12 '14 at 05:41
  • Disregarding the argument about DOS... it looks like you did not get what @dramzy means: you need to check the length of `Name`, not of `console.nextLine()` --> so `if (Name.length() > 20) ...` – Yazan Oct 12 '14 at 06:21

2 Answers


In theory, someone could make your application crash by providing an extremely long line as input.

In practice, it is not worth worrying about:

  • The denial of service is trivial. If your program crashes, it affects nothing of importance on the system. The "attacker" will get the satisfaction of seeing a stack trace ... but that is the limit of the damage.

  • The "attack" is only available to someone who can run your program. If they can do that, there are a lot worse things that they could do to "deny service".

Since the attack has no plausible impact, IMO it is not worth defending against. But if you did want to defend against it, it would be a simple matter to pre-read each line into a StringBuffer, reading one character at a time and discarding characters if the line is longer than you think is appropriate.

Note that this particular "attack" can't be done by simply typing a very long input line. A typical command shell (or console program, or "tty" driver) has a limit of a few thousand characters on the length of a line. The "bad guy" needs to redirect standard input to get longer input lines. (It is not hard ...)


There are situations where extra long lines could be a viable DOS attack ... but not here.

Stephen C

If you're worried about someone feeding the program a very long line and you use nextLine, you have already lost:

As you can see in the Javadoc:

Since this method continues to search through the input looking for a line separator, it may buffer all of the input searching for the line to skip if no line separators are present.

Plus, calling nextLine twice won't get you the same result. Store the return value and check against that.

Storing the return value does not allocate more storage as it simply stores another reference to the string. nextLine already allocated that storage when it was preparing the return value. If you really want to ensure that you do not allocate a very long string, you need to read bytes from System.in into an array of predetermined size (use the read() method). This is a bit harder than just using Scanner.nextLine though. Consider if you really need this level of checking.

lmz
  • That's right, I was trying to find an alternative way to validate the input from the console, but no luck so far :( – Hex Oct 12 '14 at 05:32
  • Added more info. Basically if you don't want uncontrolled allocation, you should use System.in.read, but that's a lot more work. Or maybe you can use the findWithinHorizon method of the scanner with horizon > 0. – lmz Oct 12 '14 at 06:06
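Both answers point at the same mitigation: read the line yourself under a fixed cap (Stephen C's character-at-a-time read into a StringBuffer that discards the excess, and lmz's read into a buffer of predetermined size) instead of letting Scanner.nextLine buffer an unbounded line. The following is an added example illustrating that approach; it is not code from either answer or from the question. The class and method names (BoundedLineReader, readBoundedLine, isValidName, getName), the Line result type, and the constructed sample input are assumptions made for the example. Memory use is bounded by the cap no matter how long the supplied line is, because characters past the cap are read and dropped rather than stored.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;

public class BoundedLineReader {

    /** One line read under a length cap (hypothetical helper type for this example). */
    static final class Line {
        final String text;       // at most maxLen characters
        final boolean truncated; // true if the input line was longer than maxLen
        final boolean eof;       // true if end of stream came before any line separator

        Line(String text, boolean truncated, boolean eof) {
            this.text = text;
            this.truncated = truncated;
            this.eof = eof;
        }
    }

    /**
     * Reads one line from {@code in}, keeping at most {@code maxLen} characters.
     * Anything beyond the cap is consumed and discarded up to the end of the line,
     * so the caller never allocates more than a maxLen-sized buffer.
     * Returns null when the stream is exhausted with nothing read.
     */
    static Line readBoundedLine(Reader in, int maxLen) throws IOException {
        char[] buf = new char[maxLen]; // fixed-size buffer, the only allocation
        int len = 0;
        boolean truncated = false;
        int c;
        while ((c = in.read()) != -1) {
            if (c == '\n') {
                return new Line(new String(buf, 0, len), truncated, false);
            }
            if (c == '\r') {
                continue; // tolerate CRLF line endings
            }
            if (len < maxLen) {
                buf[len++] = (char) c;
            } else {
                truncated = true; // drop the character, keep draining to end of line
            }
        }
        if (len == 0 && !truncated) {
            return null; // end of input, nothing read
        }
        return new Line(new String(buf, 0, len), truncated, true);
    }

    /** Validation rule from the question: letters and underscore only, within the cap. */
    static boolean isValidName(Line line) {
        return line != null && !line.truncated && line.text.matches("[a-zA-Z_]+");
    }

    /** Prompts until a valid name is read; returns null if input runs out. */
    static String getName(Reader in, int maxLen) throws IOException {
        while (true) {
            System.out.println("Please enter your first name (max " + maxLen + " letters)");
            Line line = readBoundedLine(in, maxLen);
            if (line == null) {
                return null; // input exhausted
            }
            if (line.truncated) {
                System.out.println("please enter valid name!!! (too long)");
                continue;
            }
            if (!isValidName(line)) {
                System.out.println("the name contains invalid character, please try again :");
                continue;
            }
            return line.text;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a 100,000-character line, then a line with a digit,
        // then an acceptable name. Replace the reader with
        // new InputStreamReader(System.in, StandardCharsets.UTF_8) for real console use.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 100_000; i++) {
            sb.append('A');
        }
        String sample = sb.toString() + "\nJo3\nAlice\n";
        Reader in = new InputStreamReader(
                new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)),
                StandardCharsets.UTF_8);
        System.out.println("accepted: " + getName(in, 20));
    }
}
```

Running main prints the two rejection messages followed by `accepted: Alice`; the 100,000-character line is drained through the 20-char buffer without ever being held as a String. The rejection on truncation is deliberate: silently keeping the first 20 characters would accept a name the user never typed.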