
We are currently undertaking security vulnerability assessment of our webapps. For this we have been using the ZAP tool from OWASP for automated penetration testing. One of the alerts we received from ZAP was for integer overflow error with the following description: An integer overflow condition exists when an integer, which has not been properly checked from the input stream is used within a compiled program.

The actual report appears as follows:

Screenshot of the actual report

The method signature of the API listed above is as follows:

    @GetMapping(value = "/list")
    public ResponseEntity<PaginatedResponse> getUserList(
            @RequestParam(name = "searchQuery", defaultValue = "") String searchString,
            @RequestParam(defaultValue = "1") int pageNumber,
            @RequestParam(defaultValue = "100") int pageSize,
            @RequestParam(name = "sort_by", required = false) String sortBy,
            @RequestParam(name = "descending", defaultValue = "false") boolean isDescending) {
        // body omitted in the question; pageNumber and pageSize are handed to PageRequest
    }

We are using Spring Boot for our REST API, and the pageSize and pageNumber parameters are values that are passed to PageRequest for pagination purposes.

I have tried adding a check to see whether the input values are between Integer.MIN_VALUE and Integer.MAX_VALUE, but there is a possibility that the resulting value could still be a valid integer because of the wrap-around behaviour of casting values larger than the integer limit to an integer variable in Java.

Another thing to note is that the tool also passed an integer value to a variable that is expecting boolean (descending in the screenshot above), which I think will also have to be addressed somehow.

Perhaps there is some way to catch such an issue before binding occurs?

Desmond27

2 Answers

2

This has nothing to do with converting the string to a valid integer. That is already taken care of by Spring.

The actual issue is described on the OWASP ZAP page. A very large page number may overflow to a negative number after addition, resulting in possible unexpected behaviour in your application. Consider, for example,

https:/...?pageNumber=2147483646&pageSize=100

The pageNumber is a perfectly valid int, with value Integer.MAX_VALUE - 1. But if your application then adds pageSize to it, it will overflow. You can mitigate by validating pageNumber and pageSize to be within ranges of sensible values, e.g. pageNumber between 1 and 1000000, pageSize between 1 and 10000.

k314159
  • After testing this a bit more I see that Spring was throwing a `MethodArgumentTypeMismatchException`. The exception message is: `Failed to convert value of type 'java.lang.String' to required type 'int'; nested exception is java.lang.NumberFormatException: For input string: "75200819393726134959398316129505110502500992"`. So I guess checking the limit of the incoming value is not required since if the value does not match the data type of the bind variable, Spring would throw this exception anyway. I have updated the ControllerAdvice to handle this exception and return a 400 response. – Desmond27 Jan 11 '22 at 13:18
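The following is an added example, not code from the question or from either answer, showing how the range validation suggested above and the 400 handling mentioned in the comment fit together in one Spring Boot 2.x controller. It assumes `spring-boot-starter-validation` (javax.validation) is on the classpath; `UserQueryService`, `PaginatedResponse`, the `/list` path and the bounds 1,000,000 / 10,000 are assumptions taken from the thread, not a real project's API.

```java
// Added example (not from the question or answers). Range-validated paging
// parameters plus a ControllerAdvice that turns both binding failures
// (MethodArgumentTypeMismatchException) and out-of-range values
// (ConstraintViolationException) into HTTP 400 responses.
import javax.validation.ConstraintViolationException;
import javax.validation.constraints.Max;
import javax.validation.constraints.Min;

import org.springframework.data.domain.PageRequest;
import org.springframework.data.domain.Pageable;
import org.springframework.data.domain.Sort;
import org.springframework.http.ResponseEntity;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.method.annotation.MethodArgumentTypeMismatchException;

// Hypothetical service and response type, stubbed so the file compiles on its own.
interface UserQueryService {
    PaginatedResponse list(String searchString, Pageable pageable);
}

class PaginatedResponse {
}

@RestController
@Validated // required for @Min/@Max on method parameters to be enforced
public class UserListController {

    // Sensible upper bounds as the answer suggests (assumed values).
    static final int MAX_PAGE_NUMBER = 1_000_000;
    static final int MAX_PAGE_SIZE = 10_000;

    private final UserQueryService userQueryService;

    public UserListController(UserQueryService userQueryService) {
        this.userQueryService = userQueryService;
    }

    // Offset arithmetic done in long and with overflow detection, so a value
    // that passes binding as an int can never silently wrap when combined
    // with pageSize. With the bounds above it cannot overflow at all; the
    // exact-arithmetic call is the safety net if the bounds are ever relaxed.
    static long offsetOf(int pageNumber, int pageSize) {
        return Math.multiplyExact((long) (pageNumber - 1), (long) pageSize);
    }

    @GetMapping("/list")
    public ResponseEntity<PaginatedResponse> getUserList(
            @RequestParam(name = "searchQuery", defaultValue = "") String searchString,
            @RequestParam(defaultValue = "1") @Min(1) @Max(MAX_PAGE_NUMBER) int pageNumber,
            @RequestParam(defaultValue = "100") @Min(1) @Max(MAX_PAGE_SIZE) int pageSize,
            @RequestParam(name = "sort_by", required = false) String sortBy,
            @RequestParam(name = "descending", defaultValue = "false") boolean isDescending) {

        Sort sort = (sortBy == null)
                ? Sort.unsorted()
                : Sort.by(isDescending ? Sort.Direction.DESC : Sort.Direction.ASC, sortBy);

        // PageRequest is zero-based; the API in the question is one-based.
        Pageable pageable = PageRequest.of(pageNumber - 1, pageSize, sort);
        return ResponseEntity.ok(userQueryService.list(searchString, pageable));
    }
}

@RestControllerAdvice
class PagingErrorHandler {

    // Raised by Spring when the raw string cannot be converted to the parameter
    // type: a number too large for int, or a non-boolean token for 'descending'.
    @ExceptionHandler(MethodArgumentTypeMismatchException.class)
    ResponseEntity<String> onTypeMismatch(MethodArgumentTypeMismatchException ex) {
        return ResponseEntity.badRequest()
                .body("Invalid value for request parameter '" + ex.getName() + "'");
    }

    // Raised when the value converted fine but violates @Min/@Max.
    @ExceptionHandler(ConstraintViolationException.class)
    ResponseEntity<String> onOutOfRange(ConstraintViolationException ex) {
        return ResponseEntity.badRequest().body(ex.getMessage());
    }
}
```

With this in place the two inputs from the thread behave differently but end the same way: `pageNumber=75200819393726134959398316129505110502500992` fails conversion and is answered by `onTypeMismatch`, while `pageNumber=2147483646` converts to a valid int, fails the `@Max` check and is answered by `onOutOfRange`; neither value reaches the pagination arithmetic.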
0

A simplistic and somewhat inefficient solution would be to receive all your params as String and do your own parsing with appropriate validation.

Michael Gantman
  • Seems this is what Spring does anyway (ref my comment on the other answer). So, I guess we don't need to handle this ourselves. – Desmond27 Jan 11 '22 at 13:19