How to solve Checkmarx's issue Uncontrolled_Memory_Allocation

Checkmarx, for the below line of code, reports the issue Uncontrolled_Memory_Allocation.

ObjectNode values = objectMapper.readValue(request.getInputStream(), ObjectNode.class);

A user that is invoking the given request is authorized in the system. I'm not able to decide what's a reasonable size of a stream that the system should allow. Sometimes it could be even 60 MB, but I cannot predict whether someone would like to upload a file that has, let's say, 80MB.
I know I could try to catch OutOfMemoryError, but this is in general very bad practice.

What would be the correct way to handle this issue?

Answer 1

Score: 1

If your code allows arbitrary amounts of memory to be allocated, the result that was flagged by Checkmarx is correct.
If the files only come from a trusted source/user, the issue is not very severe, but still should be fixed.

It is clear that you cannot exactly predict the maximum size of the files that may be uploaded, but no validation and limitation of maximum size is not good practice.
Try to estimate what size still makes sense for a user to upload and use a 10x size limit to be future proof. Make sure to test your system and see if there are any adverse effects of uploading such big files.

Good luck!
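One way to put the answer's advice into practice, as an added example that is not part of the question or the answer above: instead of handing the raw request stream to Jackson, reject an oversized Content-Length up front and wrap the stream so that parsing fails with a controlled exception once the byte limit is exceeded. The class and method names (BoundedJsonReader, BoundedInputStream, readBounded, BodyTooLargeException) and the 64 MB limit are assumptions chosen for this example; the sample JSON bodies are constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;

public class BoundedJsonReader {

    /** Thrown when the request body exceeds the configured limit (hypothetical name). */
    public static class BodyTooLargeException extends IOException {
        public BodyTooLargeException(long limit) {
            super("Request body exceeds limit of " + limit + " bytes");
        }
    }

    /** InputStream wrapper that fails as soon as more than maxBytes have been read. */
    static final class BoundedInputStream extends FilterInputStream {
        private final long maxBytes;
        private long count;

        BoundedInputStream(InputStream in, long maxBytes) {
            super(in);
            this.maxBytes = maxBytes;
        }

        @Override
        public int read() throws IOException {
            int b = super.read();
            if (b != -1) consumed(1);
            return b;
        }

        // FilterInputStream.read(byte[]) delegates here, so both bulk reads are covered.
        @Override
        public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            if (n > 0) consumed(n);
            return n;
        }

        private void consumed(long n) throws IOException {
            count += n;
            if (count > maxBytes) throw new BodyTooLargeException(maxBytes);
        }
    }

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /**
     * Parses JSON from the body, rejecting anything larger than maxBytes.
     * declaredLength is the Content-Length header (-1 if absent): an oversized
     * declared length is rejected before a single byte is read; a missing or
     * lying header is still caught by the bounded stream while parsing.
     */
    public static ObjectNode readBounded(InputStream body, long declaredLength, long maxBytes)
            throws IOException {
        if (declaredLength > maxBytes) throw new BodyTooLargeException(maxBytes);
        try (InputStream bounded = new BoundedInputStream(body, maxBytes)) {
            return MAPPER.readValue(bounded, ObjectNode.class);
        }
    }

    public static void main(String[] args) throws IOException {
        long limit = 64L * 1024 * 1024; // 64 MB: an assumed limit for this example

        // Constructed small body: parses normally.
        byte[] small = "{\"name\":\"demo\"}".getBytes(StandardCharsets.UTF_8);
        ObjectNode ok = readBounded(new ByteArrayInputStream(small), small.length, limit);
        System.out.println("parsed: " + ok);

        // Constructed oversized body with no Content-Length, against a tiny 1 KB limit:
        // the bounded stream aborts parsing instead of allocating the whole document.
        byte[] big = ("{\"blob\":\"" + "x".repeat(2000) + "\"}").getBytes(StandardCharsets.UTF_8);
        try {
            readBounded(new ByteArrayInputStream(big), -1, 1024);
        } catch (BodyTooLargeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In the servlet from the question this would be called as readBounded(request.getInputStream(), request.getContentLengthLong(), limit), and the controller maps BodyTooLargeException to an HTTP 413 response. Pick the limit the way the answer suggests (a realistic upload size with headroom) and load-test it, since the bound only caps the raw byte count; the parsed ObjectNode tree is still larger than the input it came from.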

huangapple
  • Posted by huangapple on 2020-10-02 18:14:00
  • Please keep this link when reposting: https://go.coder-hub.com/64169882.html