From 6152d3fbb17b4baa849845d8b44e71deaa21ce9d Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Thu, 5 Dec 2024 14:02:21 +0000
Subject: [PATCH] Hardening suggestions for Stirling-PDF / certValidate (#2395)
* Protect `readLine()` against DoS
* Switch order of literals to prevent NullPointerException
--------
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
---
 .../software/SPDF/service/CertificateValidationService.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/main/java/stirling/software/SPDF/service/CertificateValidationService.java b/src/main/java/stirling/software/SPDF/service/CertificateValidationService.java
index 3650a11aa8f..41f54f4aa22 100644
--- a/src/main/java/stirling/software/SPDF/service/CertificateValidationService.java
+++ b/src/main/java/stirling/software/SPDF/service/CertificateValidationService.java
@@ -1,5 +1,6 @@
 package stirling.software.SPDF.service;
+import io.github.pixee.security.BoundedLineReader;
 import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -44,14 +45,14 @@ private void loadMozillaCertificates() throws Exception {
 boolean inCert = false;
 int certCount = 0;
- while ((line = reader.readLine()) != null) {
+ while ((line = BoundedLineReader.readLine(reader, 5_000_000)) != null) {
 if (line.startsWith("CKA_VALUE MULTILINE_OCTAL")) {
 inCert = true;
 certData = new StringBuilder();
 continue;
 }
 if (inCert) {
- if (line.equals("END")) {
+ if ("END".equals(line)) {
 inCert = false;
 byte[] certBytes = parseOctalData(certData.toString());
 if (certBytes != null) {
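Review bot: The added `import io.github.pixee.security.BoundedLineReader;` introduces a third-party artifact, but the diffstat shows only CertificateValidationService.java changed, so unless the pixee security library is already declared in the build this patch will not compile; the build-file change (or confirmation that the dependency already exists) should accompany this hunk. Since the helper is only used to cap line length on the certdata read in the second hunk, a JDK-only alternative would be a small private bounded-read loop over `reader.read()`, which avoids taking on a new supply-chain dependency for a one-line guard. Whichever form is kept, the `5_000_000` limit the import serves would read better as a named constant such as `private static final int MAX_CERTDATA_LINE_LENGTH = 5_000_000;` with a comment explaining why that size was chosen.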