fix: add size validation to JarRemoteClassSource

Flossy · claude · Scot P. Floess · commit 55ae93fe9f26 · 2026-05-29T11:33:47.000-04:00
- Add MAX_JAR_SIZE constant (100MB default) to prevent disk exhaustion - Add MAX_CLASS_SIZE constant (10MB default) to prevent OOM on large entries - Check Content-Length header before downloading JAR - Validate downloaded JAR file size after download - Check entry size before reading from JAR - Add readWithSizeLimit() helper for entries with unknown size - Document canLoad() performance characteristics in Javadoc Without these fixes: - Attacker could upload multi-GB JAR and fill disk - Large class entries could cause OutOfMemoryError - No protection against malicious content Fixes #54 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
diff --git a/src/main/java/org/flossware/classloader/JarRemoteClassSource.java b/src/main/java/org/flossware/classloader/JarRemoteClassSource.java
@@ -30,6 +30,8 @@ public class JarRemoteClassSource implements ClassSource, AutoCloseable {
     private static final Logger logger = LoggerFactory.getLogger(JarRemoteClassSource.class);
     private static final int DEFAULT_CONNECT_TIMEOUT_MS = 10000;
     private static final int DEFAULT_READ_TIMEOUT_MS = 30000;
+    private static final long MAX_JAR_SIZE = 100 * 1024 * 1024; // 100MB default
+    private static final long MAX_CLASS_SIZE = 10 * 1024 * 1024; // 10MB default
 
     private final String jarUrl;
     private final AuthConfig authConfig;
@@ -113,12 +115,29 @@ private synchronized void ensureJarReady() throws IOException {
                 if (responseCode != HttpURLConnection.HTTP_OK) {
                     throw new IOException("HTTP error code: " + responseCode + " for URL: " + url);
                 }
+
+                // Check JAR size before downloading
+                long contentLength = httpConnection.getContentLengthLong();
+                if (contentLength > MAX_JAR_SIZE) {
+                    throw new IOException(
+                        "JAR file too large: " + contentLength + " bytes (max " + MAX_JAR_SIZE + ")"
+                    );
+                }
             }
 
             try (InputStream in = connection.getInputStream()) {
                 Files.copy(in, tempJarPath, StandardCopyOption.REPLACE_EXISTING);
             }
 
+            // Validate downloaded file size
+            long actualSize = Files.size(tempJarPath);
+            if (actualSize > MAX_JAR_SIZE) {
+                Files.deleteIfExists(tempJarPath);
+                throw new IOException(
+                    "Downloaded JAR exceeds size limit: " + actualSize + " bytes"
+                );
+            }
+
             return null;
         });
 
@@ -137,19 +156,64 @@ public byte[] loadClassData(String className) throws IOException {
             throw new IOException("Class not found in JAR: " + className);
         }
 
-        try (InputStream in = jarFile.getInputStream(entry);
-             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
+        long size = entry.getSize();
+        if (size < 0) {
+            // Unknown size - read with limit
+            return readWithSizeLimit(jarFile.getInputStream(entry), MAX_CLASS_SIZE);
+        }
 
+        if (size > MAX_CLASS_SIZE) {
+            throw new IOException(
+                "Class file too large: " + size + " bytes (max " + MAX_CLASS_SIZE + ")"
+            );
+        }
+
+        if (size > Integer.MAX_VALUE) {
+            throw new IOException("Class file exceeds Java array limit: " + size);
+        }
+
+        try (InputStream in = jarFile.getInputStream(entry)) {
+            byte[] data = new byte[(int)size];
+            int totalRead = 0;
+
+            while (totalRead < size) {
+                int n = in.read(data, totalRead, (int)size - totalRead);
+                if (n == -1) break;
+                totalRead += n;
+            }
+
+            return data;
+        }
+    }
+
+    private byte[] readWithSizeLimit(InputStream in, long maxSize) throws IOException {
+        try (ByteArrayOutputStream out = new ByteArrayOutputStream()) {
             byte[] buffer = new byte[DEFAULT_BUFFER_SIZE];
+            long totalRead = 0;
             int bytesRead;
+
             while ((bytesRead = in.read(buffer)) != -1) {
+                totalRead += bytesRead;
+                if (totalRead > maxSize) {
+                    throw new IOException("Entry exceeds maximum size: " + totalRead);
+                }
                 out.write(buffer, 0, bytesRead);
             }
 
             return out.toByteArray();
         }
     }
 
+    /**
+     * Checks if this source can load the specified class.
+     *
+     * <p><b>Performance Note:</b> The first call to this method (or loadClassData())
+     * will download the entire JAR file. Subsequent calls use the cached JAR and are fast.
+     * The download is synchronized and happens only once per instance.</p>
+     *
+     * @param className The fully qualified class name to check
+     * @return true if the class exists in the JAR, false otherwise
+     */
     @Override
     public boolean canLoad(String className) {
         try {
