Re: CipherInputStream may not be closed

2023-09-10 Thread Andreas Lehmkühler 




Am 08.09.23 um 17:32 schrieb axh:

Hi Anna-Katharina,

what version are you using? In the current 3.0, the stream is closed 
(implicitly) by using the try-with-resources syntax 
(https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html):

try (CipherInputStream cis = new CipherInputStream(data, cipher))
{
 …
}
According to Git Blame, try-with-resources has been used at that point since 
2017, so there should be no problem. Disclaimer: I am not a maintainer, I just 
sometimes contribute code.

In PDFBox 2.0.x the stream is closed in a finally block.

I guess we are fine here.

Andreas



Axel



Am 08.09.2023 um 14:08 schrieb Anna-Katharina Wickert 
:

Hei dear maintainers,

For a benchmark [1], we randomly sampled JCA usages to decide if the API usage 
is a violation of any API usage constraint.
We believe we found one for the JCA class CipherInputStream.
The call to *close* is missing for the call sequence to *CipherInputStream*. 
Thus, the input stream including the ressources of the stream are not released. 
[More Details in the JDK 17 
documentation](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/CipherInputStream.html)
The instance that we sampled is located in:
- file: 
pdfbox/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/SecurityHandler.java
- method: private void encryptDataAES256(InputStream data, OutputStream output, 
boolean decrypt) throws IOException
- line: 379

To the best of my knowledge, this JCA usage does not result in a vulnerability 
(directly). However, it violates the API constraint discussed above. Therefore, 
we consider adding this usage as a violation into the benchmark.

Best,
Anna-Katharina Wickert
For the CamBench team

[1] https://github.com/CROSSINGTUD/CamBench





-
To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: dev-h...@pdfbox.apache.org

Re: CipherInputStream may not be closed

2023-09-08 Thread Anna-Katharina Wickert 
Hei Axel,

Thanks a lot for pointing this out! We both weren’t (anymore?) aware of this 
syntax!
We will adapt the respective file!

Best,
Anna

> On 8. Sep 2023, at 17:32, axh  wrote:
> 
> Hi Anna-Katharina,
> 
> what version are you using? In the current 3.0, the stream is closed 
> (implicitly) by using the try-with-resources syntax 
> (https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html):
> 
> try (CipherInputStream cis = new CipherInputStream(data, cipher))
> {
>…
> }
> According to Git Blame, try-with-resources has been used at that point since 
> 2017, so there should be no problem. Disclaimer: I am not a maintainer, I 
> just sometimes contribute code.
> 
> Axel
> 
> 
>> Am 08.09.2023 um 14:08 schrieb Anna-Katharina Wickert 
>> :
>> 
>> Hei dear maintainers,
>> 
>> For a benchmark [1], we randomly sampled JCA usages to decide if the API 
>> usage is a violation of any API usage constraint.
>> We believe we found one for the JCA class CipherInputStream.
>> The call to *close* is missing for the call sequence to *CipherInputStream*. 
>> Thus, the input stream including the ressources of the stream are not 
>> released. [More Details in the JDK 17 
>> documentation](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/CipherInputStream.html)
>> The instance that we sampled is located in:
>> - file: 
>> pdfbox/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/SecurityHandler.java
>> - method: private void encryptDataAES256(InputStream data, OutputStream 
>> output, boolean decrypt) throws IOException
>> - line: 379
>> 
>> To the best of my knowledge, this JCA usage does not result in a 
>> vulnerability (directly). However, it violates the API constraint discussed 
>> above. Therefore, we consider adding this usage as a violation into the 
>> benchmark.
>> 
>> Best,
>> Anna-Katharina Wickert
>> For the CamBench team
>> 
>> [1] https://github.com/CROSSINGTUD/CamBench
> 



signature.asc
Description: Message signed with OpenPGP

Re: CipherInputStream may not be closed

2023-09-08 Thread axh 
Hi Anna-Katharina,

what version are you using? In the current 3.0, the stream is closed 
(implicitly) by using the try-with-resources syntax 
(https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html):

try (CipherInputStream cis = new CipherInputStream(data, cipher))
{
…
}
According to Git Blame, try-with-resources has been used at that point since 
2017, so there should be no problem. Disclaimer: I am not a maintainer, I just 
sometimes contribute code.

Axel


> Am 08.09.2023 um 14:08 schrieb Anna-Katharina Wickert 
> :
> 
> Hei dear maintainers,
> 
> For a benchmark [1], we randomly sampled JCA usages to decide if the API 
> usage is a violation of any API usage constraint.
> We believe we found one for the JCA class CipherInputStream.
> The call to *close* is missing for the call sequence to *CipherInputStream*. 
> Thus, the input stream including the ressources of the stream are not 
> released. [More Details in the JDK 17 
> documentation](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/CipherInputStream.html)
> The instance that we sampled is located in:
> - file: 
> pdfbox/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/SecurityHandler.java
> - method: private void encryptDataAES256(InputStream data, OutputStream 
> output, boolean decrypt) throws IOException
> - line: 379
> 
> To the best of my knowledge, this JCA usage does not result in a 
> vulnerability (directly). However, it violates the API constraint discussed 
> above. Therefore, we consider adding this usage as a violation into the 
> benchmark.
> 
> Best,
> Anna-Katharina Wickert
> For the CamBench team
> 
> [1] https://github.com/CROSSINGTUD/CamBench