added 2 characters in body
eicksl

When using other answers here, please ensure that you can trust the source of the input stream. Reading an arbitrarily large input stream could exhaust all memory on the system and lead to a DoS attack.

Note that InputStream.available() has to do with Java's non-blocking IO capabilities and cannot be relied on to get the total size of the input stream. Reading a stream is the only way to be sure what its size is. It is therefore advisable to throw an exception after reading some n bytes. One way is to use Apache Commons' ThresholdingOutputStream:

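import java.io.IOException;
import java.io.InputStream;
import org.apache.commons.io.IOUtils;
import org.apache.commons.io.output.ThresholdingOutputStream;
import org.apache.commons.io.output.UnsynchronizedByteArrayOutputStream;

// MAX_BYTES is assumed to be an int constant defined in the enclosing class.
public static byte[] toByteArray(InputStream is) throws IOException {
    byte[] bytes;
    // In-memory sink that receives the bytes as long as the limit is not exceeded.
    UnsynchronizedByteArrayOutputStream ubaOutput = UnsynchronizedByteArrayOutputStream.builder().get();
    // The first lambda runs once a write would push the total past MAX_BYTES;
    // the second supplies the underlying stream to write to.
    ThresholdingOutputStream thresholdOutput = new ThresholdingOutputStream(MAX_BYTES, os -> {
        throw new IllegalArgumentException(String.format("Input stream length exceeds maximum allowed size of %d bytes", MAX_BYTES));
    }, os -> ubaOutput);
    IOUtils.copy(is, thresholdOutput);
    bytes = ubaOutput.toByteArray();
    ubaOutput.close();
    thresholdOutput.close();
    return bytes;
}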
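
An added example, not part of the original answer: the same "fail after n bytes" cap enforced with only the JDK, run against a stream whose available() reports nothing about its real length. The class name BoundedRead, the 1024-byte limit, the use of IOException and the constructed test streams are assumptions made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

public class BoundedRead {
    // Hypothetical limit chosen for this example.
    static final int MAX_BYTES = 1024;

    /** Buffers the stream, failing as soon as more than maxBytes have arrived. */
    static byte[] toByteArrayBounded(InputStream is, int maxBytes) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        long total = 0;
        while (true) {
            // Ask for at most one byte beyond the remaining budget, so an
            // oversized stream is detected without buffering much more than the cap.
            int want = (int) Math.min(buf.length, (long) maxBytes - total + 1);
            int n = is.read(buf, 0, want);
            if (n == -1) {
                return out.toByteArray();
            }
            total += n;
            if (total > maxBytes) {
                throw new IOException("Input stream exceeds " + maxBytes + " bytes");
            }
            out.write(buf, 0, n);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: yields 5000 bytes but inherits the default
        // InputStream.available(), which says nothing about the total length.
        InputStream big = new InputStream() {
            private int left = 5000;
            @Override public int read() { return left-- > 0 ? 'A' : -1; }
        };
        System.out.println("available() reports " + big.available());
        try {
            toByteArrayBounded(big, MAX_BYTES);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed input exactly at the limit is accepted.
        byte[] ok = toByteArrayBounded(new ByteArrayInputStream(new byte[MAX_BYTES]), MAX_BYTES);
        System.out.println("accepted " + ok.length + " bytes");
    }
}
```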
