Limit readline()

[pixeebot[bot]]

This codemod hardens all readline() calls from file objects returned from an open() call, StringIO and BytesIO against denial of service attacks. A stream influenced by an attacker could keep providing bytes until the system runs out of memory, causing a crash.

Fixing it is straightforward by providing adding a size argument to any readline() calls. The changes from this codemod look like this:

  file = open('some_file.txt')
- file.readline()
+ file.readline(5_000_000)

More reading

* [https://cwe.mitre.org/data/definitions/400.html](https://cwe.mitre.org/data/definitions/400.html)

I have additional improvements ready for this repo! If you want to see them, leave the comment:

@pixeebot next

... and I will open a new PR right away!

Powered by: pixeebot (codemod ID: pixee:python/limit-readline)

[pixeeai]

@pixeebot next

[pixeebot[bot]]

@pixeeai, I opened PR #5, go check it out!

[pixeebot[bot]]

I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it?

If this change was not helpful, or you have suggestions for improvements, please let me know!

[pixeebot[bot]]

Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!

[pixeebot[bot]]

This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!

You can also customize me to make sure I'm working with you in the way you want.