From cc4398598713d3b3277cfaa2ddf5662f6a06188b Mon Sep 17 00:00:00 2001
From: Dmytro Lapko <dlk@mercell.com>
Date: Wed, 24 May 2023 17:02:48 +0300
Subject: [PATCH 1/4] The change inspired by
 https://rep.erst.dk/git/openebusiness/nemhandeledelivery/oxalis-as4/-/blob/fca264842fd43c56b384ec55dccc2a06a5431260/src/main/java/network/oxalis/as4/config/As4Conf.java#L46

---
 src/main/java/network/oxalis/as4/config/As4Conf.java  | 11 ++++++++++-
 .../network/oxalis/as4/inbound/As4InboundHandler.java |  8 ++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/main/java/network/oxalis/as4/config/As4Conf.java b/src/main/java/network/oxalis/as4/config/As4Conf.java
index a8fde83..c01815e 100644
--- a/src/main/java/network/oxalis/as4/config/As4Conf.java
+++ b/src/main/java/network/oxalis/as4/config/As4Conf.java
@@ -39,5 +39,14 @@ public enum As4Conf {
 
     @Path("oxalis.as4.type")
     @DefaultValue("peppol")
-    TYPE
+    TYPE,
+
+    /**
+     * Defines maximum possible size of SBDH header in bytes. It is needed to limit 
+     * parsing of SBD to prevent DOS attack, and be able to rewind the input 
+     * stream to the start before passing it to persister.
+     */
+    @Path("oxalis.as4.sbdh.limit")
+    @DefaultValue("65536")
+    SBDH_LIMIT
 }
diff --git a/src/main/java/network/oxalis/as4/inbound/As4InboundHandler.java b/src/main/java/network/oxalis/as4/inbound/As4InboundHandler.java
index efd956c..5778845 100644
--- a/src/main/java/network/oxalis/as4/inbound/As4InboundHandler.java
+++ b/src/main/java/network/oxalis/as4/inbound/As4InboundHandler.java
@@ -14,11 +14,13 @@
 import network.oxalis.api.model.Direction;
 import network.oxalis.api.model.TransmissionIdentifier;
 import network.oxalis.api.persist.PersisterHandler;
+import network.oxalis.api.settings.Settings;
 import network.oxalis.api.timestamp.Timestamp;
 import network.oxalis.api.timestamp.TimestampProvider;
 import network.oxalis.api.transmission.TransmissionVerifier;
 import network.oxalis.as4.common.As4MessageProperties;
 import network.oxalis.as4.common.As4MessageProperty;
+import network.oxalis.as4.config.As4Conf;
 import network.oxalis.commons.header.SbdhHeaderParser;
 import network.oxalis.commons.io.UnclosableInputStream;
 import network.oxalis.vefa.peppol.common.code.DigestMethod;
@@ -63,9 +65,10 @@ public class As4InboundHandler {
     private final As4MessageFactory as4MessageFactory;
     private final PolicyService policyService;
     private final InboundService inboundService;
+    private final Settings<As4Conf> as4Settings;
 
     @Inject
-    public As4InboundHandler(TransmissionVerifier transmissionVerifier, PersisterHandler persisterHandler, TimestampProvider timestampProvider, HeaderParser headerParser, As4MessageFactory as4MessageFactory, PolicyService policyService, InboundService inboundService) {
+    public As4InboundHandler(TransmissionVerifier transmissionVerifier, PersisterHandler persisterHandler, TimestampProvider timestampProvider, HeaderParser headerParser, As4MessageFactory as4MessageFactory, PolicyService policyService, InboundService inboundService, Settings<As4Conf> as4Settings) {
         this.transmissionVerifier = transmissionVerifier;
         this.persisterHandler = persisterHandler;
         this.timestampProvider = timestampProvider;
@@ -73,6 +76,7 @@ public As4InboundHandler(TransmissionVerifier transmissionVerifier, PersisterHan
         this.as4MessageFactory = as4MessageFactory;
         this.policyService = policyService;
         this.inboundService = inboundService;
+        this.as4Settings = as4Settings;
     }
 
     public SOAPMessage handle(SOAPMessage request, MessageContext messageContext) throws OxalisAs4Exception {
@@ -359,7 +363,7 @@ private LinkedHashMap<InputStream, As4PayloadHeader> parseAttachments(Iterator<A
 
                 Header sbdh;
                 if (headerParser instanceof SbdhHeaderParser) {
-                    bis.mark(65536);
+                    bis.mark(as4Settings.getInt(As4Conf.SBDH_LIMIT));
                     sbdh = readHeader(contentId, bis);
                     bis.reset();
                 } else {

From 3b71a9d9710e118bd69ac20a5a71b777d532cd8d Mon Sep 17 00:00:00 2001
From: Dmytro Lapko <dlk@mercell.com>
Date: Wed, 24 May 2023 17:03:32 +0300
Subject: [PATCH 2/4] chore: ignore Eclipse specific resources

---
 .gitignore | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 17aec2a..d0cbcd4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,7 @@
 .idea/
+.settings/
 target/
 oxalis-as4.iml
-output.mime
\ No newline at end of file
+output.mime
+/.classpath
+/.project
\ No newline at end of file

From 4853e220a615e3118871225755ef277274024e34 Mon Sep 17 00:00:00 2001
From: Dmytro Lapko <dlk@mercell.com>
Date: Wed, 24 May 2023 17:04:03 +0300
Subject: [PATCH 3/4] chore: shouldn't parent version correspond to own version
 of oxalis-as4?

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index e20197f..672bc5a 100755
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
     <parent>
         <groupId>network.oxalis</groupId>
         <artifactId>oxalis</artifactId>
-        <version>6.0.0-RC3</version>
+        <version>6.0.0-RC4-SNAPSHOT</version>
     </parent>
 
     <artifactId>oxalis-as4</artifactId>

From 11d4dff01abff809e29bfcf6d0ae685f6baaa5c0 Mon Sep 17 00:00:00 2001
From: Dmytro Lapko <dlk@mercell.com>
Date: Wed, 24 May 2023 17:10:16 +0300
Subject: [PATCH 4/4] fix: rollback migration to RC4-SNAPSHOT of parent, as it
 is not yet published

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 672bc5a..e20197f 100755
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
     <parent>
         <groupId>network.oxalis</groupId>
         <artifactId>oxalis</artifactId>
-        <version>6.0.0-RC4-SNAPSHOT</version>
+        <version>6.0.0-RC3</version>
     </parent>
 
     <artifactId>oxalis-as4</artifactId>