Tweak DoS limits and logging; update dependencies

pom.xml

@@ -442,7 +442,7 @@
             <dependency>
               <groupId>com.puppycrawl.tools</groupId>
               <artifactId>checkstyle</artifactId>
-              <version>8.38</version>
+              <version>8.39</version>
             </dependency>
           </dependencies>
         </plugin>

zxingorg/pom.xml

@@ -39,7 +39,7 @@
     <dependency>
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>
-      <version>30.0-android</version>
+      <version>30.1-android</version>
     </dependency>
     <dependency>
       <groupId>junit</groupId>
@@ -73,7 +73,7 @@
   </parent>
 
   <properties>
-    <spring.version>5.3.1</spring.version>
+    <spring.version>5.3.2</spring.version>
   </properties>
 
   <build>

zxingorg/src/main/java/com/google/zxing/web/ChartDoSFilter.java

@@ -25,7 +25,7 @@ import javax.servlet.annotation.WebInitParam;
 @WebFilter(urlPatterns = {"/w/chart"}, initParams = {
   @WebInitParam(name = "maxAccessPerTime", value = "120"),
   @WebInitParam(name = "accessTimeSec", value = "60"),
-  @WebInitParam(name = "maxEntries", value = "10000"),
+  @WebInitParam(name = "maxEntries", value = "100000"),
   @WebInitParam(name = "maxLoad", value = "0.9")
 })
 public final class ChartDoSFilter extends DoSFilter {

zxingorg/src/main/java/com/google/zxing/web/DecodeDoSFilter.java

@@ -25,7 +25,7 @@ import javax.servlet.annotation.WebInitParam;
 @WebFilter(urlPatterns = {"/w/decode"}, initParams = {
   @WebInitParam(name = "maxAccessPerTime", value = "60"),
   @WebInitParam(name = "accessTimeSec", value = "60"),
-  @WebInitParam(name = "maxEntries", value = "10000"),
+  @WebInitParam(name = "maxEntries", value = "100000"),
   @WebInitParam(name = "maxLoad", value = "0.9")
 })
 public final class DecodeDoSFilter extends DoSFilter {

zxingorg/src/main/java/com/google/zxing/web/DecodeServlet.java

@@ -91,7 +91,7 @@ import javax.servlet.http.Part;
 @WebServlet(value = "/w/decode", loadOnStartup = 1, initParams = {
   @WebInitParam(name = "maxAccessPerTime", value = "120"),
   @WebInitParam(name = "accessTimeSec", value = "120"),
-  @WebInitParam(name = "maxEntries", value = "10000")
+  @WebInitParam(name = "maxEntries", value = "100000")
 })
 public final class DecodeServlet extends HttpServlet {
 
@@ -212,7 +212,11 @@ public final class DecodeServlet extends HttpServlet {
       return;
     }
 
-    if (destHostTracker.isBanned(imageURI.getHost())) {
+    String host = imageURI.getHost();
+    // Also should parse for 172.x subnets
+    if (host == null || host.startsWith("10.") || host.startsWith("192.168.") ||
+        "127.0.0.1".equals(host) || "localhost".equals(host) ||
+        destHostTracker.isBanned(host)) {
       errorResponse(request, response, "badurl");
       return;
     }

zxingorg/src/main/java/com/google/zxing/web/DoSTracker.java

@@ -89,7 +89,10 @@ final class DoSTracker {
       // smallest count > maxAccessesPerTime
       int minDisallowedCount = Integer.MAX_VALUE;
       int localMAPT = maxAccessesPerTime;
+      int totalEntries;
+      int clearedEntries = 0;
       synchronized (numRecentAccesses) {
+        totalEntries = numRecentAccesses.size();
         Iterator<Map.Entry<String,AtomicInteger>> accessIt = numRecentAccesses.entrySet().iterator();
         while (accessIt.hasNext()) {
           Map.Entry<String,AtomicInteger> entry = accessIt.next();
@@ -99,6 +102,7 @@ final class DoSTracker {
           if (count <= localMAPT) {
             accessIt.remove();
             maxAllowedCount = Math.max(maxAllowedCount, count);
+            clearedEntries++;
           } else {
             // Else it exceeded the max, so log it (again)
             log.warning(name + ": Blocking " + entry.getKey() + " (" + count + " outstanding)");
@@ -108,6 +112,8 @@ final class DoSTracker {
           }
         }
       }
+      log.info(name + ": " + clearedEntries + " of " + totalEntries + " cleared");
+
       if (maxLoad != null) {
         OperatingSystemMXBean mxBean = ManagementFactory.getOperatingSystemMXBean();
         if (mxBean == null) {
@@ -117,11 +123,13 @@ final class DoSTracker {
           if (loadAvg >= 0.0) {
             int cores = mxBean.getAvailableProcessors();
             double loadRatio = loadAvg / cores;
-            log.info(name + ": Load ratio: " + loadRatio + " (" + loadAvg + '/' + cores + ") vs " + maxLoad);
-            maxAccessesPerTime = loadRatio > maxLoad ?
-              Math.min(maxAllowedCount, maxAccessesPerTime) :
+            int newMaxAccessesPerTime = loadRatio > maxLoad ?
+              Math.min(maxAllowedCount, Math.max(1, maxAccessesPerTime - 1)) :
               Math.max(minDisallowedCount, maxAccessesPerTime);
-            log.info(name + ": New maxAccessesPerTime: " + maxAccessesPerTime);
+            log.info(name + ": Load ratio: " + loadRatio +
+              " (" + loadAvg + '/' + cores + ") vs " + maxLoad +
+              "; new maxAccessesPerTime: " + newMaxAccessesPerTime);
+            maxAccessesPerTime = newMaxAccessesPerTime;
           }
         }
       }