fix(iot-dev): Add an upper limit to SAS token expiry time values (#1755)

A recent customer issue revealed that very high values for this field result in the SDK repeatedly sending new SAS tokens due to an integer overflow
Azure · Oct 20, 2023 · 4465526 · 4465526
1 parent d547e53
commit 4465526
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/...t-device-client/src/main/java/com/microsoft/azure/sdk/iot/device/ClientConfiguration.java b/...t-device-client/src/main/java/com/microsoft/azure/sdk/iot/device/ClientConfiguration.java
@@ -46,6 +46,8 @@ public final class ClientConfiguration
 
     private static final long DEFAULT_OPERATION_TIMEOUT = 4 * 60 * 1000; //4 minutes
 
+    private static final long MAX_SAS_TOKEN_EXPIRY_TIME_SECONDS = 10 * 365 * 24 * 60 * 60; //10 years
+
     private boolean useWebsocket;
 
     @Getter
@@ -244,6 +246,13 @@ private void setClientOptionValues(ClientOptions clientOptions)
                 throw new IllegalArgumentException("ClientOption sasTokenExpiryTime must be greater than 0");
             }
 
+            if (clientOptions.getSasTokenExpiryTime() >= MAX_SAS_TOKEN_EXPIRY_TIME_SECONDS)
+            {
+                // Higher values cause overflows that result in the SDK repeatedly renewing SAS tokens
+                // and are generally a security risk
+                throw new IllegalArgumentException("ClientOption sasTokenExpiryTime must be less than 10 years");
+            }
+
             this.getSasTokenAuthentication().setTokenValidSecs(clientOptions.getSasTokenExpiryTime());
         }