# dos-via-decompression-bomb

Ensure proper handling of highly compressed data

A zip bomb, also known as a decompression bomb, is a malicious archive file designed to crash or render useless the program or system reading it. It is usually a small file, for ease of transport and to avoid suspicion. When the file is unpacked, its size increases by several orders of magnitude. The large amount of memory needed to handle the unpacked data can lead to denial of service. One way of mitigating this attack is to limit the maximum number of bytes read from an archive file.

## Examples

### Insecure Example
```go
package main

import (
	"bytes"
	"compress/zlib"
	"io"
	"os"
)

func unsafe() {
	// zlib-compressed payload; its decompressed size is not known in advance
	buff := []byte{120, 156, 202, 72, 205, 201, 201, 215, 81, 40, 207,
		47, 202, 73, 225, 2, 4, 0, 0, 255, 255, 33, 231, 4, 147}
	b := bytes.NewReader(buff)
	r, err := zlib.NewReader(b)
	if err != nil {
		panic(err)
	}
	// copying to Stdout without any limit could lead to denial of service
	_, err = io.Copy(os.Stdout, r)
	if err != nil {
		panic(err)
	}
	r.Close()
}

func main() {
	unsafe()
}
```
### Secure Example
```go
package main

import (
	"bytes"
	"compress/zlib"
	"io"
	"os"
)

func safe() {
	// zlib-compressed payload; its decompressed size is not known in advance
	buff := []byte{120, 156, 202, 72, 205, 201, 201, 215, 81, 40, 207,
		47, 202, 73, 225, 2, 4, 0, 0, 255, 255, 33, 231, 4, 147}
	b := bytes.NewReader(buff)
	r, err := zlib.NewReader(b)
	if err != nil {
		panic(err)
	}
	// it is recommended that you specify the limit of bytes to be copied;
	// io.CopyN stops after at most 4 MiB regardless of the stream's true size
	_, err = io.CopyN(os.Stdout, r, 1024*1024*4)
	if err != nil && err != io.EOF {
		panic(err)
	}
	r.Close()
}

func main() {
	safe()
}
```
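One caveat with `io.CopyN` is that it truncates silently: if the stream holds more than the limit, the caller gets exactly the limit and a nil error, so a decompression bomb is cut short but not detected as one. The following added example (not part of the original page) wraps the same zlib payload in a helper, `decompressLimited`, that reads through `io.LimitReader` with a one-byte overshoot so it can return an explicit `ErrLimitExceeded` when the decompressed data would exceed the budget. The function and error names are this example's own.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"errors"
	"fmt"
	"io"
)

// ErrLimitExceeded is returned when the decompressed stream is larger than the caller's budget.
var ErrLimitExceeded = errors.New("decompressed data exceeds configured limit")

// sample is the same zlib stream the page's examples use; it inflates to "hello, world\n".
// It is embedded here so the example runs offline (constructed sample input).
var sample = []byte{120, 156, 202, 72, 205, 201, 201, 215, 81, 40, 207,
	47, 202, 73, 225, 2, 4, 0, 0, 255, 255, 33, 231, 4, 147}

// decompressLimited inflates a zlib stream but refuses to return more than limit bytes.
// Unlike io.CopyN, which silently stops at the limit, it reports ErrLimitExceeded when the
// stream would have produced more than limit bytes, so the caller can reject the input.
func decompressLimited(compressed []byte, limit int64) ([]byte, error) {
	r, err := zlib.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer r.Close()

	// Read at most limit+1 bytes: the extra byte tells us whether the stream continues
	// past the budget. Memory usage is therefore bounded by limit+1 regardless of the
	// archive's real decompressed size.
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrLimitExceeded
	}
	return out, nil
}

func main() {
	// A generous 4 MiB budget accepts the 13-byte payload; an 8-byte budget rejects it.
	for _, limit := range []int64{4 << 20, 8} {
		out, err := decompressLimited(sample, limit)
		if err != nil {
			fmt.Printf("limit=%d: rejected: %v\n", limit, err)
			continue
		}
		fmt.Printf("limit=%d: %q (%d bytes from %d compressed)\n", limit, out, len(out), len(sample))
	}
}
```

Rejecting the input outright is usually the right response: a stream that blows past a sane budget is far more likely to be hostile than legitimate, and a truncated file handed to the rest of the pipeline can cause its own failures.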