security: zlib inflate methods might be vulnerable to zip bombs #27253
Comments
addaleax
added
security
|
With the streaming zlib methods, it is possible to limit output size – the I don’t think there’s anything like this for the synchronous methods – it should be possible to add options for them as well, if you think that that helps. |
|
Thanks @addaleax , an option for the sync methods, as well as for the asynchronous one-shot methods, e.g. |
|
We can definitely look at this for the sync methods, but in the future, for potential security issues, even if you're not entirely sure if it is a security issue, please use our hackerone account to report it more discreetly :-) https://hackerone.com/nodejs |
Fixes: nodejs#27253 PR-URL: nodejs#33516 Reviewed-By: Anna Henningsen <anna@addaleax.net>
From the documentation, it doesn't appear that there is any way to limit zlib's inflate methods max uncompressed size?
Without a way to limit the maximum amount of data to be uncompressed, Node's zlib inflate methods could be vulnerable to zip bombs, where a few megabytes of input could result in hundreds of megabytes of uncompressed data.
For parsers such as https://github.com/thejoshwolfe/yauzl, which parse the zip format, and which know the compressed and uncompressed sizes exactly, ahead of time, it should be possible to pass this information on to zlib's inflate methods, so that these can stop when they uncompress more than the zip container allows.
zlib's inflate methods should throw an error when more than
maxUncompressedSizehas been inflated.See also: thejoshwolfe/yauzl#107
The text was updated successfully, but these errors were encountered: