Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add zip bomb tests #1300

Merged
merged 85 commits into from
Apr 6, 2023
Merged

Add zip bomb tests #1300

merged 85 commits into from
Apr 6, 2023

Conversation

StephenButtolph
Copy link
Contributor

@StephenButtolph StephenButtolph commented Apr 5, 2023
edited
Loading

Why this should be merged

Verifies that our decompression is not vulnerable to a zip bomb attack.

How this works

Attempts to decompress pre-generated zip bombs. It verifies that decompressing the bombs doesn't crash and that it doesn't allocate significantly more memory than an expected message size.

How this was tested

It is a test

Dan Laine added 30 commits March 2, 2023 15:34
WIP
0b089ef
remove max size from NewZstdCompressor
e4e513b
WIP support multiple compression types
ef84d36
rename compressionType to Type
4a659b0
fix metric
c6de927
WIP remove CompressionEnabled and add --network-compression-type
13eb890
rename types
bc55ea4
add zstd compression/decompression metrics
400a918
Merge remote-tracking branch 'origin/dev' into add-zstd-compression
6f8bd3e
don't allow 2 network compression flags
38e7a12
remove benchmark
3850c79
cleanup
6065be8
don't use zstd until v1.10
d7c5d52
tweak error message
385ba27
nit
37bcf39
nits
81afb71
nits
4da5f21
Merge remote-tracking branch 'origin/dev' into add-zstd-compression
d8a9ccf
flag wording nit
d9b778c
add zstd tests; fix bugs
41bc6c5
consolidate metrics
11c171d
remove old todo
ddd35ee
update test
6dd3f25
update tests
eab4879
add tests
1ad19c1
appease linter
6b29cfc
Merge branch 'dev' into add-zstd-compression
7c150cd
Merge remote-tracking branch 'origin/dev' into add-zstd-compression
874632a
Merge branch 'add-zstd-compression' of github.com:ava-labs/avalancheg…
a9a96f6 
…o-internal into add-zstd-compression
nits
9526ba9
Base automatically changed from add-zstd-compression to dev April 5, 2023 23:47
@StephenButtolph StephenButtolph changed the base branch from dev to simplify-gzip-compression April 6, 2023 00:31
@StephenButtolph StephenButtolph self-assigned this Apr 6, 2023
@StephenButtolph StephenButtolph added the testing This primarily focuses on testing label Apr 6, 2023
@StephenButtolph StephenButtolph added this to the v1.10.0 (Cortina) milestone Apr 6, 2023
@StephenButtolph StephenButtolph changed the title Add zipbomb tests Add zip bomb tests Apr 6, 2023
@StephenButtolph StephenButtolph added the networking This involves networking label Apr 6, 2023
Base automatically changed from simplify-gzip-compression to dev April 6, 2023 01:12
danlaine
danlaine reviewed Apr 6, 2023
View reviewed changes
utils/compression/compressor_test.go
// Make sure that we didn't allocate significantly more memory than
// the max message size.
bytesAllocatedDuringDecompression := afterDecompressionStats.TotalAlloc - beforeDecompressionStats.TotalAlloc
require.Less(t, bytesAllocatedDuringDecompression, uint64(10*maxMessageSize))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kinda interesting that you have to make this at least 6 to pass 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's just because of how the underlying bytes buffer grows afaict.

@StephenButtolph StephenButtolph merged commit 87ba1ac into dev Apr 6, 2023
@StephenButtolph StephenButtolph deleted the add-zip-bomb-tests branch April 6, 2023 15:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshua-kim joshua-kim joshua-kim approved these changes

@danlaine danlaine danlaine approved these changes

@abi87 abi87 Awaiting requested review from abi87

@gyuho gyuho Awaiting requested review from gyuho

@hexfusion hexfusion Awaiting requested review from hexfusion

Assignees

@StephenButtolph StephenButtolph

Labels
networking This involves networking testing This primarily focuses on testing
Projects
None yet
Milestone
v1.10.0 (Cortina)
Development

Successfully merging this pull request may close these issues.
3 participants
@StephenButtolph @danlaine @joshua-kim