Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Port Decompression bomb security changes from v1 #414

Merged
merged 2 commits into from
Feb 10, 2023
Merged

Port Decompression bomb security changes from v1 #414

merged 2 commits into from
Feb 10, 2023

Conversation

nywilken
Copy link
Contributor

@nywilken nywilken commented Feb 9, 2023

This PR aims to fix #407 (reserved as CVE-2023-0475), by introducing "(de)compression" bomb mitigation options to the various decompressors provided by this package. Specifically, FileSizeLimit and FilesLimit.

  • FileSizeLimit limits the size of a decompressed file, or limits the total size of all decompressed files if dealing with an archive.
  • FilesLimit limits the number of files that are allowed to be decompressed from an archive.

These changes were ported from v1.

In addition to the security changes support for ZTSD as a supported decompressor was also ported.

@yaroot @nywilken
Add zstd support
40387a9 
Port changes from v1 #292
@nywilken nywilken force-pushed the decompression-bomb-port branch 2 times, most recently from f264204 to 6367bae Compare February 9, 2023 20:55
picatz
picatz requested changes Feb 9, 2023
View reviewed changes
gcs/get_gcs.go Outdated Show resolved Hide resolved
picatz
picatz approved these changes Feb 9, 2023
View reviewed changes
Copy link
Contributor

@picatz picatz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@nywilken nywilken merged commit 017a2ee into v2 Feb 10, 2023
This was referenced Mar 16, 2023
Merged
Closed
@nywilken nywilken mentioned this pull request May 20, 2024
Merged
@nywilken nywilken mentioned this pull request Jun 28, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@picatz picatz picatz approved these changes

@tgross tgross Awaiting requested review from tgross

@sylviamoss sylviamoss Awaiting requested review from sylviamoss

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nywilken @picatz @yaroot