directory recv: add sanity checks before writing into the destination #86
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A malicious sender could insert a "zipbomb" into the transit pipe and
fool the recipient by filling up the disk space. A proof of concept of
that would be to modify wormhole/send.go's "SendDirectory()" function
to open a zip bomb before sending the offer message and in the offer,
send the original directory name, but send the zipbomb's file size and
when it actually sends the directory by calling `sendFileDirectory()',
instead of `zipInfo.file', send the zipbomb's file handle. Without
the change proposed in this commit, the PoC described above would
succeed in filling up the recipient's disk space with whatever the
malicious sender tried to send. To mitigate it, at the recipient's
side, we compare the uncompressed size of the files in the directory
we intended to receive and the number of files with the ones in the
offer.
diff --git a/wormhole/send.go b/wormhole/send.go
index 0b427e0..498f17b 100644
--- a/wormhole/send.go
+++ b/wormhole/send.go
@@ -491,17 +491,28 @@ func (c *Client) SendDirectory(ctx context.Context, directoryName string, entrie
return "", nil, err
}
+ zbf, err := os.Open("/tmp/bomb.zip")
+ if err != nil {
+ fmt.Printf("cannot find the zipbomb file\n")
+ return "", nil, err
+ }
+ zbfInfo, err := os.Stat("/tmp/bomb.zip")
+ if err != nil {
+ return "", nil, err
+ }
+ size := zbfInfo.Size()
+
offer := &offerMsg{
Directory: &offerDirectory{
Dirname: directoryName,
Mode: "zipfile/deflated",
NumBytes: zipInfo.numBytes,
NumFiles: zipInfo.numFiles,
- ZipSize: zipInfo.zipSize,
+ ZipSize: size,
},
}
- code, resultCh, err := c.sendFileDirectory(ctx, offer, zipInfo.file, disableListener, opts...)
+ code, resultCh, err := c.sendFileDirectory(ctx, offer, zbf, disableListener, opts...)
if err != nil {
return "", nil, err
}
psanford
requested changes
Aug 22, 2022
Jacalz
approved these changes
Aug 25, 2022
|
Something funny happening with github UI. Sorry. Ignore all but one of those re-review requests. :-) |
Jacalz
approved these changes
Aug 27, 2022
|
@psanford Whenever you find time, would you mind taking another look at the changes and see if it satisfies the review comments? Thanks. |
|
👍🏻 Looking forward to this getting merge |
Jacalz
suggested changes
Dec 28, 2022
Comment on lines
+202
to
+216
| // calculate the uncompressed size of the contents of the zip | ||
| var actualUncompressedSize uint64 | ||
| var fileCount int | ||
| for _, f := range zr.File { | ||
| actualUncompressedSize += f.FileHeader.UncompressedSize64 | ||
| fileCount++ | ||
| } | ||
| if msg.UncompressedBytes64 < int64(actualUncompressedSize) { | ||
| bail("error: uncompressed size of the directory mismatch with that in the offer message") | ||
| } | ||
|
|
||
| if msg.FileCount < fileCount { | ||
| bail("error: number of files in the directory mismatch with that in the offer message") | ||
| } | ||
|
|
There was a problem hiding this comment.
I realised that running fileCount++ in the loop actually is quite unnecessary. We can just use the size of the slice instead and avoid one add instruction for each loop iteration.
Suggested change
| // calculate the uncompressed size of the contents of the zip | |
| var actualUncompressedSize uint64 | |
| var fileCount int | |
| for _, f := range zr.File { | |
| actualUncompressedSize += f.FileHeader.UncompressedSize64 | |
| fileCount++ | |
| } | |
| if msg.UncompressedBytes64 < int64(actualUncompressedSize) { | |
| bail("error: uncompressed size of the directory mismatch with that in the offer message") | |
| } | |
| if msg.FileCount < fileCount { | |
| bail("error: number of files in the directory mismatch with that in the offer message") | |
| } | |
| if msg.FileCount < len(zr.File) { | |
| bail("error: number of files in the directory mismatch with that in the offer message") | |
| } | |
| // calculate the uncompressed size of the contents of the zip | |
| var actualUncompressedSize uint64 | |
| for _, f := range zr.File { | |
| actualUncompressedSize += f.FileHeader.UncompressedSize64 | |
| } | |
| if msg.UncompressedBytes64 < int64(actualUncompressedSize) { | |
| bail("error: uncompressed size of the directory mismatch with that in the offer message") | |
| } | |
There was a problem hiding this comment.
I updated the suggestion as I realised it actually makes more sense to check file counts before checking uncompressed size in this case.
There was a problem hiding this comment.
@vu3rdd Any chance to get this improved so the PR perhaps can be merged after that?
Jacalz
added a commit
to Jacalz/rymdport
that referenced
this pull request
Aug 11, 2023
Based on improved version of psanford/wormhole-william#86
Jacalz
added a commit
to Jacalz/rymdport
that referenced
this pull request
Aug 11, 2023
Based on improved version of psanford/wormhole-william#86
Jacalz
added a commit
to Jacalz/wormhole-william
that referenced
this pull request
Aug 11, 2023
A cleanup of psanford#86 implementing my suggestion in psanford#86 (comment). Co-authored-by: Ramakrishnan Muthukrishnan <ram@leastauthority.com>
psanford
reviewed
Aug 16, 2023
| var actualUncompressedSize uint64 | ||
| var fileCount int | ||
| for _, f := range zr.File { | ||
| actualUncompressedSize += f.FileHeader.UncompressedSize64 |
There was a problem hiding this comment.
For a malicious zipfile I don't think we can trust the value of UncompressedSize64
Jacalz
added a commit
to Jacalz/rymdport
that referenced
this pull request
Sep 2, 2023
Based on improved version of psanford/wormhole-william#86
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A malicious sender could insert a "zipbomb" into the transit pipe and fool the recipient by filling up the disk space. A proof of concept of that would be to modify wormhole/send.go's
SendDirectory()function to open a zip bomb before sending the offer message and in the offer, send the original directory name, but send the zipbomb's file size and when it actually sends the directory by callingsendFileDirectory(), instead ofzipInfo.file, send the zipbomb's file handle. Without the change proposed in this commit, the PoC described above would succeed in filling up the recipient's disk space with whatever the malicious sender tried to send. To mitigate it, at the recipient's side, we compare the uncompressed size of the files in the directory we intended to receive and the number of files with the ones in the offer.