Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BugFix: Fixed Unsafe Zip Deserialization #77

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

BugFix: Fixed Unsafe Zip Deserialization #77

wants to merge 1 commit into from

Conversation

fazledyn-or
Copy link

@fazledyn-or fazledyn-or commented Jan 10, 2024
edited
Loading

Summary

This PR fixes a potential zip deserialization bug in your code.

Description

While triaging your project, our bug fixing tool generated the following diff(s)-

--- a/go-tagexpr/binding/body.go
+++ b/go-tagexpr/binding/body.go
@@ -85,6 +85,12 @@
 			r.Body = flate.NewReader(r.Body)
 		case "zlib":
 			var readCloser io.ReadCloser
+			// OpenRefactory Warning:
+			// Possible Untrusted Deserializaiton!
+			// Path:
+			//	File: body.go, Line: 88
+			//		zlib.NewReader(r.Body)
+			//		Tainted information is used in a sink.
 			readCloser, err = zlib.NewReader(r.Body)
 			if err == nil {
 				r.Body = readCloser

Here, the payload sent through r.Body is decompressed using gzip, deflate, and zlib based on the "Content-Encoding" header. However, the copy operation on line 97 is unsafe because the compressed data inside r.Body can contain zip bomb that can lead to deflation of large amount of data, which can lead to a denial of service.

As a result, it is suggested that the io.CopyN() method is used with a maximum output limit (number of allowed bytes in the uncompressed data). Here, 256 MB has been set as the limit.

Comments

Even though the GetBody() method isn't used anywhere in the codebase except for the two test files, anyone using your project as a dependency can import and use the GetBody() method. As a result, having such a protection mechanism is the best option.

CLA Requirements

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

All contributed commits are already automatically signed off.

The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

- Git Commit SignOff documentation

Sponsorship and Support

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed – to improve global software supply chain security.

The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.

@fazledyn-or
Added maximum limit on decompressing request body
dc6adf1 
This commit adds a 256 MB limit on the decompressed
data so that any zip bomb sent as a payload doesn't
decompress and lead to a denial-of-service attack.

Signed-off-by: fazledyn-or <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@fazledyn-or