dvsekhvalnov · CrspyAu · Dec 12, 2024 · Dec 12, 2024 · Dec 12, 2024 · Dec 19, 2024
diff --git a/UnitTests/SecurityVulnerabilitiesTest.cs b/UnitTests/SecurityVulnerabilitiesTest.cs
@@ -63,7 +63,7 @@ public void InvalidCurveAttack(string keyImplementation)
             byte[] y = Base64Url.Decode("e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck");
             byte[] d = Base64Url.Decode("VEmDZpDXXK8p8N0Cndsxs924q6nS1RXFASRl6BfUqdw");
 
-            var privateKey = keyImplementation == "CNG" ? (object) EccKey.New(x, y, d, usage: CngKeyUsages.KeyAgreement) : EcdhKey.New(x, y, d) ;
+            var privateKey = keyImplementation == "CNG" ? (object)EccKey.New(x, y, d, usage: CngKeyUsages.KeyAgreement) : EcdhKey.New(x, y, d);
 
             //JWT encrypted with attacker private key, which is equals to (reciever_pk mod 113)
             var attackMod113 =
@@ -171,7 +171,7 @@ public void BitLengthIntegerOverflow()
             }
         }
 
-	[Fact]
+        [Fact]
         public void DeflateBomb()
         {
             // given
@@ -197,15 +197,7 @@ public void DeflateBomb()
             string bomb = Jose.JWT.Encode(payload, publicKey, JweAlgorithm.RSA_OAEP, JweEncryption.A256GCM, JweCompression.DEF);
 
             // when
-            try
-            {
-                string decoded = Jose.JWT.Decode(bomb, privateKey, JwsAlgorithm.RS256);
-                Assert.True(false, "Should fail with NotSupportedException");
-            }
-            catch (JoseException e)
-            {
-                Console.Out.WriteLine(e.ToString());
-            }
+            Exception thrownException = Assert.Throws<CapacityExceededException>(() => Jose.JWT.Decode(bomb, privateKey));
         }
 
         [Fact]
@@ -217,7 +209,7 @@ public void TruncatedGcmAuthTag()
             try
             {
                 // when decrypt token with trunated AES GCM tag, it should fail
-                Jose.JWT.Decode(token, aes128Key);  
+                Jose.JWT.Decode(token, aes128Key);
                 Assert.True(false, "Should fail with IntegrityException");
 
             }
@@ -226,6 +218,5 @@ public void TruncatedGcmAuthTag()
                 Console.Out.WriteLine(e.ToString());
             }
         }
-
     }
 }
diff --git a/jose-jwt/JWT.cs b/jose-jwt/JWT.cs
@@ -1,7 +1,5 @@
-using Jose;
 using System;
 using System.Collections.Generic;
-using System.Linq;
 using System.Text;
 
 namespace Jose
@@ -499,7 +497,7 @@ public static byte[] DecryptBytes(string token, object key, JweAlgorithm? alg =
 
         private static byte[] DecodeBytes(Compact.Iterator parts, object key = null, JwsAlgorithm? expectedJwsAlg = null, JweAlgorithm? expectedJweAlg = null, JweEncryption? expectedJweEnc = null, JwtSettings settings = null, byte[] payload = null)
         {
-            Ensure.IsNotEmpty(parts.Token, "Incoming token expected to be in compact serialization form, not empty, whitespace or null.");            
+            Ensure.IsNotEmpty(parts.Token, "Incoming token expected to be in compact serialization form, not empty, whitespace or null.");
 
             if (parts.Count == 5) //encrypted JWT
             {
@@ -512,7 +510,7 @@ private static byte[] DecodeBytes(Compact.Iterator parts, object key = null, Jws
             }
             else if (parts.Count == 3) // signed JWT
             {
-                if (expectedJweAlg != null || expectedJweEnc !=null)
+                if (expectedJweAlg != null || expectedJweEnc != null)
                 {
                     throw new InvalidAlgorithmException("Signed tokens can't assert encryption type.");
                 }
@@ -610,4 +608,10 @@ public class InvalidAlgorithmException : JoseException
         public InvalidAlgorithmException(string message) : base(message) { }
         public InvalidAlgorithmException(string message, Exception innerException) : base(message, innerException) { }
     }
+
+    public class CapacityExceededException : JoseException
+    {
+        public CapacityExceededException(string message) : base(message) { }
+        public CapacityExceededException(string message, Exception innerException) : base(message, innerException) { }
+    }
 }
diff --git a/jose-jwt/compression/CappedMemoryStream.cs b/jose-jwt/compression/CappedMemoryStream.cs
@@ -0,0 +1,34 @@
+using System;
+using System.IO;
+
+namespace Jose;
+
+public class CappedMemoryStream : MemoryStream
+{
+    private readonly long maxCapacity;
+
+    public CappedMemoryStream(long maxCapacity)
+    {
+        this.maxCapacity = maxCapacity;
+    }
+
+    public override void Write(byte[] buffer, int offset, int count)
+    {
+        if (Length + Math.Min(count, buffer.Length - offset) > maxCapacity)
+        {
+            throw new CapacityExceededException("Exceeding maximum memory stream size.");
+        }
+
+        base.Write(buffer, offset, count);
+    }
+
+    public override void WriteByte(byte value)
+    {
+        if (Length + 1 > maxCapacity)
+        {
+            throw new CapacityExceededException("Exceeding maximum memory stream size.");
+        }
+
+        base.WriteByte(value);
+    }
+}
diff --git a/jose-jwt/compression/DeflateCompression.cs b/jose-jwt/compression/DeflateCompression.cs
@@ -1,4 +1,3 @@
-using System;
 using System.IO;
 using System.IO.Compression;
 
@@ -27,28 +26,19 @@ public byte[] Compress(byte[] plainText)
         }
 
         public byte[] Decompress(byte[] compressedText)
-        {
-            byte[] buffer = new byte[maxBufferSizeBytes];
-
-            try
+        {
+            using (MemoryStream ms = new CappedMemoryStream(maxBufferSizeBytes))
             {
-                using (MemoryStream ms = new MemoryStream(buffer))
+                using (MemoryStream compressedStream = new MemoryStream(compressedText))
                 {
-                    using (MemoryStream compressedStream = new MemoryStream(compressedText))
+                    using (DeflateStream deflater = new DeflateStream(compressedStream, CompressionMode.Decompress))
                     {
-                        using (DeflateStream deflater = new DeflateStream(compressedStream, CompressionMode.Decompress))
-                        {
-                            deflater.CopyTo(ms);
-                        }
+                        deflater.CopyTo(ms);
                     }
+                }
 
-                    return Arrays.Truncate(ms.ToArray(), ms.Position);
-                }
-            }
-            catch(NotSupportedException e)
-            {
-                throw new JoseException("Unable to deflate compressed payload, most likely exceeded decompression buffer size.", e);
-            }
+                return ms.ToArray();
+            }
         }
     }
 }