decentraland / catalyst-storage / 27278606859

95%

push

github

fix: cap gzip decompression size to prevent a decompression bomb (#101)

* fix: cap gzip decompression size to prevent a decompression bomb

When serving a range request for a gzip-stored item, the gzip was inflated
to a cache file on disk with no size limit, so a crafted small gzip could
expand to an arbitrarily large file (disk/CPU exhaustion).

Inflation is now passed through a size-limiting transform that aborts the
pipe once the decompressed output exceeds decompressMaxFileSize (defaults to
decompressCacheMaxSize). The limit is enforced on the actual inflated bytes
rather than the gzip trailer's declared size, which is attacker-controllable.
The partial file is cleaned up on abort, and retrieve returns undefined.

Fixes #99

* test: add edge cases for the gzip decompression cap

- Boundary: a gzip inflating to exactly the cap succeeds.
- Concurrency: two simultaneous range requests for an over-cap gzip are both
  refused, nothing is left on disk, and the inflight guard is not left stuck.
- Default inheritance: with decompressMaxFileSize unset, a file within
  decompressCacheMaxSize is allowed and one larger than it is refused.

104 of 117 branches covered (88.89%)

Branch coverage included in aggregate %.

10 of 10 new or added lines in 1 file covered. (100.0%)

367 of 374 relevant lines covered (98.13%)

34.06 hits per line