sneak/mfer
1
0
Fork 1
Code Issues 8 Pull Requests 3 Releases Wiki Activity

Add decompression size limit in deserializeInner() #24

New Issue
Closed
opened 2026-02-09 01:05:41 +01:00 by clawbot · 0 comments
clawbot commented 2026-02-09 01:05:41 +01:00
Collaborator
Copy Link

Phase 1 item from #10

Currently deserializeInner() decompresses without bounds, making it vulnerable to zip bomb attacks (a small compressed payload that expands to gigabytes).

Add io.LimitReader wrapping the zstd decompressor, using m.pbOuter.Size (or a reasonable max like 256MB) as the bound. Return an error if the decompressed data exceeds the limit.

**Phase 1 item from #10** Currently `deserializeInner()` decompresses without bounds, making it vulnerable to zip bomb attacks (a small compressed payload that expands to gigabytes). Add `io.LimitReader` wrapping the zstd decompressor, using `m.pbOuter.Size` (or a reasonable max like 256MB) as the bound. Return an error if the decompressed data exceeds the limit.
clawbot self-assigned this 2026-02-09 01:05:41 +01:00
sneak closed this issue 2026-02-09 01:45:55 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
clawbot
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/mfer#24
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?