Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add decompression bomb mitigation options for v1 #412

Merged
merged 1 commit into from
Feb 9, 2023

Conversation

picatz
Copy link
Contributor

@picatz picatz commented Feb 8, 2023

This PR aims to fix #407 (reserved as CVE-2023-0475), by introducing "(de)compression" bomb mitigation options to the various decompressors provided by this package. Specifically, FileSizeLimit and FilesLimit.

  • FileSizeLimit limits the size of a decompressed file, or limits the total size of all decompressed files if dealing with an archive.
  • FilesLimit limits the number of files that are allowed to be decompressed from an archive.

There are a few downsides to consider with the current approach I've taken before we merge this PR:

  • The limits are applied while the content is being decompressed. It doesn't do a "pre-flight check" before starting the decompression. So, if I had a limit of 15GB, an attacker would be able to consume up to that amount, but not past it.
  • io.LimitReader returns an EOF after the configured byte limit, and doesn't seem to provide a clear "you've read past the limit" error. In certain situations, this might lead to an unintended silent error.

☝️ To mitigate some of those issues, for the ZIP and TAR archives, I use the FileInfo in the header returned for the content to check the size before using it.

Copy link
Member

@tgross tgross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@picatz picatz merged commit 78e6721 into main Feb 9, 2023
@picatz picatz deleted the mitigate-decompression-bomb branch February 9, 2023 15:20
nywilken pushed a commit that referenced this pull request Feb 9, 2023
nywilken pushed a commit that referenced this pull request Feb 9, 2023
nywilken pushed a commit that referenced this pull request Feb 9, 2023
nywilken pushed a commit that referenced this pull request Feb 10, 2023
nywilken added a commit that referenced this pull request Feb 10, 2023
* Add zstd support

Port changes from v1 #292

* Port decompression bomb changes from v1

#412

---------

Co-authored-by: Yan Su <tsu@yaroot.net>
Co-authored-by: Kent 'picat' Gruber <kent@hashicorp.com>
renovate bot referenced this pull request in DelineaXPM/terraform-provider-dsv Jan 23, 2024
…ecurity] (#61)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter)
| `v1.6.2` -> `v1.7.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fhashicorp%2fgo-getter/v1.7.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fhashicorp%2fgo-getter/v1.7.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fhashicorp%2fgo-getter/v1.6.2/v1.7.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fhashicorp%2fgo-getter/v1.6.2/v1.7.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

#### [CVE-2023-0475](https://nvd.nist.gov/vuln/detail/CVE-2023-0475)

HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression
bombs. Fixed in 1.7.0 and 2.2.0.

---

### Release Notes

<details>
<summary>hashicorp/go-getter (github.com/hashicorp/go-getter)</summary>

###
[`v1.7.0`](https://github.com/hashicorp/go-getter/releases/tag/v1.7.0)

[Compare
Source](https://github.com/hashicorp/go-getter/compare/v1.6.2...v1.7.0)

#### What's Changed

- docs: provide logging recommendations by
[@&#8203;mickael-hc](https://github.com/mickael-hc) in
[https://github.com/hashicorp/go-getter/pull/371](https://github.com/hashicorp/go-getter/pull/371)
- Update aws sdk version by [@&#8203;Jukie](https://github.com/Jukie)
in
[https://github.com/hashicorp/go-getter/pull/384](https://github.com/hashicorp/go-getter/pull/384)
- Update S3 URL in README by
[@&#8203;twelvelabs](https://github.com/twelvelabs) in
[https://github.com/hashicorp/go-getter/pull/378](https://github.com/hashicorp/go-getter/pull/378)
- Migrate to GHA by
[@&#8203;claire-labry](https://github.com/claire-labry) in
[https://github.com/hashicorp/go-getter/pull/379](https://github.com/hashicorp/go-getter/pull/379)
- \[COMPLIANCE] Update MPL 2.0 LICENSE by
[@&#8203;hashicorp-copywrite](https://github.com/hashicorp-copywrite)
in
[https://github.com/hashicorp/go-getter/pull/386](https://github.com/hashicorp/go-getter/pull/386)
- remove codesign entirely from go-getter by
[@&#8203;claire-labry](https://github.com/claire-labry) in
[https://github.com/hashicorp/go-getter/pull/408](https://github.com/hashicorp/go-getter/pull/408)
- Add decompression bomb mitigation options for v1 by
[@&#8203;picatz](https://github.com/picatz) in
[https://github.com/hashicorp/go-getter/pull/412](https://github.com/hashicorp/go-getter/pull/412)
- v1: decompressors: add LimitedDecompressors helper by
[@&#8203;shoenig](https://github.com/shoenig) in
[https://github.com/hashicorp/go-getter/pull/413](https://github.com/hashicorp/go-getter/pull/413)

#### New Contributors

- [@&#8203;mickael-hc](https://github.com/mickael-hc) made their first
contribution in
[https://github.com/hashicorp/go-getter/pull/371](https://github.com/hashicorp/go-getter/pull/371)
- [@&#8203;Jukie](https://github.com/Jukie) made their first
contribution in
[https://github.com/hashicorp/go-getter/pull/384](https://github.com/hashicorp/go-getter/pull/384)
- [@&#8203;twelvelabs](https://github.com/twelvelabs) made their first
contribution in
[https://github.com/hashicorp/go-getter/pull/378](https://github.com/hashicorp/go-getter/pull/378)
-
[@&#8203;hashicorp-copywrite](https://github.com/hashicorp-copywrite)
made their first contribution in
[https://github.com/hashicorp/go-getter/pull/386](https://github.com/hashicorp/go-getter/pull/386)

**Full Changelog**:
hashicorp/go-getter@v1.6.2...v1.7.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/DelineaXPM/terraform-provider-dsv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMzUuMCIsInVwZGF0ZWRJblZlciI6IjM3LjEzNS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Vulnerable to Zip bombs.
2 participants