JuliaWeb / HTTP.jl

HTTP for Julia
https://juliaweb.github.io/HTTP.jl/stable/

gzip / zip bomb mitigation #1178

Open chelyabinsk opened 1 month ago

chelyabinsk commented 1 month ago

I think it is a good idea to have a check similar to the one implemented by Python's WebSocket library, as it is a very easy attack. Mainly, check that the decompressed size does not exceed some kind of limit when executing HTTP.decode.

A simple example.

First, generate a gzip file. I lifted code from this repo

time dd if=/dev/zero bs=1M count=$((20*1024)) | gzip > ./cake.gzip

When I execute the following I observe a jump in the resource usage, eventually leading to a crash of the julia process.

using HTTP

# the ~20 MiB gzip file generated above (20 GiB of zeros when inflated)
data = read("cake.gzip")

# serve the compressed bytes back verbatim (default host 127.0.0.1, port 8081)
server = HTTP.serve!() do request::HTTP.Request
   @show request
   @show request.method
   @show HTTP.header(request, "Content-Type")
   @show request.body
   try
       return HTTP.Response(data)
   catch e
       return HTTP.Response(400, "Error: $e")
   end
end

# fetch the body without automatic decompression, then inflate it explicitly
r = HTTP.get("http://127.0.0.1:8081/"; decompress=false)

HTTP.decode(r, "gzip")

Happy to provide further details. I can also try to implement a solution if that's going to be easier :)
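One way to implement the check the issue asks for, as an added example that is neither HTTP.jl's own code nor code from the issue: inflate the body in fixed-size chunks and abort as soon as the running total of produced bytes passes a caller-chosen cap. It assumes only CodecZlib (which HTTP.jl already uses for gzip); `bounded_gunzip`, `max_bytes` and `DecompressedSizeLimitExceeded` are names chosen here for illustration.

```julia
# Added example, not HTTP.jl code: gzip decompression with a hard cap on the
# decompressed size. Assumes CodecZlib; `bounded_gunzip`, `max_bytes` and
# `DecompressedSizeLimitExceeded` are names invented for this example.
using CodecZlib

struct DecompressedSizeLimitExceeded <: Exception
    limit::Int
end

Base.showerror(io::IO, e::DecompressedSizeLimitExceeded) =
    print(io, "decompressed body exceeds limit of $(e.limit) bytes")

"""
    bounded_gunzip(compressed; max_bytes) -> Vector{UInt8}

Inflate `compressed` incrementally and throw `DecompressedSizeLimitExceeded`
as soon as more than `max_bytes` of output has been produced. Peak memory is
bounded by `max_bytes` plus one chunk, whatever the stream claims about its
size: the ISIZE field in the gzip trailer is attacker-controlled and only
holds the length modulo 2^32, so it is never consulted here.
"""
function bounded_gunzip(compressed::AbstractVector{UInt8}; max_bytes::Int)
    stream = GzipDecompressorStream(IOBuffer(compressed))
    out = IOBuffer()
    chunk = Vector{UInt8}(undef, 64 * 1024)   # fixed-size read buffer
    total = 0
    try
        while !eof(stream)
            n = readbytes!(stream, chunk)
            total += n
            # Check before buffering the chunk, so a bomb like the 20 GiB
            # file from the issue is rejected at most one chunk past the cap.
            total > max_bytes && throw(DecompressedSizeLimitExceeded(max_bytes))
            write(out, chunk[1:n])
        end
    finally
        close(stream)
    end
    return take!(out)
end

# Demo on constructed data: 8 MiB of zeros compresses to a few KiB, which is
# the same ratio the issue relies on.
bomb  = transcode(GzipCompressor, zeros(UInt8, 8 * 1024 * 1024))
small = transcode(GzipCompressor, Vector{UInt8}("hello, world"))

@assert bounded_gunzip(small; max_bytes = 1024) == Vector{UInt8}("hello, world")

try
    bounded_gunzip(bomb; max_bytes = 1024 * 1024)   # 1 MiB cap
    @assert false "expected the size limit to be enforced"
catch e
    @assert e isa DecompressedSizeLimitExceeded
end
```

In the reproduction above this would replace `HTTP.decode(r, "gzip")` with `bounded_gunzip(r.body; max_bytes = ...)` on the response fetched with `decompress=false`. The cap is per response, so it has to be chosen by the caller from what the endpoint legitimately returns; the compressed `Content-Length` says nothing useful about it.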

bryaan commented 3 weeks ago

This also needs to be done for websockets.

https://github.com/JuliaWeb/HTTP.jl/issues/1181