google / log4jscanner

A log4j vulnerability filesystem scanner and Go package for analyzing JAR files.
Apache License 2.0
1.57k stars 120 forks

Make maximum recursion depth and maximum in memory size configurable #48

Closed singlethink closed 2 years ago

singlethink commented 2 years ago

Permitting the caller to tune the recursion depth and memory size allows log4jscanner to be used on more memory constrained devices. To test this, this PR adds zips that expand to very large files, recursively expand infinitely, as well as some zip bombs to improve adversarial testing coverage.
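The two bounds this PR makes configurable, as an added example in Go that is not log4jscanner's own code: a nested-archive walker that stops at a maximum recursion depth (which also terminates an archive that contains itself) and refuses to buffer any nested archive past a maximum in-memory size (which is what defeats a zip bomb), exercised against a constructed nested jar. The names `Walk`, `nest`, `BuildNested` and the placeholder class entry are assumptions of this example, not the project's API.

```go
package main
import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)
var ErrDepth, ErrSize = errors.New("max recursion depth exceeded"), errors.New("max in-memory size exceeded")
// Walk lists an in-memory archive's entries and recurses into nested .jar/.zip entries.
// maxDepth bounds nesting depth; maxSize bounds the bytes buffered for any one nested archive.
func Walk(data []byte, depth, maxDepth int, maxSize int64) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil { return nil, err }
	var seen []string
	for _, f := range zr.File {
		seen = append(seen, f.Name)
		if !strings.HasSuffix(f.Name, ".jar") && !strings.HasSuffix(f.Name, ".zip") { continue }
		if depth+1 > maxDepth { return seen, ErrDepth }
		rc, err := f.Open()
		if err != nil { return seen, err }
		// Read at most maxSize+1 bytes: the extra byte exposes an oversized entry without buffering the whole payload.
		nested, err := io.ReadAll(io.LimitReader(rc, maxSize+1))
		rc.Close()
		if err != nil { return seen, err }
		if int64(len(nested)) > maxSize { return seen, ErrSize }
		inner, err := Walk(nested, depth+1, maxDepth, maxSize)
		seen = append(seen, inner...)
		if err != nil { return seen, err }
	}
	return seen, nil
}
// nest wraps content as the sole entry of a fresh zip (constructed test data, not a real jar).
func nest(name string, content []byte) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	fw, _ := w.Create(name); fw.Write(content); w.Close()
	return buf.Bytes()
}
// BuildNested wraps a placeholder JndiLookup.class entry in n nested inner.jar archives (constructed).
func BuildNested(n int) []byte {
	data := nest("org/apache/logging/log4j/core/lookup/JndiLookup.class", []byte("placeholder, not a real class"))
	for i := 0; i < n; i++ { data = nest("inner.jar", data) }
	return data
}
func main() {
	_, err := Walk(BuildNested(3), 0, 2, 1<<20)
	fmt.Println("3-deep jar scanned with maxDepth=2:", err)
}
```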

ericchiang commented 2 years ago

lgtm! please squash and I can merge :)

singlethink commented 2 years ago

Done.