mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

Limit readline() #2379

Closed pixeeai closed 7 months ago

pixeeai commented 7 months ago

This codemod hardens all readline() calls from file objects returned from an open() call, StringIO and BytesIO against denial of service attacks. A stream influenced by an attacker could keep providing bytes until the system runs out of memory, causing a crash.

Fixing it is straightforward by adding a size argument to any readline() calls. The changes from this codemod look like this:

  file = open('some_file.txt')
- file.readline()
+ file.readline(5_000_000)
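Review bot: the `+ file.readline(5_000_000)` line bounds one call's allocation but changes what callers receive: when a line is longer than the limit, readline() returns the first 5,000,000 characters with no trailing newline, and the remainder is returned by the next readline() as though it were a separate line. Any caller that assumes the result is a complete line (for example, parsing a key/value pair or a header) should check for the missing newline, or read limit + 1 and reject over-long lines, rather than treating the truncated value as well-formed. Note also that in text mode the size argument counts characters, not bytes, so the actual memory bound depends on the file's encoding.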
More reading:
* https://cwe.mitre.org/data/definitions/400.html

Powered by: pixeebot (codemod ID: pixee:python/limit-readline)
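The following is an added example written for this page, not code from Mail-in-a-Box or from the Pixeebot codemod. It shows the mitigation the description proposes (a size argument on readline() caps what one call can allocate) and the case the bare replacement leaves to the caller: a line longer than the limit comes back in pieces, each looking like a line of its own. The `read_bounded_line()` helper, the `LineTooLong` exception, the small `MAX_LINE` limit and the `SAMPLE` input are all constructed for the demonstration; the 5_000_000 figure is the one quoted in the PR text.

```python
"""Bounded readline() with explicit handling of over-long lines (added example)."""
import io

# Constructed, deliberately small limit so the sample input stays short.
# The PR text uses 5_000_000 for real files.
MAX_LINE = 32


class LineTooLong(ValueError):
    """Raised when a single line exceeds the configured limit."""


def read_bounded_line(stream, limit=MAX_LINE):
    """Return one line of at most `limit` characters (or bytes).

    Reads limit + 1 so that a line of exactly `limit` characters plus its
    newline is accepted, while a longer line is detected and rejected
    instead of being silently split across successive readline() calls.
    Returns '' (or b'') at end of stream, like readline() itself.
    """
    chunk = stream.readline(limit + 1)
    newline = "\n" if isinstance(chunk, str) else b"\n"
    if len(chunk) > limit and not chunk.endswith(newline):
        raise LineTooLong(f"line exceeds {limit} characters")
    return chunk


def naive_chunks(text, limit=MAX_LINE):
    """What a bare readline(limit) does with an over-long line: the line is
    handed back in `limit`-sized pieces, each indistinguishable from a real
    line to a caller that does not check for the trailing newline."""
    stream = io.StringIO(text)
    pieces = []
    while True:
        piece = stream.readline(limit)
        if not piece:
            break
        pieces.append(piece)
    return pieces


def bounded_lines(data, limit=MAX_LINE):
    """Read every line with read_bounded_line(); works for str or bytes.

    Returns (accepted_lines_without_newline, rejected) where `rejected`
    is True if an over-long line stopped the read.
    """
    is_text = isinstance(data, str)
    stream = io.StringIO(data) if is_text else io.BytesIO(data)
    newline = "\n" if is_text else b"\n"
    lines, rejected = [], False
    while True:
        try:
            line = read_bounded_line(stream, limit)
        except LineTooLong:
            rejected = True
            break
        if not line:
            break
        lines.append(line.rstrip(newline))
    return lines, rejected


# Constructed sample: two ordinary lines, then one far longer than MAX_LINE
# standing in for a stream whose length the reader does not control.
SAMPLE = "user=alice\nhost=mail.example\n" + "A" * 100 + "\nlast=line\n"

if __name__ == "__main__":
    print("bare readline(limit) pieces:", naive_chunks(SAMPLE))
    print("bounded reader result:", bounded_lines(SAMPLE))
```

Running the block prints seven pieces from the naive loop (the 100-character line arrives as three 32-character fragments plus a tail), whereas the bounded reader returns the two good lines and reports the rejection, which is the behaviour a parser should see rather than a fragment that parses as garbage.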

dms00 commented 7 months ago

First time I've heard of this AI assistant. Just wondering if this bot was asked to scan the repo and offer its "help" by a human or if it generated this PR automatically.

pixeeai commented 7 months ago

> First time I've heard of this AI assistant. Just wondering if this bot was asked to scan the repo and offer its "help" by a human or if it generated this PR automatically.

Hi - yes, this change was autogenerated from a new trending GitHub app called Pixeebot: a code-quality GitHub App, like Dependabot, but for source code.

I manually forked your repo and ran the scanning bot. But if you'd like you can add the bot to your main repository and it will recommend changes periodically.

JoshData commented 7 months ago

I don't accept patches for hypothetical attacks.