Closed princekhunt closed 6 months ago
Unfortunately the proposed fix just checks that the incoming uncompressed data is no more than 250KB. I don't know what the maximum size a maliciously crafted 250KB token could expand to, but I imagine it could be significant. Some basic tests suggest that a 250KB token can expand to about 250MB.
In addition to sensibly checking the size of the compressed token, I would suggest changing the `decompress` function in jwe.py to use the `decompress` method on an instance of `zlib.Decompress`. The `decompress` method accepts a `max_length` which can limit the size of the decompressed data.
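A bounded decompressor along the lines this comment suggests, added here as an example; it is not code from python-jose or from the commenter. It assumes raw DEFLATE (`wbits=-15`, as JWE `"zip":"DEF"` uses) and a constructed 250KB cap on the decompressed output.

```python
import json
import zlib

# Cap on *decompressed* output (constructed for this example). The thread's
# 250KB check applies to the compressed token, which is the weaker control.
MAX_PLAINTEXT = 250 * 1024


class DecompressionBombError(ValueError):
    """Raised when inflating a token would exceed the configured output limit."""


def compress_raw(data: bytes) -> bytes:
    # Raw DEFLATE with no zlib header, matching JWE "DEF" compression.
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


def bounded_decompress(data: bytes, max_length: int = MAX_PLAINTEXT) -> bytes:
    """Inflate raw DEFLATE data, refusing to produce more than max_length bytes.

    zlib.Decompress.decompress(data, max_length) stops once max_length bytes
    of output exist; input it did not reach stays in unconsumed_tail and eof
    remains False, so the full plaintext is larger than the limit allows.
    """
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, max_length)
    if not d.eof:
        # Either the cap was hit or the stream is incomplete. Ask for at most
        # one more byte: if any appears, the real plaintext is over the limit.
        extra = d.decompress(d.unconsumed_tail, 1)
        if extra:
            raise DecompressionBombError(
                f"decompressed payload exceeds {max_length} bytes; refusing to inflate")
        if not d.eof:
            raise ValueError("truncated or malformed DEFLATE stream")
    return out


def demo() -> dict:
    # Constructed inputs: a small JWT-style claims set and a 16 MiB run of
    # zeros, which DEFLATE shrinks to a token of only a few kilobytes.
    claims = json.dumps({"sub": "alice", "iss": "example", "exp": 1700000000}).encode()
    bomb_token = compress_raw(b"\0" * (16 * 1024 * 1024))
    result = {"bomb_compressed_len": len(bomb_token), "bomb_rejected": False,
              "legit_roundtrip_ok": bounded_decompress(compress_raw(claims)) == claims}
    try:
        bounded_decompress(bomb_token)
    except DecompressionBombError:
        result["bomb_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```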
@princekhunt see above ☝️
I've already opened a pull request for a more robust fix. See https://github.com/mpdavis/python-jose/pull/352
👌
This appears duplicative to https://github.com/mpdavis/python-jose/pull/352 - I will close this in favor of the other PR.
Bump on this