C++: Decompression Bombs #13560
C++: Decompression Bombs #13560
Conversation
|
QHelp previews: cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.qhelpUser-controlled file decompressionExtracting Compressed files with any compression algorithm like gzip can cause denial of service attacks. Attackers can compress a huge file consisting of repeated similiar bytes into a small compressed file. RecommendationWhen you want to decompress a user-provided compressed file you must be careful about the decompression ratio or read these files within a loop byte by byte to be able to manage the decompressed size in each cycle of the loop. ExampleReading an uncompressed Gzip file within a loop and check for a threshold size in each cycle. #include "zlib.h"
void SafeGzread(gzFile inFileZ) {
const int MAX_READ = 1024 * 1024 * 4;
const int BUFFER_SIZE = 8192;
unsigned char unzipBuffer[BUFFER_SIZE];
unsigned int unzippedBytes;
unsigned int totalRead = 0;
while (true) {
unzippedBytes = gzread(inFileZ, unzipBuffer, BUFFER_SIZE);
totalRead += unzippedBytes;
if (unzippedBytes <= 0) {
break;
}
if (totalRead > MAX_READ) {
// Possible decompression bomb, stop processing.
break;
} else {
// process buffer
}
}
}
The following example is unsafe, as we do not check the uncompressed size. #include "zlib.h"
void UnsafeGzread(gzFile inFileZ) {
const int BUFFER_SIZE = 8192;
unsigned char unzipBuffer[BUFFER_SIZE];
unsigned int unzippedBytes;
while (true) {
unzippedBytes = gzread(inFileZ, unzipBuffer, BUFFER_SIZE);
if (unzippedBytes <= 0) {
break;
}
// process buffer
}
}
References
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsGzopen.ql
Fixed
Show fixed
Hide fixed
cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsGzopen.ql
Fixed
Show fixed
Hide fixed
cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsGzopen.ql
Fixed
Show fixed
Hide fixed
cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsGzopen.ql
Fixed
Show fixed
Hide fixed
cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsInflator.ql
Fixed
Show fixed
Hide fixed
cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsUncompress.ql
Fixed
Show fixed
Hide fixed
|
Hi, I've completed the work on this query and I don't have any further updates/commits here. |
One good and one bad example suffices to get the point across, and makes the help more readable. The examples also do not have to be complete.
There are no barriers, so the query as is will flag up any use of the identified functions.
|
@am0o0 I've opened am0o0#1 to do some clean up on this. If you're happy with the changes there, please merge and the changes should propagate to here. Given that you've indicated that you have little time, and since the bounty program is ending, this seems to be the best way forward to get this PR merged.
Could you point me to the part of the code where you need an additional flow step, then I can have a look. |
Cleanup cpp bombs
|
@jketema thank you alot for helping on this PR! |
|
You're welcome. How about the following?
|
|
@jketema I created a review of the tests. I mentioned you to receive a notification. IDK why the review doesn't exist in the main in here. |
I haven't received any notifications (as of yet). |
|
Ahh, the link of the comment(it wasn't a review): |
Thanks. I've opened am0o0#2 to address this. This can probably be improved, but matches what you did for minizip. |
C++: Fix zstd and clean up test
There was a problem hiding this comment.
Generally LGTM.
- great range of modelled sources and flow steps.
- I only checked a few of them are accurate (the rest do look reasonable).
- there are some minor issues with the documentation, but should be OK for experimental.
- test coverage is great, though lacking any "good" cases.
- quite a lot of results on MRVA (I guess because decompression is common and we model several libraries here); the results I examined looked plausible, but it's likely we'd want to take a closer look before promoting this query out of experimental.
- CI is failing.
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp
Outdated
Show resolved
Hide resolved
C++: Fix expected test results
This is part of All for one, one for all query submission, I'm going to submit an issue in github/securitylab for this pull request too.
this query will be upgraded more in this week whether in this pull request or in another pull request, currently I'm adding minizip, xz, bzip2, zstd, LZ4 related libraries.
I'm trying my best to add proper sanitizers too if there is any protection for each function as some functions are unsafe by default and can not be controlled during decompression.