Skip to content

fix(processor): bound decompressed document size to prevent decompression bombs#3076

Open
kanywst wants to merge 1 commit into
guacsec:mainfrom
kanywst:fix/decompression-bomb-limit
Open

fix(processor): bound decompressed document size to prevent decompression bombs#3076
kanywst wants to merge 1 commit into
guacsec:mainfrom
kanywst:fix/decompression-bomb-limit

Conversation

@kanywst

@kanywst kanywst commented Jun 20, 2026

Copy link
Copy Markdown

Description of the PR

decompressDocument read the bzip2/zstd stream with io.ReadAll and no size limit, so a small compressed document could expand to an arbitrary size and exhaust the processor's memory. The encoding is auto-detected from the blob's magic bytes, so any ingested artifact can reach this path.

This bounds the decompressed size with io.LimitReader and rejects documents that exceed the limit, matching the object-size handling already used by the blob collector (pkg/handler/collector/blob/blob.go). A 56 KB zstd input previously materialized 500 MiB in memory; it is now rejected once it passes the limit.

Fixes #3075

PR Checklist

  • All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
  • All new changes are covered by tests
  • If GraphQL schema is changed, make generate has been run
  • If GraphQL schema is changed, GraphQL client updates/additions have been made
  • If OpenAPI spec is changed, make generate has been run
  • If ent schema is changed, make generate has been run
  • If collectsub protobuf has been changed, make proto has been run
  • All CI checks are passing (tests and formatting)
  • All dependent PRs have already been merged

@kanywst kanywst force-pushed the fix/decompression-bomb-limit branch from 8abb629 to e6b3949 Compare June 20, 2026 12:41
…sion bombs

decompressDocument read the bzip2/zstd stream with io.ReadAll and no size
limit, so a small compressed document could expand to an arbitrary size and
exhaust the processor's memory. The encoding is auto-detected from the blob's
magic bytes, so any ingested artifact can trigger this. Wrap the reader in an
io.LimitReader and reject documents that exceed the limit, matching the
existing object-size handling in the blob collector.

Signed-off-by: kanywst <niwatakuma@icloud.com>
@kanywst kanywst force-pushed the fix/decompression-bomb-limit branch from e6b3949 to e6e80a2 Compare June 20, 2026 12:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[bug] Document decompression has no size limit (decompression bomb)

2 participants