Improper handling of highly compressed data
Description
Decompressing a file or buffer without bounding the size of the output can lead to a Denial of Service (DoS) through a decompression bomb: maliciously compressed data that is small on the wire or on disk but inflates to an extremely large size. Because the compressed input gives no reliable indication of how large the output will be, a process that decompresses it directly can exhaust memory, or fill the disk if the output is written to storage.
Examples
Insecure Code
```go
// Inflates whatever f contains with no bound on the decompressed size.
r, err := gzip.NewReader(f)
if err != nil {
	return err
}
io.Copy(os.Stdout, r)
```
Secure Code
```go
// Stop reading once one megabyte of decompressed data has been produced.
const oneMegabyte = 1 << 20
limitedReader := io.LimitReader(r, oneMegabyte)
io.Copy(os.Stdout, limitedReader)
```
Remediation
Use io.LimitReader to cap how many bytes the decompression routine can produce, and size the cap to what the consumer can actually handle. Note that io.LimitReader truncates silently: a bomb read through a one-megabyte limit simply yields the first megabyte with no error. If the caller needs to know that the input was oversized, read through a limit of one byte more than the allowed maximum and treat any read that exceeds the maximum as an error rather than as valid data.
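The following is an added, self-contained example (not code from the original page or from the rule's author) showing the full pattern. It constructs a small gzip stream that inflates to many megabytes as a stand-in for a real bomb, then decompresses it through an io.LimitReader sized to limit+1 so that an oversized stream is rejected with an error instead of being silently truncated. The names makeBomb, decompressLimited and ErrTooLarge are assumptions made for this example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the decompressed stream exceeds the configured limit.
// (Hypothetical name chosen for this example.)
var ErrTooLarge = errors.New("decompressed data exceeds limit")

// makeBomb builds a gzip stream that inflates to n zero bytes. This is a
// constructed sample input for the example: highly repetitive data compresses
// by roughly 1000:1, which is enough to show why the compressed size tells you
// nothing about the decompressed size.
func makeBomb(n int) ([]byte, error) {
	var buf bytes.Buffer
	zw, err := gzip.NewWriterLevel(&buf, gzip.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := zw.Write(make([]byte, n)); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// decompressLimited inflates a gzip stream but refuses to produce more than
// limit bytes. It reads through io.LimitReader with a cap of limit+1 so that a
// stream of exactly limit bytes is accepted, while anything larger is reported
// as ErrTooLarge instead of being silently cut off at the limit.
func decompressLimited(compressed []byte, limit int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()

	var out bytes.Buffer
	n, err := io.Copy(&out, io.LimitReader(zr, limit+1))
	if err != nil {
		return nil, err
	}
	if n > limit {
		// The reader produced more than allowed; discard the partial output.
		return nil, ErrTooLarge
	}
	return out.Bytes(), nil
}

func main() {
	bomb, err := makeBomb(64 << 20) // inflates to 64 MiB of zeros
	if err != nil {
		panic(err)
	}
	fmt.Printf("compressed: %d bytes, inflates to 64 MiB\n", len(bomb))

	_, err = decompressLimited(bomb, 1<<20)
	fmt.Println("with 1 MiB limit:", err) // with 1 MiB limit: decompressed data exceeds limit

	small, _ := makeBomb(1000)
	data, err := decompressLimited(small, 1<<20)
	fmt.Println("small payload:", len(data), err)
}
```

The limit+1 trick is what turns a silent truncation into a detectable failure. Two further points for real deployments: Go's gzip.Reader accepts concatenated gzip members by default (Multistream), so the limit must be applied to the whole inflated stream as shown, not per member; and for archive formats such as zip the same cap should be enforced per entry and across the total of all entries.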
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0782 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-409 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | decompression bomb, Denial of Service |
| OWASP | A1:2017-Injection, A03:2021-Injection |