
gzip / zip bomb mitigation

Open: chelyabinsk opened this issue 1 year ago, 1 comment

I think it is a good idea to have a check similar to the one implemented by Python's WebSocket library, as it is a very easy attack. Mainly, check that the decompressed size does not exceed some kind of limit when executing HTTP.decode.

A simple example.

First, generate a gzip file. I lifted code from this repo

time dd if=/dev/zero bs=1M count=$((20*1024)) | gzip > ./cake.gzip

When I execute the following I observe a jump in the resource usage, eventually leading to a crash of the julia process.

using HTTP

# The highly compressible gzip file generated above (≈20 GiB of zeros).
data = read("cake.gzip")

# Serve the compressed bytes verbatim; HTTP.serve! listens on 127.0.0.1:8081 by default.
server = HTTP.serve!() do request::HTTP.Request
   @show request
   @show request.method
   @show HTTP.header(request, "Content-Type")
   @show request.body
   try
       return HTTP.Response(data)
   catch e
       return HTTP.Response(400, "Error: $e")
   end
end

# Fetch without automatic decompression so the body stays compressed in memory.
r = HTTP.get("http://127.0.0.1:8081/"; decompress=false)

# Inflating the body in full is what exhausts memory and crashes the process.
HTTP.decode(r, "gzip")

Happy to provide further details. I can also try to implement a solution if that's going to be easier :)

chelyabinsk, May 11 '24 16:05
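The kind of bounded decode the issue asks for, shown as an added Python example (not HTTP.jl code, and not taken from the issue): zlib's `decompressobj` is asked for output in slices via `max_length`, so inflating stops as soon as the output budget is exceeded, before the full expansion is ever materialised. The sample bodies are constructed here; the names `gunzip_bounded` and `decode_or_reject` are this example's own.

```python
import gzip
import zlib

# Constructed sample inputs: a small legitimate body, and a "bomb" of 8 MiB of
# zeros that gzip shrinks to roughly 8 KiB (about a 1000:1 expansion ratio).
SMALL_BODY = gzip.compress(b'{"status": "ok"}')
ZERO_BOMB = gzip.compress(bytes(8 * 1024 * 1024))


class DecompressedSizeExceeded(Exception):
    """Inflated output would exceed the configured limit."""


def gunzip_bounded(payload: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip body while refusing to emit more than max_out bytes.

    Output is requested in bounded slices (max_length), so peak memory stays
    near max_out + chunk regardless of what the compressed stream expands to.
    Input that zlib could not yet consume is kept in `unconsumed_tail`.
    """
    inflater = zlib.decompressobj(wbits=31)  # 16 + 15: expect a gzip container
    out = bytearray()
    pending = payload
    while True:
        # Ask for one byte past the remaining budget so an overflow is visible
        # without allocating a large buffer (max_length=0 would mean "unlimited").
        want = min(chunk, max_out - len(out) + 1)
        piece = inflater.decompress(pending, want)
        out += piece
        if len(out) > max_out:
            raise DecompressedSizeExceeded(
                f"decompressed size exceeds {max_out} bytes "
                f"(compressed input was only {len(payload)} bytes)")
        pending = inflater.unconsumed_tail
        if inflater.eof:
            return bytes(out)
        if not pending and not piece:
            raise ValueError("truncated gzip stream")


def decode_or_reject(payload: bytes, max_out: int):
    """Return the inflated body, or None when it would exceed max_out bytes."""
    try:
        return gunzip_bounded(payload, max_out)
    except DecompressedSizeExceeded:
        return None
```

Rejecting on an absolute decompressed size rather than a compression ratio keeps small bodies that happen to compress extremely well decodable while still bounding memory.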

This also needs to be done for websockets.

https://github.com/JuliaWeb/HTTP.jl/issues/1181

bryaan, Jun 06 '24 23:06