Limit token size to 250 KB
Bump on this
Unfortunately the proposed fix just checks that the incoming uncompressed data is no more than 250KB. I don't know what the maximum size a maliciously crafted 250KB token could expand to, but I imagine it could be significant. Some basic tests suggest that a 250KB token can expand to about 250MB.
In addition to sensibly checking the size of the compressed token, I would suggest changing the decompress function in jwe.py to use the decompress method on an instance of zlib.Decompress. The decompress method accepts a max_length which can limit the size of the decompressed data.
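The bounded-decompression approach described in the comment above, as an added illustration that is not code from python-jose or from the linked pull request. It combines the compressed-size check with `zlib.decompressobj().decompress(data, max_length)` so that an oversized stream is rejected before it is fully expanded. The 250 KB limits, the `DecompressionBombError` name and the zero-filled sample payload are constructed for this example; the `wbits` value must match whatever the encoder used (raw DEFLATE as in RFC 7516 would need `-zlib.MAX_WBITS`), so it is left as a parameter.

```python
import zlib

# Constructed limits for this example; real values belong in the JWE layer's config.
MAX_COMPRESSED = 250 * 1024
MAX_DECOMPRESSED = 250 * 1024


class DecompressionBombError(ValueError):
    """Raised when a payload is larger, compressed or expanded, than the allowed size."""


def bounded_decompress(data: bytes,
                       max_compressed: int = MAX_COMPRESSED,
                       max_decompressed: int = MAX_DECOMPRESSED,
                       wbits: int = zlib.MAX_WBITS) -> bytes:
    """Decompress `data`, refusing anything that would exceed the configured sizes.

    The compressed-size check is cheap but insufficient on its own: a few KB of
    DEFLATE can expand to hundreds of MB. The max_length argument to
    Decompress.decompress() caps how much output zlib is allowed to produce, so
    the bomb is detected after at most `max_decompressed + 1` bytes are emitted.
    """
    if len(data) > max_compressed:
        raise DecompressionBombError(
            f"compressed payload is {len(data)} bytes, limit is {max_compressed}")

    d = zlib.decompressobj(wbits=wbits)
    # Ask for one byte more than the limit: if we get it, the stream is too big.
    out = d.decompress(data, max_decompressed + 1)
    if len(out) > max_decompressed:
        raise DecompressionBombError(
            f"decompressed payload exceeds {max_decompressed} bytes")
    # Output stayed under the cap, so zlib consumed all input; make sure the
    # stream actually terminated rather than being truncated or malformed.
    if not d.eof:
        raise ValueError("truncated or malformed compressed stream")
    return out


def would_exceed_limit(data: bytes, **limits) -> bool:
    """True if `data` would be rejected as a decompression bomb."""
    try:
        bounded_decompress(data, **limits)
    except DecompressionBombError:
        return True
    return False


def make_sample_bomb(expanded_size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed sample: a run of zero bytes compresses to a tiny stream."""
    return zlib.compress(b"\0" * expanded_size, 9)


if __name__ == "__main__":
    bomb = make_sample_bomb()
    # Unbounded zlib.decompress() would happily allocate the full 8 MiB here.
    ratio = len(zlib.decompress(bomb)) / len(bomb)
    print(f"sample bomb: {len(bomb)} bytes compressed, expansion ratio ~{ratio:.0f}x")
    print("rejected by bounded_decompress:", would_exceed_limit(bomb))
    print("small legitimate payload:",
          bounded_decompress(zlib.compress(b'{"sub":"alice"}')))
```

Note that `Decompress.flush()` is deliberately not called after `decompress()`: it would process any `unconsumed_tail` without honouring `max_length`, which reintroduces the unbounded expansion the cap is meant to prevent.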
@princekhunt see above ☝️
I've already opened a pull request for a more robust fix. See https://github.com/mpdavis/python-jose/pull/352
👌
This appears duplicative to https://github.com/mpdavis/python-jose/pull/352 - I will close this in favor of the other PR.