From 19a90a64c47bb07c4aa5462f1316d5c293d81fcf Mon Sep 17 00:00:00 2001 From: Brian Campbell Date: Wed, 6 Mar 2024 11:43:53 -0700 Subject: [PATCH] Safeguard against excessive resource utilization by restricting the size of data during JWE payload decompression (fix #220) --- .../DeflateRFC1951CompressionAlgorithm.java | 28 +++++++++++++++++++ ...eflateRFC1951CompressionAlgorithmTest.java | 22 +++++++++++++++ 2 files changed, 50 insertions(+) diff --git a/src/main/java/org/jose4j/zip/DeflateRFC1951CompressionAlgorithm.java b/src/main/java/org/jose4j/zip/DeflateRFC1951CompressionAlgorithm.java index 6a0d8fe..6061b69 100644 --- a/src/main/java/org/jose4j/zip/DeflateRFC1951CompressionAlgorithm.java +++ b/src/main/java/org/jose4j/zip/DeflateRFC1951CompressionAlgorithm.java @@ -19,6 +19,8 @@ package org.jose4j.zip; import org.jose4j.keys.KeyPersuasion; import org.jose4j.lang.JoseException; import org.jose4j.lang.UncheckedJoseException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; @@ -32,6 +34,27 @@ import java.util.zip.InflaterInputStream; */ public class DeflateRFC1951CompressionAlgorithm implements CompressionAlgorithm { + private static final Logger log = LoggerFactory.getLogger(DeflateRFC1951CompressionAlgorithm.class); + public static final String DECOMPRESS_MAX_BYTES_PROPERTY_NAME = "org.jose4j.zip.decompress-max-bytes"; + + private int maxDecompressedBytes = 204800; + + public DeflateRFC1951CompressionAlgorithm() + { + String property = System.getProperty(DECOMPRESS_MAX_BYTES_PROPERTY_NAME, "204800"); + try + { + maxDecompressedBytes = Integer.parseInt(property); + } + catch (NumberFormatException e) + { + log.debug("Using the default value of "+maxDecompressedBytes+" for the maximum allowed size of decompressed data " + + "because the system property " + DECOMPRESS_MAX_BYTES_PROPERTY_NAME + " contains an invalid value: " + e); + } + + log.debug(""); + } + public byte[] compress(byte[] data) { Deflater deflater = new Deflater(Deflater.DEFLATED, true); @@ -64,6 +87,11 @@ public class DeflateRFC1951CompressionAlgorithm implements CompressionAlgorithm while ((bytesRead = iis.read(buff)) != -1) { byteArrayOutputStream.write(buff, 0, bytesRead); + if (byteArrayOutputStream.size() > maxDecompressedBytes) + { + throw new JoseException("Maximum allowed size of decompressed data exceeded (which is " + +maxDecompressedBytes+" bytes but configurable with the "+ DECOMPRESS_MAX_BYTES_PROPERTY_NAME +" system property)"); + } } return byteArrayOutputStream.toByteArray(); diff --git a/src/test/java/org/jose4j/zip/DeflateRFC1951CompressionAlgorithmTest.java b/src/test/java/org/jose4j/zip/DeflateRFC1951CompressionAlgorithmTest.java index 2eabe73..716308e 100644 --- a/src/test/java/org/jose4j/zip/DeflateRFC1951CompressionAlgorithmTest.java +++ b/src/test/java/org/jose4j/zip/DeflateRFC1951CompressionAlgorithmTest.java @@ -20,11 +20,33 @@ import junit.framework.TestCase; import org.jose4j.base64url.Base64Url; import org.jose4j.lang.JoseException; import org.jose4j.lang.StringUtil; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + /** */ public class DeflateRFC1951CompressionAlgorithmTest extends TestCase { + private static final Logger log = LoggerFactory.getLogger(DeflateRFC1951CompressionAlgorithmTest.class); + + public void testDeflatedDataTooBig() throws JoseException + { + byte[] data = new byte[100000000]; // will compress very well + CompressionAlgorithm ca = new DeflateRFC1951CompressionAlgorithm(); + byte[] compressed = ca.compress(data); + assertTrue(data.length > compressed.length); + try + { + byte[] decompress = ca.decompress(compressed); + fail("should not have decompressed b/c too big size " + decompress.length); + } + catch (JoseException e) + { + log.debug("Expected exception because this tests going over the max allowed size of decompressed data " + e); + } + } + public void testRoundTrip() throws JoseException { String dataString = "test test test test test test test test test test test test test test test test and stuff"; -- 2.52.0