security: zlib inflate methods might be vulnerable to zip bombs

[jorangreef]

From the documentation, it doesn't appear that there is any way to limit zlib's inflate methods max uncompressed size?

Without a way to limit the maximum amount of data to be uncompressed, Node's zlib inflate methods could be vulnerable to zip bombs, where a few megabytes of input could result in hundreds of megabytes of uncompressed data.

For parsers such as https://github.com/thejoshwolfe/yauzl, which parse the zip format, and which know the compressed and uncompressed sizes exactly, ahead of time, it should be possible to pass this information on to zlib's inflate methods, so that these can stop when they uncompress more than the zip container allows.

zlib's inflate methods should throw an error when more than maxUncompressedSize has been inflated.

See also: thejoshwolfe/yauzl#107

[addaleax]

With the streaming zlib methods, it is possible to limit output size – the chunkSize option controls the output buffer size (although there currently doesn’t seem to be documentation on what it does, only that it exists), and no new input will not be consumed when no output data is being read from the stream.

I don’t think there’s anything like this for the synchronous methods – it should be possible to add options for them as well, if you think that that helps.

[jorangreef]

Thanks @addaleax , an option for the sync methods, as well as for the asynchronous one-shot methods, e.g. zlib.inflateRaw(), would help.

[jasnell]

We can definitely look at this for the sync methods, but in the future, for potential security issues, even if you're not entirely sure if it is a security issue, please use our hackerone account to report it more discreetly :-) https://hackerone.com/nodejs