Detect truncated GZip streams

[mfkl]

For context, please see:

• Add strict validation to System.IO.Compression.GZipStream #47563,
• and https://stackoverflow.com/questions/9456563/gzipstream-doesnt-detect-corrupt-data-even-crc32-passes

TL;DR: The System.IO.Compression.GZipStream implementation over zlib does not currently do strict native error reporting when it comes to truncated streams. Other zlib .NET managed implementation or bindings over the native API do report issues on corrupt data, but they rely on an error code returned by zlib, which should be ignored sometimes. This PR tries to address this edge case.

I initially used the approach of relying on the zlib buf errors to implement this (as some other community wrappers have done), but it failed some of your tests. So, I decided to add a new API parameter to enable "strict validation" as an opt-in.

But, after more troubleshooting with the help from @marcin-krystianc, it seems we could do without the new API if we don't rely on zlib buf errors. Some of the existing unit tests should actually be changed to account for the new behavior (e.g. throw on invalid data) as I've done in mfkl@196783b

I'm eager to hear your feedback on this as I'm no compression expert.

[ghost]

Tagging subscribers to this area: @dotnet/area-system-io-compression
See info in area-owners.md if you want to be subscribed.

Issue Details

---

For context, please see:

• Add strict validation to System.IO.Compression.GZipStream #47563,
• and https://stackoverflow.com/questions/9456563/gzipstream-doesnt-detect-corrupt-data-even-crc32-passes

TL;DR: The System.IO.Compression.GZipStream implementation over zlib does not currently do strict native error reporting when it comes to truncated streams. Other zlib .NET managed implementation or bindings over the native API do report issues on corrupt data, but they rely on an error code returned by zlib, which should be ignored sometimes. This PR tries to address this edge case.

I initially used the approach of relying on the zlib buf errors to implement this (as some other community wrappers have done), but it failed some of your tests. So, I decided to add a new API parameter to enable "strict validation" as an opt-in.

But, after more troubleshooting with the help from @marcin-krystianc, it seems we could do without the new API if we don't rely on zlib buf errors. Some of the existing unit tests should actually be changed to account for the new behavior (e.g. throw on invalid data) as I've done in mfkl@196783b

I'm eager to hear your feedback on this as I'm no compression expert.

Author:	mfkl
Assignees:	-
Labels:	area-System.IO.Compression
Milestone:	-

[mfkl]

Hmm the failed jobs look unrelated to this PR. This is ready for review /cc @adamsitnik @danmoseley @carlossanlop

[danmoseley]

is the 'else' needed here - eg codegen improves because it does not realize that the throw method never returns?

[mfkl]

I'm not sure how to properly check this but I'll look into it.

[mfkl]

If I checked things correctly (by codegen you meant IL and not x86, right?), this is the result. With the else

      // [286 28 - 286 54]
      IL_00bc: call         void System.IO.Compression.DeflateStream::ThrowGenericInvalidData()
      IL_00c1: nop          

      // [287 25 - 287 26]
      IL_00c2: nop          

      IL_00c3: br.s         IL_00c8

      // [289 25 - 289 26]
      IL_00c5: nop          

      // [290 29 - 290 35]
      IL_00c6: br.s         IL_0120

      // [292 21 - 292 22]
      IL_00c8: nop          

      IL_00c9: br.s         IL_00fc

Without the else

      // [286 28 - 286 54]
      IL_00bc: call         void System.IO.Compression.DeflateStream::ThrowGenericInvalidData()
      IL_00c1: nop          

      // [287 25 - 287 26]
      IL_00c2: nop          

      // [290 29 - 290 35]
      IL_00c3: br.s         IL_011a

So it seems you are correct! I updated the PR accordingly.

[danmoseley]

By codegen we generally mean assembly code. Usually the quickest way to verify that is with sharplab.io. Not sure how much the IL correlates. But it makes sense to change as you suggest.

[danmoseley]

does this manage to hit all the 4 new throw statements?

[mfkl]

Yes it does.

[danmoseley]

nit, would nonEmptyInput be better name? a zero input might be a buffer of zeroes.
or perhaps this means nonEmptyOutput?

[mfkl]

Changed to nonEmptyInput.

[danmoseley]

cc @adamsitnik @carlossanlop @jozkee are the full compression crew.

[mfkl]

As mentioned in #61768 (comment), CI failure is unrelated, please feel free to restart a CI build, thanks!

[danmoseley]

@mfkl you can restart CI by close and reopen actually ..

[mfkl]

Anything I can do to help move the review process forward?

Even though it is quite an edge case, it'd be nice to get this merged in, as it fixes one really old bug with regard to gzip streams in dotnet.

[stackedsax]

Hey there @danmoseley @jozkee, any updates from your side on this?

[danmoseley]

Apologies for the delay @mfkl . Perhaps @jozkee can set expectations as I know he's juggling several tasks.

[jozkee]

These conditions still hold true in CopyTo[Async].

Suggested change

	if (!_deflateStream._inflater.Finished())
	{
	ThrowGenericInvalidData();
	}
	if (!_deflateStream._inflater.Finished())
	{
	Debug.Assert(_deflateStream._inflater.NonEmptyInput());
	Debug.Assert(_deflateStream._inflater.AvailableOutput > 0);
	ThrowGenericInvalidData();
	}

[jozkee]

I understand the condition as "if we haven't finished inflating AND there's partial input set AND there's already output available; we are in the bad state and we should throw".
Is it possible (i.e: an scenario) where there could be partial input but not available output?

[jozkee]

Can you please double check test-code-coverage of the three conditions. If I remove _inflater.AvailableOutput > 0 all tests still pass.

[mfkl]

Yes, without _inflater.AvailableOutput > 0, the following test fails.

  System.IO.InvalidDataException : Found invalid data while decoding.

  Stack Trace: 
DeflateStream.ThrowGenericInvalidData() line 348
DeflateStream.ReadCore(Span`1 buffer) line 280
DeflateStream.Read(Byte[] buffer, Int32 offset, Int32 count) line 235
ZipFileTestBase.ReadAllBytes(Stream stream, Byte[] buffer, Int32 offset, Int32 count) line 83
ZipFileTestBase.StreamsEqual(Stream ast, Stream bst, Int32 blocksToRead) line 142
ZipFileTestBase.StreamsEqual(Stream ast, Stream bst) line 111
ZipFile_Create.CreateFromDirectory_IncludeBaseDirectory() line 42

This is the reason I added an async version of the test in this PR, to cover the async code path.

[jozkee]

Aside of truncation tests, could we test changing byte values?

[mfkl]

sure, I'll re-use the test from the original SO thread, if that is fine with you.

[danmoseley]

@mfkl it's fine to reuse that from SO per the SO license. If you end up essentially pasting as-is, please add a few lines to our THIRD-PARTY-NOTICES to ensure that the poster is recognized. If you write something that effectively does the same thing, that's probably not necessary.

[mfkl]

Yes, I believe so @danmoseley.

[jozkee]

I've been rethinking it and I think it makes sense to not throw for buffer.IsEmpty, we don't pinvoke inflate in such case so there's no way to tell if there's still available output on the inflater.

[jozkee]

This will eat-up false positives. You can do this instead:

Assert.Throws<InvalidDataException>(() => { while (ZipFileTestBase.ReadAllBytes(s, buffer, 0, buffer.Length) != 0) ; });

If there are cases where a corruption can't be expected (e.g: changing a header byte), we should skip them, but they should be deliberated.

[mfkl]

Ok, I did this (code may not be elegant though, let me know if you have a more elegant version in mind).

Skipping though means that we do not check the decompression process was successful in these cases (e.g. comparing the decompressed buffer with the initial source). It may or may not be relevant to do so, I'm not sure.

[jozkee]

I'm not exactly sure what you mean here, but I think the way you have it in the latest commits is the way to go, we should always assert for the exception when desired, not just ignore it (unless there's a reason for it).

runtime/src/libraries/System.IO.Compression/tests/CompressionStreamUnitTests.ZLib.cs

Lines 49 to 52 in e4c1d7f

	Assert.Throws<InvalidDataException>(() =>
	{
	while (ZipFileTestBase.ReadAllBytes(decompressor, buffer, 0, buffer.Length) != 0);
	});

[mfkl]

zlib should be able to detect corruption as with gzip currently (but not brotli). I'm looking for a way to add this test without duplicating code (as some types of streams are unable to detect such corruption).

[mfkl]

For the truncated error case, should a new error message be created to more precisely describe the problem?

Currently Found invalid data while decoding is used (and Decoder ran into invalid data for brotli). It could be Found truncated data while decoding to provide a more meaningful hint.

Aside from this, I think it's OK now. Let me know!

[jozkee]

Can you please add, as a comment, the reason why these bytes don't corrupt the compressed data?

[mfkl]

Ok, done.

[jozkee]

Shouldn't we add this test to CompressionStreamUnitTests.Deflate.cs as well?

[mfkl]

Sadly this is not really an option as DeflateStream does not do CRC, hence fails to detect stream corruption (unlike zlib and gzip streams). Truncation detection works fine though.

[jozkee]

For the truncated error case, should a new error message be created to more precisely describe the problem?

Currently Found invalid data while decoding is used (and Decoder ran into invalid data for brotli). It could be Found truncated data while decoding to provide a more meaningful hint.

I think we can do that, feel free to add your proposed error message to the .\src\libraries\System.IO.Compression\src\Resources\Strings.resx file and use it as needed.

[jozkee]

LGTM, thanks @mfkl

[ghost]

Added needs-breaking-change-doc-created label because this PR has the breaking-change label.

When you commit this breaking change:

1. Create and link to this PR and the issue a matching issue in the dotnet/docs repo using the breaking change documentation template, then remove this needs-breaking-change-doc-created label.
2. Ask a committer to mail the .NET Breaking Change Notification DL.

Tagging @dotnet/compat for awareness of the breaking change.

[mfkl]

Thanks for the review feedback @jozkee :)

[stephentoub]

Reverted in #72742

[stephentoub]

@ericstj, I've removed the breaking change labels as this was reverted.

[ericstj]

Thank you @stephentoub