insecure use of collect(upTo: contentLength) #40

Closed
weissi opened this issue Jun 21, 2024 · 2 comments

Comments


weissi commented Jun 21, 2024

let expectedBytes = response.headers.first(name: "content-length").flatMap(Int.init)

This line should be fixed to use a fixed limit. Setting it to contentLength doesn't make sense, as that'd be the same as "limiting" it by Int.max (because content-length is attacker controlled and can be set to anything the other side wants). If that's desired (unlikely, as that would open it up to denial of service attacks), then I'd recommend being explicit: collect(upTo: Int.max).

But really: this should be a fixed number (maybe 16 MiB), the maximum number of bytes you're willing to balloon into memory here.


Please note that you do not need to validate (or even read) the content-length header; AsyncHTTPClient and SwiftNIO validate that it's correct (if present at all).
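The two patterns side by side, as an added illustration that is not part of the issue thread or of the project's own code. It assumes AsyncHTTPClient's async `HTTPClientResponse` API and NIOCore's `collect(upTo:)` on `AsyncSequence<ByteBuffer>`, which throws `NIOTooManyBytesError` when the cap is exceeded; the function names and the 16 MiB figure are illustrative choices, the latter taken from the comment above.

```swift
import AsyncHTTPClient
import NIOCore

/// Upper bound on how much response body we are willing to buffer in memory.
/// 16 MiB is the figure floated in the issue; choose what fits your use case.
let maxBodyBytes = 16 * 1024 * 1024

// Pattern the issue reports: the cap is derived from the peer's own
// Content-Length header, so the peer decides how much memory we allocate.
// Sending a huge Content-Length (or no header, giving Int.max) lets a
// malicious server balloon the client's memory.
func collectBodyUnbounded(_ response: HTTPClientResponse) async throws -> ByteBuffer {
    let expectedBytes = response.headers.first(name: "content-length").flatMap(Int.init)
    return try await response.body.collect(upTo: expectedBytes ?? Int.max)
}

// Hardened pattern: a fixed cap chosen by the client, independent of anything
// the server sends. Content-Length is not read at all; AsyncHTTPClient and
// SwiftNIO already check that the declared length matches the framing.
// `collect(upTo:)` throws `NIOTooManyBytesError` as soon as more than
// `maxBodyBytes` arrive, so an oversized body fails fast instead of
// exhausting memory.
func collectBodyBounded(_ response: HTTPClientResponse) async throws -> ByteBuffer {
    return try await response.body.collect(upTo: maxBodyBytes)
}

/// Hypothetical caller showing how the size error surfaces to the application.
/// `client` is assumed to be an already-configured `HTTPClient`.
func fetchBounded(_ url: String, using client: HTTPClient) async throws -> ByteBuffer? {
    let request = HTTPClientRequest(url: url)
    let response = try await client.execute(request, timeout: .seconds(30))
    do {
        return try await collectBodyBounded(response)
    } catch is NIOTooManyBytesError {
        // The server tried to send more than we are willing to buffer.
        // Treat it as a failed fetch rather than growing the buffer.
        return nil
    }
}
```

The only change between the two collectors is where the limit comes from: a value the client fixes at compile time versus one the remote end supplies. The bounded version also needs no header parsing at all, which is the second point made in the comment above.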

@iabudiab

@weissi Yup, absolutely right. I'll take care of that. Thanks for the report 👍


iabudiab commented Jul 1, 2024

This should be fixed in the latest release, 0.18.0.

@iabudiab iabudiab closed this as completed Jul 1, 2024