Add ->max_body_size accessor

Max Maischein · oalders · commit 7fc855e1d64c · 2022-10-18T09:40:07.000-04:00
Limit decoded body size by manually decoding the compressed content This creates one (more) copy of the content if we limit the output because Zlib and Bzip2 want to remove the consumed input from the input string. Also, this moves away from IO::Uncompress::Gunzip and IO::Uncompress::Bzip2 in favour of Compress::Raw::Zlib and Compress::Raw::Bzip2 because I found no way to convince IO::Uncompress::Gunzip::gunzip to pass through the appropriate limiting options. The API is extended (but not yet documented) in three ways: 1) A global variable, $HTTP::Message::MAX_BODY_SIZE to limit the maximum size of ->decoded_content 2) An accessor, ->max_body_size, which can be set for individual HTTP::Responses 3) An optional parameter to ->decoded_content, which certainly is the most preferrable option but requires cooperation from all locations where ->decoded_content is called. Output the Compress::Raw::Zlib version in case a test fails We might be fine with version 2.061... Up our prerequisite to 2.061 for the time being... Update META.json as well... Amend changes * Eliminate use of wantarray() in ->max_body_size * Eliminate use of vars.pm Also handle Brotli (de)compression Reindent to match source Only run zipbomb tests if we have a recent version of Compress::Raw::Zlib The Bufsize parameter was introduced in 2.060, so using 2.061 should be fairly safe here Remove debugging comments, remove misleading comments In #181 , #181 (review) Add Changes blurb ... mostly to pacify the gods of CI
diff --git a/Changes b/Changes
@@ -7,6 +7,13 @@ Revision history for HTTP-Message
       from 2048 to 8192. This was suggested in RT#105184, as it improved
       performance for them. (GH#59) (Neil Bowers)
 
+6.41      2022-10-12 15:57:40Z
+    - Add maximum size for HTTP::Message->decoded_content
+      This can be used to limit the size of a decompressed HTTP response,
+      especially when making requests to untrusted or user-specified servers.
+      The $HTTP::Message::MAXIMUM_BODY_SIZE variable and the ->max_body_size
+      accessor can set this limit. (GH#181) (Max Maischein)
+
 6.40      2022-10-12 15:45:52Z
     - Fixed two typos in the doc, originally reported by FatherC
       in RT#90716, ported over as GH#57. (GH#57) (Neil Bowers)
diff --git a/META.json b/META.json
@@ -61,6 +61,7 @@
             "IO::Compress::Bzip2" : "2.021",
             "IO::Compress::Deflate" : "0",
             "IO::Compress::Gzip" : "0",
+            "Compress::Raw::Zlib" : "2.061",
             "IO::HTML" : "0",
             "IO::Uncompress::Bunzip2" : "2.021",
             "IO::Uncompress::Gunzip" : "0",
diff --git a/Makefile.PL b/Makefile.PL
@@ -32,6 +32,7 @@ my %WriteMakefileArgs = (
     "IO::Uncompress::Gunzip" => 0,
     "IO::Uncompress::Inflate" => 0,
     "IO::Uncompress::RawInflate" => 0,
+    "Compress::Raw::Zlib" => 2.061,
     "LWP::MediaTypes" => 6,
     "MIME::Base64" => "2.1",
     "MIME::QuotedPrint" => 0,
diff --git a/lib/HTTP/Message.pm b/lib/HTTP/Message.pm
@@ -8,6 +8,8 @@ our $VERSION = '6.41';
 require HTTP::Headers;
 require Carp;
 
+our $MAXIMUM_BODY_SIZE;
+
 my $CRLF = "\015\012";   # "\r\n" is not portable
 unless ($HTTP::URI_CLASS) {
     if ($ENV{PERL_HTTP_URI_CLASS}
@@ -53,10 +55,10 @@ sub new
     bless {
 	'_headers' => $header,
 	'_content' => $content,
+	'_max_body_size' => $HTTP::Message::MAXIMUM_BODY_SIZE,
     }, $class;
 }
 
-
 sub parse
 {
     my($class, $str) = @_;
@@ -277,6 +279,17 @@ sub content_charset
     return undef;
 }
 
+sub max_body_size  {
+    my $self = $_[0];
+    my $old = $self->{_max_body_size};
+    $self->_set_max_body_size($_[1]) if @_ > 1;
+    return $old;
+}
+
+sub _set_max_body_size {
+    my $self = $_[0];
+    $self->{_max_body_size} = $_[1];
+}
 
 sub decoded_content
 {
@@ -288,34 +301,85 @@ sub decoded_content
 	$content_ref = $self->content_ref;
 	die "Can't decode ref content" if ref($content_ref) ne "SCALAR";
 
+	my $content_limit = exists $opt{ max_body_size } ? $opt{ max_body_size }
+			: defined $self->max_body_size ? $self->max_body_size
+			: undef
+			;
+	my %limiter_options;
+	if( defined $content_limit ) {
+	    %limiter_options = (LimitOutput => 1, Bufsize => $content_limit);
+	};
 	if (my $h = $self->header("Content-Encoding")) {
 	    $h =~ s/^\s+//;
 	    $h =~ s/\s+$//;
 	    for my $ce (reverse split(/\s*,\s*/, lc($h))) {
 		next unless $ce;
 		next if $ce eq "identity" || $ce eq "none";
 		if ($ce eq "gzip" || $ce eq "x-gzip") {
-		    require IO::Uncompress::Gunzip;
-		    my $output;
-		    IO::Uncompress::Gunzip::gunzip($content_ref, \$output, Transparent => 0)
-			or die "Can't gunzip content: $IO::Uncompress::Gunzip::GunzipError";
+		    require Compress::Raw::Zlib; # 'WANT_GZIP_OR_ZLIB', 'Z_BUF_ERROR';
+
+		    if( ! $content_ref_iscopy and keys %limiter_options) {
+			# Create a copy of the input because Zlib will overwrite it
+			# :-(
+			my $input = "$$content_ref";
+			$content_ref = \$input;
+			$content_ref_iscopy++;
+		    };
+		    my ($i, $status) = Compress::Raw::Zlib::Inflate->new(
+			%limiter_options,
+			ConsumeInput => 0, # overridden by Zlib if we have %limiter_options :-(
+			WindowBits => Compress::Raw::Zlib::WANT_GZIP_OR_ZLIB(),
+		    );
+		    my $res = $i->inflate( $content_ref, \my $output );
+		    $res == Compress::Raw::Zlib::Z_BUF_ERROR()
+			and Carp::croak("Decoded content would be larger than $content_limit octets");
+		    $res == Compress::Raw::Zlib::Z_OK()
+		    or $res == Compress::Raw::Zlib::Z_STREAM_END()
+		    or die "Can't gunzip content: $res";
 		    $content_ref = \$output;
 		    $content_ref_iscopy++;
 		}
 		elsif ($ce eq 'br') {
 		    require IO::Uncompress::Brotli;
 		    my $bro = IO::Uncompress::Brotli->create;
-		    my $output = eval { $bro->decompress($$content_ref) };
+
+		    my $output;
+		    if( defined $content_limit ) {
+			$output = eval { $bro->decompress( $$content_ref, $content_limit ); }
+		    } else {
+			$output = eval { $bro->decompress($$content_ref) };
+		    }
+
 		    $@ and die "Can't unbrotli content: $@";
 		    $content_ref = \$output;
 		    $content_ref_iscopy++;
 		}
 		elsif ($ce eq "x-bzip2" or $ce eq "bzip2") {
-		    require IO::Uncompress::Bunzip2;
+		    require Compress::Raw::Bzip2;
+
+		    if( ! $content_ref_iscopy ) {
+			# Create a copy of the input because Bzlib2 will overwrite it
+			# :-(
+			my $input = "$$content_ref";
+			$content_ref = \$input;
+			$content_ref_iscopy++;
+		    };
+		    my ($i, $status) = Compress::Raw::Bunzip2->new(
+			1, # appendInput
+			0, # consumeInput
+			0, # small
+			$limiter_options{ LimitOutput } || 0,
+		    );
 		    my $output;
-		    IO::Uncompress::Bunzip2::bunzip2($content_ref, \$output, Transparent => 0)
-			or die "Can't bunzip content: $IO::Uncompress::Bunzip2::Bunzip2Error";
-		    $content_ref = \$output;
+		    $output = "\0" x $limiter_options{ Bufsize }
+			if $limiter_options{ Bufsize };
+		    my $res = $i->bzinflate( $content_ref, \$output );
+		    $res == Compress::Raw::Bzip2::BZ_OUTBUFF_FULL()
+			and Carp::croak("Decoded content would be larger than $content_limit octets");
+		    $res == Compress::Raw::Bzip2::BZ_OK()
+		    or $res == Compress::Raw::Bzip2::BZ_STREAM_END()
+			or die "Can't bunzip content: $res";
+			    $content_ref = \$output;
 		    $content_ref_iscopy++;
 		}
 		elsif ($ce eq "deflate") {
diff --git a/t/message-decode-brotlibomb.t b/t/message-decode-brotlibomb.t
@@ -0,0 +1,104 @@
+# https://rt.cpan.org/Public/Bug/Display.html?id=52572
+
+use strict;
+use warnings;
+
+use Test::More;
+
+use HTTP::Headers    qw();
+use HTTP::Response   qw();
+
+my $ok = eval {
+    require IO::Compress::Brotli;
+    require IO::Uncompress::Brotli;
+    1;
+};
+if(! $ok) {
+    plan skip_all => "IO::Compress::Brotli needed; $@";
+    exit
+}
+plan tests => 9;
+
+# Create a nasty brotli stream:
+my $size = 16 * 1024 * 1024;
+my $stream = "\0" x $size;
+
+# Compress that stream one time (since it won't compress it twice?!):
+my $compressed = $stream;
+my $bro = IO::Compress::Brotli->create;
+
+for( 1 ) {
+    my $last = $compressed;
+    $compressed = $bro->compress( $compressed );
+    $compressed .= $bro->finish();
+    note sprintf "Encoded size %d bytes after round %d", length $compressed, $_;
+};
+
+my $body = $compressed;
+
+my $headers = HTTP::Headers->new(
+    Content_Type => "application/xml",
+    Content_Encoding => 'br', # only one round needed for Brotli
+);
+my $response = HTTP::Response->new(200, "OK", $headers, $body);
+
+my $len = length $response->decoded_content;
+is($len, 16 * 1024 * 1024, "Self-test: The decoded content length is 16M as expected" );
+
+# Manual decompression check
+my $output = $compressed;
+for( 1 ) {
+    my $unbro = IO::Uncompress::Brotli->create();
+    $output = $unbro->decompress($compressed);
+};
+
+$headers = HTTP::Headers->new(
+    Content_Type => "application/xml",
+    Content_Encoding => 'br' # say my name, but only once
+);
+
+$HTTP::Message::MAXIMUM_BODY_SIZE = 1024 * 1024;
+
+$response = HTTP::Response->new(200, "OK", $headers, $body);
+is $response->max_body_size, 1024*1024, "The default maximum body size holds";
+
+$response->max_body_size( 512*1024 );
+is $response->max_body_size, 512*1024, "We can change the maximum body size";
+
+my $content;
+my $lives = eval {
+    $content = $response->decoded_content( raise_error => 1 );
+    1;
+};
+my $err = $@;
+is $lives, undef, "We die when trying to decode something larger than our global limit of 512k"
+    or diag "... using IO::Uncompress::Brotli version $IO::Uncompress::Brotli::VERSION";
+
+$response->max_body_size(undef);
+is $response->max_body_size, undef, "We can remove the maximum size restriction";
+$lives = eval {
+    $content = $response->decoded_content( raise_error => 0 );
+    1;
+};
+is $lives, 1, "We don't die when trying to decode something larger than our global limit of 1M";
+is length $content, 16 * 1024*1024, "We get the full content";
+is $content, $stream, "We really get the full content";
+
+# The best usage of ->decoded_content:
+$lives = eval {
+    $content = $response->decoded_content(
+        raise_error => 1,
+        max_body_size => 512 * 1024 );
+    1;
+};
+$err = $@;
+is $lives, undef, "We die when trying to decode something larger than our limit of 512k using a parameter"
+    or diag "... using IO::Uncompress::Brotli version $IO::Uncompress::Brotli::VERSION";
+
+=head1 SEE ALSO
+
+L<https://security.stackexchange.com/questions/51071/zlib-deflate-decompression-bomb>
+
+L<http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html>
+
+=cut
diff --git a/t/message-decode-bzipbomb.t b/t/message-decode-bzipbomb.t
@@ -0,0 +1,101 @@
+# https://rt.cpan.org/Public/Bug/Display.html?id=52572
+
+use strict;
+use warnings;
+
+use Test::More;
+plan tests => 10;
+
+use HTTP::Headers    qw( );
+use HTTP::Response   qw( );
+
+# Create a nasty bzip2 stream:
+my $size = 16 * 1024 * 1024;
+my $stream = "\0" x $size;
+
+# Compress that stream three times:
+my $compressed = $stream;
+for( 1..3 ) {
+    require IO::Compress::Bzip2;
+    my $last = $compressed;
+    IO::Compress::Bzip2::bzip2(\$last, \$compressed)
+        or die "Can't bzip2 content: $IO::Compress::Bzip2::Bzip2Error";
+    #diag sprintf "Encoded size %d bytes after round %d", length $compressed, $_;
+};
+
+my $body = $compressed;
+
+my $headers = HTTP::Headers->new(
+    Content_Type => "application/xml",
+    Content_Encoding => 'bzip2,bzip2,bzip2', # say my name three times
+);
+my $response = HTTP::Response->new(200, "OK", $headers, $body);
+
+my $len = length $response->decoded_content( raise_error => 1 );
+is($len, 16 * 1024 * 1024, "Self-test: The decoded content length is 16M as expected" );
+
+# Manual decompression check
+my $output = $compressed;
+for( 1..3 ) {
+    my $last = $output;
+    require Compress::Raw::Bzip2;
+    my ($i, $status) = Compress::Raw::Bunzip2->new(
+        1, # appendInput
+        0, # consumeInput
+        0, # small
+        1,
+    );
+    $output = "\0" x (1024*1024);
+    # Will modify $last, but we made a copy above
+    my $res = $i->bzinflate( \$last, \$output );
+};
+is length $output, 1024*1024, "We manually recreate the limited original stream";
+
+$headers = HTTP::Headers->new(
+    Content_Type => "application/xml",
+    Content_Encoding => 'bzip2,bzip2,bzip2', # say my name three times
+);
+
+$HTTP::Message::MAXIMUM_BODY_SIZE = 1024 * 1024;
+
+$response = HTTP::Response->new(200, "OK", $headers, $body);
+is $response->max_body_size, 1024*1024, "The default maximum body size holds";
+
+$response->max_body_size( 512*1024 );
+is $response->max_body_size, 512*1024, "We can change the maximum body size";
+
+my $content;
+my $lives = eval {
+    $content = $response->decoded_content( raise_error => 1 );
+    1;
+};
+my $err = $@;
+is $lives, undef, "We die when trying to decode something larger than our limit of 512k";
+
+$response->max_body_size(undef);
+is $response->max_body_size, undef, "We can remove the maximum size restriction";
+$lives = eval {
+    $content = $response->decoded_content( raise_error => 0 );
+    1;
+};
+is $lives, 1, "We don't die when trying to decode something larger than our global limit of 1M";
+is length $content, 16 * 1024*1024, "We get the full content";
+is $content, $stream, "We really get the full content";
+
+# The best usage of ->decoded_content:
+$lives = eval {
+    $content = $response->decoded_content(
+        raise_error => 1,
+        max_body_size => 512 * 1024 );
+    1;
+};
+$err = $@;
+is $lives, undef, "We die when trying to decode something larger than our limit of 512k";
+
+=head1 SEE ALSO
+
+L<https://security.stackexchange.com/questions/51071/zlib-deflate-decompression-bomb>
+
+L<http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html>
+
+=cut
diff --git a/t/message-decode-zipbomb.t b/t/message-decode-zipbomb.t
