Missing configuration against decompression bomb

Description

Decompression bombs pose a risk by exploiting applications that process compressed files. These attacks involve a compressed file that is small in size but expands to a significantly larger size when decompressed. This can overwhelm system resources such as CPU, memory, or disk space, causing a Denial of Service (DoS).

Remediations

  • Do limit the decompression size. Wrap the decompressing reader in io.LimitReader, for example, to cap how many decompressed bytes your code will ever read. This prevents an input that inflates to a huge size from filling up memory or disk space.
    const maxDecompressSize = 10 * 1024 * 1024 // 10 MB
    // r is the decompressing reader (e.g. a *gzip.Reader); reads stop after maxDecompressSize bytes
    limitedReader := io.LimitReader(r, maxDecompressSize)
  • Do monitor resource usage to detect unexpected increases in CPU, memory, or disk usage, which may indicate an attack.
  • Do validate the size and type of input files before decompression. Reject files that do not meet predefined criteria to avoid processing potentially harmful data.
  • Do ensure your application fails safely. It should handle decompression errors without crashing or becoming unresponsive.
  • Do regularly update your compression libraries to incorporate the latest security patches and protect against known vulnerabilities.
  • Do educate users about the risks associated with decompression bombs, especially if they have the ability to upload compressed files.
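The following is an added example, not part of the Bearer rule text, showing how the io.LimitReader approach above turns a decompression bomb into a detectable error rather than a silent truncation: the limit is set to one byte more than the allowed size, so exceeding it can be distinguished from a payload that exactly fits. The helper names, the constructed gzip payload and the 64 KiB cap are assumptions of this example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressLimit is returned when the decompressed output would exceed the cap.
var ErrDecompressLimit = errors.New("decompressed data exceeds configured limit")

// DecompressGzipLimited inflates a gzip stream but refuses to produce more than
// maxBytes of output. It reads through io.LimitReader with a budget of maxBytes+1
// so that an oversized payload is detected instead of silently truncated.
func DecompressGzipLimited(compressed []byte, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err // malformed header: fail safely, nothing is inflated
	}
	defer zr.Close()

	limited := io.LimitReader(zr, maxBytes+1)
	out, err := io.ReadAll(limited)
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxBytes {
		return nil, ErrDecompressLimit
	}
	return out, nil
}

// gzipBytes builds a constructed gzip payload for the demonstration below.
func gzipBytes(plain []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(plain)
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Constructed sample: 1 MiB of zeros compresses to about 1 KiB, a mild "bomb".
	bomb := gzipBytes(make([]byte, 1<<20))
	_, err := DecompressGzipLimited(bomb, 64*1024) // cap at 64 KiB
	fmt.Println("64 KiB cap:", err) // decompressed data exceeds configured limit
	out, err := DecompressGzipLimited(bomb, 2<<20) // cap at 2 MiB
	fmt.Println("2 MiB cap:", len(out), err) // 1048576 <nil>
}
```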

Associated CWE

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_gosec_filesystem_decompression_bomb

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_gosec_filesystem_decompression_bomb