Use of a Broken or Risky Cryptographic Algorithm

Rule ID: go_gosec_filesystem_decompression_bomb
Languages: go
Source: decompression_bomb.yml

Description

Decompression bombs are a form of attack against an application or service that processes compressed files. The attacker crafts a compressed file that is small in size, but when decompressed, expands to a much larger size that is disproportionate to the original. This can exhaust system resources like CPU, memory, or disk space, leading to a Denial of Service (DoS).

Remediations

Implement measures to mitigate the impact of decompression bombs:

✅ Limit Decompression Size

Use io.LimitReader to restrict the amount of data that a reader will decompress. This prevents the decompression of large files that could fill up memory or disk space.

✅ Monitor Resource Usage

Implement resource monitoring to watch for unexpected spikes in CPU, memory, or disk usage, which could indicate an attempted decompression bomb attack.

✅ Input Validation

Validate the size and type of the input before decompressing. If possible, reject files that do not meet expected criteria.

✅ Fail Safely

Ensure that your application can handle errors from the decompression process safely, without crashing or becoming unresponsive.

✅ Regular Updates

Keep compression libraries up to date with the latest security patches to protect against known vulnerabilities.

✅ User Education

Educate users about the risks of decompression bombs if they are able to upload compressed files.

import (
  "compress/gzip"
  "io"
  "log"
  "os"
)

func main() {
  // Open the gzip file
  f, err := os.Open("example.gz")
  if err != nil {
    log.Fatal(err)
  }
  defer f.Close()

  // Create a gzip reader on the file
  r, err := gzip.NewReader(f)
  if err != nil {
    log.Fatal(err)
  }
  defer r.Close()

  // Define a limit for decompression
  const maxDecompressSize = 10 * 1024 * 1024 // 10 MB

  // Limit the size of the reader
  limitedReader := io.LimitReader(r, maxDecompressSize)

  // Use the limited reader to decompress, preventing the decompression bomb from expanding fully
  if _, err := io.Copy(os.Stdout, limitedReader); err != nil {
    log.Fatal(err)
  }
}

Associated CWE

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

OWASP Top 10

A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_filesystem_decompression_bomb

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_filesystem_decompression_bomb

Ready to take the next step? Learn more about Bearer Cloud.