Ws: Is there any zip-bomb thing risk while using permessage-deflate?

Created on 29 Mar 2020 · 5 Comments · Source: websockets/ws

No, the size is checked after every chunk returned by the deflate stream and if the threshold is exceeded the deflate stream and the connection are closed.

@lpinca Hi, there are two further questions:

  1. Won't each deflate stream chunk bomb inside zlib?
  2. In the docs, threshold means the minimum size to compress; do you mean maxPayload instead?

  1. No, but please try yourself.
  2. Yes, I mean maxPayload.

@lpinca Thank you!

I see. So the maxPayload option is a limit on the data after decompression, not on the original data; I think it would be good to write that in the docs (maybe there could be an option for an original-data limit? I'm not sure).

The maxPayload limit is checked multiple times:

  1. It is checked at the WebSocket frame level using the payload length info (original data).
  2. It is checked for fragmented messages after every fragment, ensuring that the sum of the payload lengths of all fragments is smaller than maxPayload.
  3. It is checked after every compressed chunk.