Skip to content

internal/format: bound header size during Parse#699

Closed
sweis wants to merge 1 commit intoFiloSottile:mainfrom
sweis:claude/add-header-size-limit-HXoHp
Closed

internal/format: bound header size during Parse#699
sweis wants to merge 1 commit intoFiloSottile:mainfrom
sweis:claude/add-header-size-limit-HXoHp

Conversation

@sweis
Copy link
Copy Markdown
Contributor

@sweis sweis commented Mar 12, 2026

format.Parse accumulates stanza bodies with no cap on total header bytes, so
a crafted header can exhaust memory in an automated age.Decrypt caller before
any MAC is checked.

Fix: wrap the input in a counting reader that errors at 16 MiB. The payload
reader is reconstituted from bufio's overread prepended to the original input
as before; the rr == input short-circuit is removed since the wrapper makes
it unreachable.

Test: go test ./internal/format/ -run TestParseHeaderSizeLimit -v
(feeds an infinite-stanza-body reader; pre-fix this would read forever.)

@sweis sweis closed this Mar 19, 2026
@sweis sweis reopened this Mar 19, 2026
@FiloSottile FiloSottile mentioned this pull request Mar 20, 2026
Open
@FiloSottile
Copy link
Copy Markdown
Owner

FiloSottile commented Mar 20, 2026

Opened #701 to discuss this. Feel free to close the PR for now.

@sweis sweis closed this Mar 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sweis @FiloSottile @claude