Skip to content

Add decompress ratio check#52

Merged
elecharny merged 1 commit into
apache:2.2.Xfrom
ppkarwasz:feat/decompression-ratio
May 22, 2026
Merged

Add decompress ratio check#52
elecharny merged 1 commit into
apache:2.2.Xfrom
ppkarwasz:feat/decompression-ratio

Conversation

@ppkarwasz
Copy link
Copy Markdown
Member

@ppkarwasz ppkarwasz commented May 20, 2026

Adds two configuration knobs to CompressionFilter to control the maximum decompression ratio of deflate streams:

  • maxDecompressRatio (default 100): the maximum decompression ratio accepted by the filter. The ratio is computed cumulatively over the total bytes read and written, so an individual highly-compressed chunk does not on its own trip the check.
  • decompressRatioMinSize (default 1 MiB): a grace size below which the ratio check is skipped, avoiding false positives on small payloads where the initial chunks are highly-compressed.

Given the growing number of CompressionFilter constructor parameters, it may be worth introducing a builder pattern, if the project agrees.

@ppkarwasz
Add decompress ratio check
90cd035 
Adds two configuration knobs to `CompressionFilter` to control the maximum decompression ratio of deflate streams:

- `maxDecompressRatio` (default 100): the maximum decompression ratio accepted by the filter. The ratio is computed cumulatively over the total bytes read and written, so an individual highly-compressed chunk does not on its own trip the check.
- `decompressRatioMinSize` (default 1 MiB): a grace size below which the ratio check is skipped, avoiding false positives on small payloads where the initial chunks are highly-compressed.

Given the growing number of `CompressionFilter` constructor parameters, it may be worth introducing a builder pattern, if the project agrees.
@ppkarwasz
Copy link
Copy Markdown
Member Author

ppkarwasz commented May 20, 2026

These knobs are loosely based on other deflators like mod_deflate, which applies similar limits:

  • DeflateInflateRatioLimit (analogous to maxDecompressRatio) defaults to 200.
  • Rather than a grace size, mod_deflate only rejects a stream once the cumulative ratio stays above the limit for DeflateInflateRatioBurst + 1 (default 4) consecutive output buffers. With the default 8 KiB buffer, that corresponds to roughly 32 KiB of decompressed output, well below our 1 MiB decompressRatioMinSize.

@elecharny elecharny merged commit db05969 into apache:2.2.X May 22, 2026
@elecharny
Copy link
Copy Markdown
Contributor

elecharny commented May 22, 2026

Hi Piotr,

sounds good.

And +1 for the builder pattern.

Thanks for the PR!

@ppkarwasz ppkarwasz deleted the feat/decompression-ratio branch May 22, 2026 08:52
@elecharny
Copy link
Copy Markdown
Contributor

elecharny commented May 22, 2026

Hi @ppkarwasz,

I have pushed the fluent API for the CompressionFilter class (94832ef), easing the injection of some of the parameters. Two things:

  • I haven't changed the Zlib class because nobody is supposed to instanciate it but the Filter
  • I have changed two of the parameters to make them non-final in order to be able to create setters for them.

Just let me know if that seems correct from your side. I will backport it to 2.1.X and 2.0.X.

Thanks!

@elecharny
Copy link
Copy Markdown
Contributor

elecharny commented May 23, 2026

Correction: the commit is f207407

@ppkarwasz
Copy link
Copy Markdown
Member Author

ppkarwasz commented May 23, 2026

LGTM, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ppkarwasz @elecharny