Fix decompression bomb vulnerability via expanded size field #21

Open
Copilot wants to merge 5 commits into main from copilot/fix-decompression-bomb-vulnerability

Copilot AI commented May 5, 2026

A compressed payload small enough to pass MAX_SIZE wire-size checks could expand arbitrarily during decompression, bypassing size limits during hashing, storage, and quota enforcement.

Changes

Protocol (SPEC.md)

  • Added field 12 [expanded size] (uint32 LE, present iff zlib-deflate flag set) to message header; same field added to each attachment header
  • Added MAX_EXPANDED_SIZE implementation variable (SHOULD equal MAX_SIZE)
  • Reject code 4 now covers both MAX_SIZE and MAX_EXPANDED_SIZE
  • Specified that decompressed data MUST exactly match expanded size; mismatch → TERMINATE

Receiver (host.go)

  • readHeader: reads h.ExpandedSize from wire when FlagDeflate set; rejects (code 4) if it exceeds MaxExpandedSize
  • readAttachmentHeaders: reads att.ExpandedSize for each compressed attachment; accumulates total expanded size (uncompressed items contribute their wire size); rejects (code 4) if total exceeds MaxExpandedSize
  • New MaxExpandedSize var loaded from FMSG_MAX_EXPANDED_SIZE env (default: MaxMessageSize)

Hash validation (defs.go)

  • hashPayload now counts bytes written during decompression and returns an error if the actual decompressed size doesn't match the declared expandedSize — ensuring tampered or malformed payloads are rejected before storage

Sender (sender.go)

  • Captures original size as ExpandedSize before overwriting Size with the compressed byte count, so outgoing headers are spec-compliant

Config

  • .env.example: added FMSG_MAX_EXPANDED_SIZE=10240

Copilot AI linked an issue May 5, 2026 that may be closed by this pull request
Copilot AI changed the title from "[WIP] Fix decompression bomb vulnerability by adding expanded size support" to "Fix decompression bomb vulnerability via expanded size field" May 5, 2026
Copilot AI requested a review from markmnl May 5, 2026 12:45
Copilot finished work on behalf of markmnl May 5, 2026 12:45
@markmnl markmnl marked this pull request as ready for review May 5, 2026 12:48
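
The receiver-side rule from the description (reject a declared expanded size over the limit, then require the decompressed length to match it exactly) can be shown in a few lines of Go. This is an added example, not the code in host.go or defs.go: `inflateChecked`, `deflateZeros` and the two error values are hypothetical names, the limit is the value from `.env.example`, and it caps the read with `io.LimitReader` rather than counting written bytes as the PR's `hashPayload` is described as doing.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"errors"
	"io"
)

// Limit value copied from the PR's .env.example (FMSG_MAX_EXPANDED_SIZE).
const maxExpandedSize = 10240

var errTooLarge = errors.New("expanded size over limit (reject code 4)")
var errMismatch = errors.New("decompressed size != declared expanded size")

// inflateChecked (hypothetical name) inflates a zlib payload only when the
// declared expanded size is within the limit and the output matches it exactly.
func inflateChecked(payload []byte, declared uint32) ([]byte, error) {
	if declared > maxExpandedSize {
		return nil, errTooLarge // refused before any decompression work
	}
	zr, err := zlib.NewReader(bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	// Cap the read at declared+1: one extra byte exposes an over-long stream.
	out, err := io.ReadAll(io.LimitReader(zr, int64(declared)+1))
	if err != nil {
		return nil, err
	}
	if len(out) != int(declared) {
		return nil, errMismatch
	}
	return out, nil
}

// deflateZeros builds a constructed sample payload of n zero bytes.
func deflateZeros(n int) []byte {
	var buf bytes.Buffer
	zw := zlib.NewWriter(&buf)
	zw.Write(make([]byte, n))
	zw.Close()
	return buf.Bytes()
}

func main() {
	_, err := inflateChecked(deflateZeros(1<<20), 4096) // header understates size
	println(err.Error())
}
```

Because the read stops one byte past the declared size, a payload whose header understates its expansion is rejected after at most `declared+1` bytes of output, never after the full expansion.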