Potential DoS vulnerability via decompression bomb

[philipjonsen]

DESCRIPTION

A maliciously crafted archive may produce a large amount of data on decompression that may lead to a denial-of-service (DoS) attack on the application.

It is recommended to use io.CopyN instead of io.Copy and io.CopyBuffer to control the number of bytes copied from the decompression reader.

BAD PRACTICE

package main

import (
"bytes"
"compress/zlib"
"io"
"os"
)

func foo(b io.Reader) {
r, err := zlib.NewReader(b)
if err != nil {
panic(err)
}

_, err = io.Copy(os.Stdout, r)
if err != nil {
    panic(err)
}

r.Close()

}

RECOMMENDED:

package main

import (
"bytes"
"compress/zlib"
"io"
"os"
)

func foo(b io.Reader) {
r, err := zlib.NewReader(b)
if err != nil {
panic(err)
}

_, err = io.CopyN(os.Stdout, r, 1024) // "n" may change depending on the application
if err != nil {
    panic(err)
}

r.Close()

}
REFERENCES
CWE-409

Problematic code: /hive/blob/master/internal/libdocker/builder.go#L213-L213