Add a limit to the size of the metadata and checksums files in a gem package. #7568
+11
−4
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
indirect
approved these changes
Apr 11, 2024
martinemde
approved these changes
Apr 11, 2024
lib/rubygems/package.rb
Outdated
| @@ -528,12 +528,13 @@ def normalize_path(pathname) | |||
| # Loads a Gem::Specification from the TarEntry +entry+ | |||
|
|
|||
| def load_spec(entry) # :nodoc: | |||
| limit = 10*1024*1024 | |||
There was a problem hiding this comment.
Could become a constant, like MAX_METADATA_BYTES.
segiddins
force-pushed
the
segiddins/add-a-limit-to-the-size-of-the-metadata-and-checksums-files-in-a-gem-package
branch
from
753d6ac
to
de55c0a
Compare
…package. This is to prevent a malicious gem from causing a denial of service by including a very large metadata or checksums file, which is then read into memory in its entirety just by opening the gem package. This is guaranteed to limit the amount of memory needed, since gzips (which use deflate streams for compression) have a maximum compression ratio of 1032:1, so the uncompressed size of the metadata or checksums file will be at most 1032 times the size of the (limited) amount of data read. This prevents a gem from causing 500GB of memory to be allocated to read a 500MB metadata file.
segiddins
force-pushed
the
segiddins/add-a-limit-to-the-size-of-the-metadata-and-checksums-files-in-a-gem-package
branch
from
de55c0a
to
a596e3c
Compare
segiddins
commented
Apr 28, 2024
deivid-rodriguez
approved these changes
Apr 29, 2024
|
Merging since this has had three approvals already. We can extract the constant later. |
deivid-rodriguez
deleted the
segiddins/add-a-limit-to-the-size-of-the-metadata-and-checksums-files-in-a-gem-package
branch
deivid-rodriguez
added a commit
that referenced
this pull request
Apr 30, 2024
…ize-of-the-metadata-and-checksums-files-in-a-gem-package Add a limit to the size of the metadata and checksums files in a gem package. (cherry picked from commit 4842ad9)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is to prevent a malicious gem from causing a denial of service by
including a very large metadata or checksums file,
which is then read into memory in its entirety just by opening the gem package.
This is guaranteed to limit the amount of memory needed, since
gzips (which use deflate streams for compression) have a maximum compression
ratio of 1032:1, so the uncompressed size of the metadata or checksums file
will be at most 1032 times the size of the (limited) amount of data read.
This prevents a gem from causing 500GB of memory to be allocated
to read a 500MB metadata file.