Add a limit to the size of the metadata and checksums files in a gem package. #7568
Commits on Apr 28, 2024
-
Add a limit to the size of the metadata and checksums files in a gem …
…package. This is to prevent a malicious gem from causing a denial of service by including a very large metadata or checksums file, which is then read into memory in its entirety just by opening the gem package. This is guaranteed to limit the amount of memory needed, since gzips (which use deflate streams for compression) have a maximum compression ratio of 1032:1, so the uncompressed size of the metadata or checksums file will be at most 1032 times the size of the (limited) amount of data read. This prevents a gem from causing 500GB of memory to be allocated to read a 500MB metadata file.
-
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.