Deflate decompression doesn't fail for truncated input #175

vojtarylko · 2022-09-14T11:57:20Z

I tried to extend HTTPRequestDecompressorTest with this test case:

    func testDecompressionTruncatedInput() throws {
        // Truncated compressed data
        let compressed = ByteBuffer(bytes: [120, 156, 99, 0])

        let channel = EmbeddedChannel()
        try channel.pipeline.addHandler(NIOHTTPRequestDecompressor(limit: .none)).wait()
        let headers = HTTPHeaders([("Content-Encoding", "deflate"), ("Content-Length", "\(compressed.readableBytes)")])
        try channel.writeInbound(HTTPServerRequestPart.head(.init(version: .init(major: 1, minor: 1), method: .POST, uri: "https://nio.swift.org/test", headers: headers)))

        do {
            try channel.writeInbound(HTTPServerRequestPart.body(compressed))
            XCTFail("writeInbound should fail")
        } catch let error as NIOHTTPDecompression.DecompressionError {
            switch error {
            case .inflationError(Int(Z_BUF_ERROR)):
                // ok
                break
            default:
                XCTFail("Unexptected error: \(error)")
            }
        }
    }

As you can see I'm sending truncated invalid compressed data. I'd expect to get DecompressionError.inflationError(-5). Instead decompression succeeds.

(I guess root cause is in z_stream_s.inflatePart(to:minimumCapacity:) which always calls inflate with Z_NO_FLUSH parameter.)

Is the problem in my test case, or in the NIO code?

The text was updated successfully, but these errors were encountered:

Lukasa · 2022-09-14T14:08:25Z

NIOHTTPRequestDecompressor does not assume the message is finished until it receives a HTTPServerRequestPart.end. In this instance I suspect we should see an error if we also send .end, but looking at the code I wonder if we're discarding the error result from dropping the decoder. It may be worth adding a send of .end after the send of .body, and then checking to see if there's an error reported here that we're losing:

swift-nio-extras/Sources/NIOHTTPCompression/HTTPDecompression.swift

Line 114 in 5334d94

inflateEnd(&self.stream)

vojtarylko · 2022-09-14T14:55:24Z

The inflateEnd(&self.stream) returns just Z_OK when I add try channel.writeInbound(HTTPServerRequestPart.end(nil)) into test.

@vojtarylko

Motivation Currently we don't confirm that the decompression has completed successfully. This means that we can incorrectly spin forever attempting to decompress past the end of a message, and that we can fail to notice that a message is truncated. Neither of these is good. Modifications Propagate the message zlib gives us as to whether or not decompression is done, and keep track of it. Add some tests written by @vojtarylko to validate the behaviour. Result Correctly police the bounds of the messages. Resolves apple#175 and apple#176.

@vojtarylko

Motivation Currently we don't confirm that the decompression has completed successfully. This means that we can incorrectly spin forever attempting to decompress past the end of a message, and that we can fail to notice that a message is truncated. Neither of these is good. Modifications Propagate the message zlib gives us as to whether or not decompression is done, and keep track of it. Add some tests written by @vojtarylko to validate the behaviour. Result Correctly police the bounds of the messages. Resolves apple#175 and apple#176.

Lukasa · 2022-09-15T17:29:02Z

Good catch, resolved by #177.

@vojtarylko

Motivation Currently we don't confirm that the decompression has completed successfully. This means that we can incorrectly spin forever attempting to decompress past the end of a message, and that we can fail to notice that a message is truncated. Neither of these is good. Modifications Propagate the message zlib gives us as to whether or not decompression is done, and keep track of it. Add some tests written by @vojtarylko to validate the behaviour. Result Correctly police the bounds of the messages. Resolves #175 and #176.

@vojtarylko

Motivation Currently we don't confirm that the decompression has completed successfully. This means that we can incorrectly spin forever attempting to decompress past the end of a message, and that we can fail to notice that a message is truncated. Neither of these is good. Modifications Propagate the message zlib gives us as to whether or not decompression is done, and keep track of it. Add some tests written by @vojtarylko to validate the behaviour. Result Correctly police the bounds of the messages. Resolves apple#175 and apple#176. (cherry picked from commit 6c84d24)

@vojtarylko

Motivation Currently we don't confirm that the decompression has completed successfully. This means that we can incorrectly spin forever attempting to decompress past the end of a message, and that we can fail to notice that a message is truncated. Neither of these is good. Modifications Propagate the message zlib gives us as to whether or not decompression is done, and keep track of it. Add some tests written by @vojtarylko to validate the behaviour. Result Correctly police the bounds of the messages. Resolves apple#175 and apple#176. (cherry picked from commit 6c84d24)

Lukasa mentioned this issue Sep 15, 2022

Correctly validate the bounds of decompression #177

Merged

Lukasa closed this as completed in #177 Sep 16, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Deflate decompression doesn't fail for truncated input #175

Deflate decompression doesn't fail for truncated input #175

vojtarylko commented Sep 14, 2022

Lukasa commented Sep 14, 2022

vojtarylko commented Sep 14, 2022

Lukasa commented Sep 15, 2022

Deflate decompression doesn't fail for truncated input #175

Deflate decompression doesn't fail for truncated input #175

Comments

vojtarylko commented Sep 14, 2022

Lukasa commented Sep 14, 2022

vojtarylko commented Sep 14, 2022

Lukasa commented Sep 15, 2022