Limit token size to 250 KB #345
Conversation
|
Bump on this |
| @@ -76,6 +76,11 @@ def decrypt(jwe_str, key): | |||
| >>> jwe.decrypt(jwe_string, 'asecret128bitkey') | |||
| 'Hello, World!' | |||
| """ | |||
|
|
|||
| # limit the token size to 250 KB | |||
There was a problem hiding this comment.
| # limit the token size to 250 KB | |
| # limit the token size to 250 KB - when this token is processed by the server, it results in significant memory allocation and processing time during decompression. |
https://build.opensuse.org/request/show/1172135 by user dgarcia + anag+factory - Add upstream patches: * CVE-2024-33663.patch, bsc#1223417, gh#mpdavis/python-jose#349 * CVE-2024-33664.patch, bsc#1223422, gh#mpdavis/python-jose#345 * fix-tests-ecdsa-019.patch, gh#mpdavis/python-jose#350
|
Unfortunately the proposed fix just checks that the incoming uncompressed data is no more than than 250KB. I don't know what the maximum size a maliciously crafted 250KB token could expand to, but I imagine it could be significant. Some basic tests suggest that a 250KB token can expand to about 250MB. In addition to sensibly checking the size of the compressed token, I would suggest changing the |
|
@princekhunt see above ☝️ |
|
I've already opened a pull request for a more robust fix. See #352 |
|
👌 |
|
This appears duplicative to #352 - I will close this in favor of the other PR. |
No description provided.