fix: add a maxOutputLength option to zlib inflate
panva committed Mar 7, 2024
1 parent 9ca2b24 commit 1b91d88
Showing 4 changed files with 121 additions and 1 deletion.
82 changes: 82 additions & 0 deletions docs/classes/util_errors.JWEDecompressionFailed.md
@@ -0,0 +1,82 @@
# Class: JWEDecompressionFailed

## [💗 Help the project](https://github.com/sponsors/panva)

Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).

---

An error subclass thrown when a JWE ciphertext decompression fails.

**`Example`**

Checking thrown error is this one using a stable error code

```js
if (err.code === 'ERR_JWE_DECOMPRESSION_FAILED') {
// ...
}
```

**`Example`**

Checking thrown error is this one using `instanceof`

```js
if (err instanceof jose.errors.JWEDecompressionFailed) {
// ...
}
```

## Table of contents

### Constructors

- [constructor](util_errors.JWEDecompressionFailed.md#constructor)

### Properties

- [code](util_errors.JWEDecompressionFailed.md#code)
- [message](util_errors.JWEDecompressionFailed.md#message)

### Accessors

- [code](util_errors.JWEDecompressionFailed.md#code-1)

## Constructors

### constructor

**new JWEDecompressionFailed**(`message?`)

#### Parameters

| Name | Type |
| :------ | :------ |
| `message?` | `string` |

## Properties

### code

**code**: `string` = `'ERR_JWE_DECOMPRESSION_FAILED'`

A unique error code for the particular error subclass.

___

### message

**message**: `string` = `'decompression operation failed'`

## Accessors

### code

`Static` `get` **code**(): ``"ERR_JWE_DECOMPRESSION_FAILED"``

A unique error code for the particular error subclass.

#### Returns

``"ERR_JWE_DECOMPRESSION_FAILED"``
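
Review bot: The class description "An error subclass thrown when a JWE ciphertext decompression fails." does not say when a caller should expect it. In this commit the case that produces it is an inflated plaintext larger than the 250_000 cap set in src/runtime/node/zlib.ts, so the description should name that limit. It should also note that a caller-supplied `inflateRaw` surfaces its own error instead (the test expects `ERR_BUFFER_TOO_LARGE` there); otherwise a handler that checks only `ERR_JWE_DECOMPRESSION_FAILED` will miss that path.
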
1 change: 1 addition & 0 deletions docs/modules/util_errors.md
Expand Up @@ -13,6 +13,7 @@ Support from the community to continue maintaining and improving this module is
- [JOSEAlgNotAllowed](../classes/util_errors.JOSEAlgNotAllowed.md)
- [JOSEError](../classes/util_errors.JOSEError.md)
- [JOSENotSupported](../classes/util_errors.JOSENotSupported.md)
- [JWEDecompressionFailed](../classes/util_errors.JWEDecompressionFailed.md)
- [JWEDecryptionFailed](../classes/util_errors.JWEDecryptionFailed.md)
- [JWEInvalid](../classes/util_errors.JWEInvalid.md)
- [JWKInvalid](../classes/util_errors.JWKInvalid.md)
3 changes: 2 additions & 1 deletion src/runtime/node/zlib.ts
Expand Up @@ -6,5 +6,6 @@ import type { InflateFunction, DeflateFunction } from '../../types.d'
const inflateRaw = promisify(inflateRawCb)
const deflateRaw = promisify(deflateRawCb)

export const inflate: InflateFunction = (input: Uint8Array) => inflateRaw(input)
export const inflate: InflateFunction = (input: Uint8Array) =>
inflateRaw(input, { maxOutputLength: 250_000 })
export const deflate: DeflateFunction = (input: Uint8Array) => deflateRaw(input)
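
Review bot: `maxOutputLength: 250_000` in the new `inflate` is a bare literal with no name or comment, and nothing in this hunk lets a caller adjust it even though the commit title calls it an option. Suggest lifting the value into a named constant with a comment stating that it bounds the inflated size of a `zip: 'DEF'` JWE, so the docs and the test can refer to it instead of repeating 250000. As the test shows, the only way to use a different limit is to pass a custom `inflateRaw`, and that should be stated next to the constant.
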
36 changes: 36 additions & 0 deletions test/jwe/flattened.decrypt.test.mjs
@@ -1,5 +1,7 @@
import test from 'ava'
import * as crypto from 'crypto'
import { promisify } from 'node:util'
import { inflateRaw as inflateRawCb } from 'node:zlib'

const { FlattenedEncrypt, flattenedDecrypt } = await import('#dist')

Expand Down Expand Up @@ -228,3 +230,37 @@ test('decrypt PBES2 p2c limit', async (t) => {
code: 'ERR_JWE_INVALID',
})
})

test('decrypt inflate output length limit', async (t) => {
{
const jwe = await new FlattenedEncrypt(new Uint8Array(250000))
.setProtectedHeader({ alg: 'dir', enc: 'A128CBC-HS256', zip: 'DEF' })
.encrypt(new Uint8Array(32))

await flattenedDecrypt(jwe, new Uint8Array(32))
}

{
const jwe = await new FlattenedEncrypt(new Uint8Array(250000 + 1))
.setProtectedHeader({ alg: 'dir', enc: 'A128CBC-HS256', zip: 'DEF' })
.encrypt(new Uint8Array(32))

await t.throwsAsync(flattenedDecrypt(jwe, new Uint8Array(32)), {
message: 'decompression operation failed',
code: 'ERR_JWE_DECOMPRESSION_FAILED',
})
}

{
const jwe = await new FlattenedEncrypt(new Uint8Array(1000 + 1))
.setProtectedHeader({ alg: 'dir', enc: 'A128CBC-HS256', zip: 'DEF' })
.encrypt(new Uint8Array(32))

const inflateRawPromise = promisify(inflateRawCb)
const inflateRaw = async (buffer) => inflateRawPromise(buffer, { maxOutputLength: 1000 })

await t.throwsAsync(flattenedDecrypt(jwe, new Uint8Array(32), { inflateRaw }), {
code: 'ERR_BUFFER_TOO_LARGE',
})
}
})
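
Review bot: The first block, the 250000 boundary case, has no assertion and passes only because `flattenedDecrypt` does not reject. Wrap it in `t.notThrowsAsync(...)` or assert on the length of the decrypted plaintext so the intent is explicit and an off-by-one in the limit fails with a clear message. The literals 250000 and 250000 + 1 also duplicate the value in src/runtime/node/zlib.ts, and the third block pins `ERR_BUFFER_TOO_LARGE` for a custom `inflateRaw`, a different code from the built-in path; a short comment saying that difference is intended would help the next reader.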
