Skip to content

Limit token size to 250 KB#345

Closed
princekhunt wants to merge 1 commit intompdavis:masterfrom
princekhunt:master
Closed

Limit token size to 250 KB#345
princekhunt wants to merge 1 commit intompdavis:masterfrom
princekhunt:master

Conversation

@princekhunt
Copy link

@princekhunt princekhunt commented Mar 31, 2024

No description provided.

@princekhunt princekhunt mentioned this pull request Mar 31, 2024
Open
@smittysmee
Copy link

smittysmee commented Apr 29, 2024

Bump on this

smittysmee
smittysmee reviewed May 2, 2024
View reviewed changes
jose/jwe.py
'Hello, World!'
"""

# limit the token size to 250 KB
Copy link

@smittysmee smittysmee May 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# limit the token size to 250 KB
# limit the token size to 250 KB - when this token is processed by the server, it results in significant memory allocation and processing time during decompression.

bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request May 6, 2024
@bmwiedemann
Update python-python-jose to version 3.3.0 / rev 7 via SR 1172135
fb0ad57 
https://build.opensuse.org/request/show/1172135
by user dgarcia + anag+factory
- Add upstream patches:
   * CVE-2024-33663.patch, bsc#1223417, gh#mpdavis/python-jose#349
   * CVE-2024-33664.patch, bsc#1223422, gh#mpdavis/python-jose#345
   * fix-tests-ecdsa-019.patch, gh#mpdavis/python-jose#350
@alistairwatts
Copy link
Contributor

alistairwatts commented May 7, 2024

Unfortunately the proposed fix just checks that the incoming uncompressed data is no more than than 250KB. I don't know what the maximum size a maliciously crafted 250KB token could expand to, but I imagine it could be significant. Some basic tests suggest that a 250KB token can expand to about 250MB.

In addition to sensibly checking the size of the compressed token, I would suggest changing the decompress function in jwe.py to use the decompress method on an instance of zlib.Decompress. The decompress method accepts a max_length which can limit the size of the decompressed data.

@smittysmee
Copy link

smittysmee commented May 21, 2024

@princekhunt see above ☝️

@alistairwatts
Copy link
Contributor

alistairwatts commented May 21, 2024

I've already opened a pull request for a more robust fix. See #352

@smittysmee
Copy link

smittysmee commented May 21, 2024

👌

@twwildey
Copy link
Collaborator

twwildey commented May 30, 2024

This appears duplicative to #352 - I will close this in favor of the other PR.

@twwildey twwildey closed this May 30, 2024
This was referenced Jan 21, 2026
Merged
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@smittysmee smittysmee smittysmee left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@princekhunt @smittysmee @alistairwatts @twwildey