Defang zip bombs and add storage consumption handling
karlmutch opened this issue · comments
As a user
I want to have storage limits enforced on staged artifacts
In order that zip bombs are disabled and storage is constrained within requested limits
Affected areas are
> internal/runner/localstorage.go:146
╷
146│ _, errGo = io.Copy(file, tarReader)
╵
= Detected a possible denial-of-service via a zip bomb attack. By limiting
the max bytes read, you can mitigate this attack. io.CopyN() can
specify a size. Refer to https://bomb.codes/ to learn more about this
attack and other ways to mitigate it.
go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb
> internal/s3/s3.go:454
╷
454│ _, errGo = io.Copy(file, tarReader)
╵
= Detected a possible denial-of-service via a zip bomb attack. By limiting
the max bytes read, you can mitigate this attack. io.CopyN() can
specify a size. Refer to https://bomb.codes/ to learn more about this
attack and other ways to mitigate it.
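
One way to bound the flagged `io.Copy(file, tarReader)` calls against a storage limit, as an added example that is not the project's own code. It uses `io.LimitReader` plus a one-byte probe instead of the `io.CopyN()` the scanner suggests, so hitting the limit is reported as a distinct error; `extractBounded`, its `open` callback, `makeTar` and `ErrBudgetExceeded` are hypothetical names, the archive is constructed in memory, and entry-type and path checks are left out.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

var ErrBudgetExceeded = errors.New("artifact exceeds storage budget")

// extractBounded copies each entry to open(name), writing at most budget bytes in total.
func extractBounded(r io.Reader, budget int64, open func(name string) io.Writer) (int64, error) {
	tr := tar.NewReader(r)
	var written int64
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		// Bounded replacement for io.Copy(file, tarReader).
		n, err := io.Copy(open(hdr.Name), io.LimitReader(tr, budget-written))
		written += n
		if err != nil {
			return written, err
		}
		// Bytes still unread in this entry mean the budget ran out mid-file.
		if m, _ := tr.Read(make([]byte, 1)); m > 0 {
			return written, ErrBudgetExceeded
		}
	}
}

// makeTar builds a constructed in-memory archive holding one file of size bytes.
func makeTar(name string, size int) *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	tw.WriteHeader(&tar.Header{Name: name, Mode: 0o600, Size: int64(size)})
	tw.Write(make([]byte, size))
	tw.Close()
	return buf
}

func main() {
	fmt.Println(extractBounded(makeTar("blob.bin", 1<<20), 64<<10, func(string) io.Writer { return io.Discard }))
}
```

The budget is shared across all entries of one archive, so many small files are limited the same way as one large file.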