Prevent decompression bomb

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: go-security/decompression-bomb

Language: Go

Severity: Warning

Category: Security

CWE: 409

Description

Reading continuously from a compressed file without any limit of bytes may read too much data and lead to a denial of service (DoS). Prefer reading data by chunks of bytes.

Learn More

Non-Compliant Code Examples

package main

import (
	"bytes"
	"compress/bzip2"
	"io"
	"os"
)

func main() {
	buff := []byte{42, 51}
	b := bytes.NewReader(buff)

	r, err := zlib.NewReader(b)
	if err != nil {
		panic(err)
	}
	_, err = io.CopyBuffer(os.Stdout, r)
	if err != nil {
		panic(err)
	}

	r.Close()
}

package main

import (
	"bytes"
	"compress/zlib"
	"io"
	"os"
)

func main() {
	buff := []byte{42, 51}
	b := bytes.NewReader(buff)

	r, err := zlib.NewReader(b)
	if err != nil {
		panic(err)
	}
	_, err = io.Copy(os.Stdout, r)
	if err != nil {
		panic(err)
	}

	r.Close()
}

Compliant Code Examples

package main

import (
	"bytes"
	"compress/bzip2"
	"io"
	"os"
)

func main() {
	buff := []byte{42, 51}
	b := bytes.NewReader(buff)

	r, err := zlib.NewReader(b)
	if err != nil {
		panic(err)
	}
	_, err = io.CopyN(os.Stdout, r, 64)
	if err != nil {
		panic(err)
	}

	r.Close()
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

Datadog Code Analysis