Trifecta allows zlib (gzip) and Brotli (br) compression/decompression of requests and responses when, at build time, it is detected that the libraries to do this are present on the system.
However, in this case, this feature makes Trifecta vulnerable to a "zip bomb" attack, where a crafted highly compressed file is uploaded, and the app is tricked into trying to uncompress it in memory.
Taking the file from here and bunzipping it, we have a 1.3MB Brotli file that uncompresses to 100GB of data. When we send this file, the app will attempt to allocate the entire 100GB worth of memory. My machine is not that large, so this triggers the OOM killer, which then (luckily) kills the Trifecta process.
To demonstrate:
% ~/Code/trifecta › ./buildDir/trifecta
Database is in trifecta.sqlite, canonical URL is http://127.0.0.1:3456/
Admin users: admin
Will listen on http://127.0.0.1:3456
zsh: killed ./buildDir/trifecta
[ 2961.933094] Out of memory: Killed process 6865 (trifecta) total-vm:6445152kB, anon-rss:2927824kB, file-rss:1920kB, shmem-rss:0kB, UID:1000 pgtables:5848kB oom_score_adj:0
As a mitigation, trifecta should ensure that the following macros are never defined when httplib.h is included:
CPPHTTPLIB_ZLIB_SUPPORT
CPPHTTPLIB_BROTLI_SUPPORT
In the example above, the request goes through nginx, but the behavior is the same regardless of whether Trifecta is fronted by nginx or not.
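As an added illustration (not Trifecta's or cpp-httplib's code), the following Python sketch shows why the compression ratio matters and what a bounded decompressor would have to do if request decompression were kept rather than compiled out: a constructed gzip body of a few KiB that inflates to 8 MiB, a cheap ISIZE-trailer gate, and a streaming inflate that aborts once the output passes a budget. gzip stands in for Brotli so the example runs with the standard library only; the output limit, the forged trailer and the function names are assumptions.

```python
import gzip
import struct
import zlib

# Constructed stand-in for the Brotli bomb in the report: 8 MiB of zeros gzips down to
# a few KiB, so inflating it naively allocates ~1000x the bytes that arrived on the wire.
UNCOMPRESSED_SIZE = 8 * 1024 * 1024
BOMB = gzip.compress(b"\0" * UNCOMPRESSED_SIZE, compresslevel=9)
# Same bomb with a forged ISIZE trailer: a header/trailer gate alone would let it through.
LYING_BOMB = BOMB[:-4] + struct.pack("<I", 100)
SMALL_BODY = gzip.compress(b"hello world")  # an ordinary, legitimate compressed body

class DecompressionLimitExceeded(Exception):
    """Raised when inflating a body would exceed the configured output budget."""

def gzip_declared_size(body: bytes) -> int:
    """Uncompressed length claimed by the gzip ISIZE trailer (mod 2**32); attacker-controlled."""
    if len(body) < 18:  # 10-byte header + 8-byte trailer minimum
        raise ValueError("not a gzip member")
    return struct.unpack("<I", body[-4:])[0]

def bounded_inflate(body: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip body, aborting as soon as the output exceeds max_out bytes."""
    d = zlib.decompressobj(zlib.MAX_WBITS | 16)  # 16: expect a gzip wrapper
    out = bytearray()
    pending = body
    while pending and not d.eof:
        # max_length caps the bytes produced per step, so memory grows by at most
        # `chunk` between checks; input not yet processed waits in unconsumed_tail.
        out += d.decompress(pending, chunk)
        if len(out) > max_out:
            consumed = len(body) - len(d.unconsumed_tail)
            raise DecompressionLimitExceeded(
                f"output passed {max_out} bytes after {consumed} of {len(body)} input bytes")
        pending = d.unconsumed_tail
    out += d.flush()  # leftover held inside zlib; bounded by the deflate window
    if len(out) > max_out:
        raise DecompressionLimitExceeded(f"output passed {max_out} bytes")
    return bytes(out)

def screen_request_body(body: bytes, max_out: int) -> str:
    """Decision a request filter would make: cheap trailer gate first, then the real bound."""
    if gzip_declared_size(body) > max_out:
        return "rejected: declared size over limit"
    try:
        bounded_inflate(body, max_out)
    except DecompressionLimitExceeded:
        return "rejected: output limit hit while inflating"
    return "accepted"
```

The trailer gate is only a shortcut; with a forged trailer the body is still stopped by the incremental bound, which is the check that actually protects the process.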