Skip to main content

MAX_DECOMPRESSED_LEN

Constant MAX_DECOMPRESSED_LEN 

Source
pub const MAX_DECOMPRESSED_LEN: usize = _; // 268_443_648usize
Expand description

Hard ceiling on the size of the decompressed body emitted by DiskArtifactStore::get.

Defends against zstd “zip bomb” inputs that decompress at very high ratios (a few MB of attacker-controlled bytes can otherwise expand to gigabytes). The decoder is driven through std::io::Read::take with a probe of MAX_DECOMPRESSED_LEN + 1 so we can distinguish “exactly cap” (allowed) from “>cap” (rejected) without ever allocating past the cap.

SECURITY (memory-amplification fix): this MUST stay tied to MAX_PAYLOAD_LEN. Every blob the store can hold was put-capped at MAX_PAYLOAD_LEN uncompressed bytes, so a legitimate decode never needs to yield more than that. Sizing the read cap larger (the old 1 GiB = 4x value) handed an attacker holding a valid/leaked key a 4x memory-amplification primitive: a blob that put refused at 256 MiB could still be hand-crafted to decompress to ~1 GiB on the read path. We therefore pin the read cap to the put cap plus a small fixed framing slack (a few KiB) so no legitimately-put blob — which is at most MAX_PAYLOAD_LEN uncompressed — is ever rejected, while the read path can no longer be coerced into a larger allocation than the write path would have admitted.