pub const MAX_DECOMPRESSED_LEN: usize = _; // 268_443_648usizeExpand description
Hard ceiling on the size of the decompressed body emitted by
DiskArtifactStore::get.
Defends against zstd “zip bomb” inputs that decompress at very high
ratios (a few MB of attacker-controlled bytes can otherwise expand
to gigabytes). The decoder is driven through
std::io::Read::take with a probe of MAX_DECOMPRESSED_LEN + 1
so we can distinguish “exactly cap” (allowed) from “>cap” (rejected)
without ever allocating past the cap.
SECURITY (memory-amplification fix): this MUST stay tied to
MAX_PAYLOAD_LEN. Every blob the store can hold was put-capped at
MAX_PAYLOAD_LEN uncompressed bytes, so a legitimate decode never
needs to yield more than that. Sizing the read cap larger (the old
1 GiB = 4x value) handed an attacker holding a valid/leaked key a
4x memory-amplification primitive: a blob that put refused at
256 MiB could still be hand-crafted to decompress to ~1 GiB on the
read path. We therefore pin the read cap to the put cap plus a small
fixed framing slack (a few KiB) so no legitimately-put blob — which
is at most MAX_PAYLOAD_LEN uncompressed — is ever rejected, while
the read path can no longer be coerced into a larger allocation than
the write path would have admitted.