[Go]: DOS through Decompression

[am0o0]

Query PR

github/codeql#13553

Language

Go

CVE(s) ID list

• CVE-2023-26483 includes both formValue as user controlled source and a zipBomb sink
• CVE-2023-28119
• CVE-2023-0475 is a root cause of CVE-2023-0821 which both marked as a DOS

Report

Extracting Compressed files with any compression algorithm like gzip can cause to denial of service attacks. Attackers can compress a huge file which created by repeated similar byte and convert it to a small compressed file.
Added modeling for multiple Go CLI third parties.
Added modeling for User controlled remote sources for multipart/file uploads.
The only good sanitizer that I found is using of "io.LimitReader" and "io.CopyN" which the query will sanitize the results that contain these two methods.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Yes

[am0o0]

@Kwstubbs please let me know if this can help you, I have a python script to generate some gzip,br,zip,zstd files and serve them in a http server too, also I have some public good resources.

[Kwstubbs]

@amammad thanks, due to the large amount of queries submitted these will probably be split among multiple members of the team. We will be discussing this next week so we will get back to you then.

[am0o0]

@Kwstubbs Can I update some of my pull requests? I make some improvements that can reduce review time too!

[Kwstubbs]

@amammad Feel free to update the PRs. Also please send me those tools, scripts, resources. I will test out them this week.

[Kwstubbs]

@amammad Hey amammad, for each DOS language query could you include the databases for at least one of the CVEs that you mention in the description? I am starting to work on triaging this week. Thank you!

[am0o0]

@Kwstubbs DB_CVE-2023-26483.tar.gz

[ghsecuritylab]

Your submission is now in status Test run.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Initial triage.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Test run.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[am0o0]

@Kwstubbs I forgot to mention that the gosaml2 also cover the Form values as user controlled source too which I've already write a model for that too. I updated the submission too.

[ghsecuritylab]

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Results analysis.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed