fix(security): cap bsdtar extraction size to prevent decompression bomb DoS [DEVA11Y-484]#25
Open
maunilm wants to merge 1 commit into
Conversation
…mb DoS [DEVA11Y-484]

CWE-400 / OWASP A05. bsdtar was invoked with no decompressed-size or entry-count limit in both the Swift SPM plugin and the bash/zsh/fish CLI wrappers, so an attacker who can influence the download URL (the HTTPS-only --download-url / BROWSERSTACK_A11Y_CLI_DOWNLOAD_URL override, or TLS interception) could serve a decompression bomb that exhausts the developer/CI disk.

Swift plugin (BrowserStackAccessibilityLint.swift):
- curl now passes --max-filesize (100 MB) to cap the compressed download.
- A background watchdog terminates bsdtar once the *decompressed* footprint on disk exceeds 200 MB (a pipe-level cap would only bound compressed bytes, which is useless against a bomb). Applied to both the remote and local extraction paths.
- locateExecutable now bounds enumeration at 10,000 entries.

Shell wrappers (bash/zsh/fish cli.sh):
- curl --max-filesize caps the compressed download.
- bsdtar output is piped through `head -c` (200 MB) with pipefail so an oversized archive aborts instead of filling the disk.

Real CLI artifact is ~34 MB compressed / ~64 MB decompressed, so the caps leave ~3x headroom and do not affect legitimate downloads.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
`bsdtar` was invoked with no decompressed-size or entry-count limit, so an attacker who can influence the download URL (the HTTPS-only `--download-url` / `BROWSERSTACK_A11Y_CLI_DOWNLOAD_URL` override, or TLS interception of the default endpoint) could serve a decompression bomb that exhausts developer/CI disk space.

(`scripts/bash/cli.sh`; zsh/fish were byte-identical.)

What changed

Plugins/BrowserStackAccessibilityLint.swift
- `curl` now passes `--max-filesize` (100 MB) to cap the compressed download.
- A background watchdog terminates `bsdtar` once the decompressed footprint on disk exceeds 200 MB. A cap on the `curl` → `bsdtar` pipe would only bound compressed bytes — useless against a bomb — so the guard measures bytes written to disk. Applied to both the remote and local extraction paths.
- `locateExecutable` bounds enumeration at 10,000 entries (secondary CPU/IO drain from archives with millions of empty entries).

scripts/{bash,zsh,fish}/cli.sh
- `curl --max-filesize` caps the compressed download.
- `bsdtar … -O` output is piped through `head -c` (200 MB) with `set -o pipefail`; an oversized archive aborts (and deletes the partial binary) instead of filling the disk.

Why these limits don't break legitimate use

The real CLI artifact (macos arm64) is ~34 MB compressed / ~64 MB decompressed, so the 100 MB / 200 MB caps leave ~3× headroom for growth.

Note on scope vs. the ticket

The ticket's primary vector (MitM on a plaintext download) is already closed by DEVA11Y-479 (override restricted to HTTPS; default URL is HTTPS). This PR is defense-in-depth against the remaining vectors: an attacker-controlled HTTPS override endpoint, or TLS interception. Practical severity is arguably below the stated CVSS 5.3, but the guard is cheap and correct.

Verification

- `swiftc -typecheck -parse-as-library` against the toolchain `PackagePlugin` module: clean.
- `bash -n` on all three scripts: clean.
- `bsdtar -O | head -c` pipeline: a 1 MB payload with a 4 KB cap aborts (`pipefail` → status 1); with a 200 MB cap it extracts normally.

Jira

DEVA11Y-484 · umbrella APPSEC-415
🤖 Generated with Claude Code
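As an added example, not the project's `cli.sh` and not part of this PR, the shell half of the fix in runnable form: one archive entry is streamed through `head -c` under `set -o pipefail`, and a failed or capped extraction deletes the partial output instead of leaving a truncated binary. It reproduces the description's own check (a 1 MiB payload is rejected by a 4 KB cap and accepted by a 200 MB cap) on a constructed sample archive. It goes one step beyond the page: when the whole entry fits in the kernel pipe buffer, tar can exit before `head` closes the pipe, so `pipefail` alone reports success even though the output was truncated; the function therefore also compares the written size against the cap. The function names (`extract_capped`, `build_sample_archive`, `demo`) are this example's own, `bsdtar` is assumed with a fallback to GNU tar, and the `curl --max-filesize` part of the fix is not exercised because nothing is downloaded.

```bash
#!/usr/bin/env bash
# Added example (not the project's cli.sh): capped extraction in the shape the
# PR describes. Names and the sample archive are constructed for this example.
set -o pipefail

# Prefer bsdtar (libarchive), as the wrappers do; fall back to GNU tar, which
# also accepts -xOf (extract a single entry to stdout).
TAR_BIN=$(command -v bsdtar || command -v tar)

# extract_capped ARCHIVE ENTRY DEST MAX_BYTES
# Streams ENTRY out of ARCHIVE through `head -c MAX_BYTES` into DEST.
# Once head has passed MAX_BYTES it exits; tar then fails on its next write
# (SIGPIPE / EPIPE) and, with pipefail, the pipeline status is non-zero.
# Edge case: if the whole entry fits in the pipe buffer, tar may finish before
# head closes its end and the pipeline reports success although head
# truncated the output. Comparing DEST against the cap closes that gap
# (a file of exactly MAX_BYTES is treated as capped, i.e. rejected).
extract_capped() {
  archive=$1; entry=$2; dest=$3; max=$4
  if "$TAR_BIN" -xOf "$archive" "$entry" 2>/dev/null | head -c "$max" > "$dest" \
     && [ "$(wc -c < "$dest" | tr -d ' ')" -lt "$max" ]; then
    return 0
  fi
  rm -f "$dest"   # never leave a truncated binary behind
  return 1
}

# build_sample_archive DIR -> prints the path of a constructed tar.gz holding
# one 1 MiB entry named "cli". The entry is all zero bytes, so it compresses
# to a few KB: a miniature of the small-compressed / large-decompressed shape
# that the size cap is meant to stop.
build_sample_archive() {
  dir=$1
  mkdir -p "$dir/src"
  head -c 1048576 /dev/zero > "$dir/src/cli"
  "$TAR_BIN" -czf "$dir/cli.tar.gz" -C "$dir/src" cli
  printf '%s\n' "$dir/cli.tar.gz"
}

# demo: returns 0 only if a 4 KB cap rejects the 1 MiB entry (and removes the
# partial file) while a 200 MB cap extracts it intact.
demo() {
  work=$(mktemp -d) || return 1
  archive=$(build_sample_archive "$work") || return 1
  ok=0
  if extract_capped "$archive" cli "$work/capped" 4096; then ok=1; fi
  [ ! -e "$work/capped" ] || ok=1
  extract_capped "$archive" cli "$work/full" 209715200 || ok=1
  [ "$(wc -c < "$work/full" | tr -d ' ')" -eq 1048576 ] || ok=1
  rm -rf "$work"
  return $ok
}

demo && echo "4 KB cap aborted the extraction; 200 MB cap extracted 1 MiB intact"
```

The size comparison after the pipeline is the part worth keeping even when the pipeline looks like it already fails closed: `pipefail` only turns a SIGPIPE on the producer into a non-zero status, and a producer that finishes before the consumer exits never sees one.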