JWEObject.decrypt must reject compressed cipher texts that are too large
Proposed cut off: 250KBytes.
Implement max length of 100K chars (cipher text of compressed plain text).
Comments (9)
reporter - changed status to resolved
Hi Vladimir,
I am a developer using nimbus for the transmission of much larger (compressed) payloads than the now enforced 100_000 chars.
I would be more than grateful if you could give some feedback on why the decision to restrict the compressed plain text was made? Thank you so much in advance!
Best regards,
Martin
-
reporter -
Hi Marten,
A recent sec audit revealed that without a limit on the compressed payload, lib deployments can be vulnerable to ZIP bomb attacks:
https://en.wikipedia.org/wiki/Zip_bomb
We are trying to figure out a way to configure the limit, but we first had to close this path to exploit compression with JWEs.
I suggest you go back to a previous version until we figure out how to make this configurable via the lib API.
-
Thanks
-
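The cap discussed in this thread bounds the size of the compressed payload on the wire, but the quantity that actually exhausts memory in a zip bomb is the inflated output, which a small input can expand by a large factor. The following is an added illustration, written for this page and not code from the Nimbus library (it is Python rather than Java so it can be run as-is). It applies both gates to a raw DEFLATE stream, the format JWE uses for "zip": "DEF": an input-size check that mirrors the 100K-character limit from the issue, and an incremental inflater that aborts as soon as the produced output passes an output cap. The two cap values are assumptions for the example, not settings the library documents.

```python
import zlib

# Assumed caps for this example. The input cap mirrors the issue's 100K-char
# limit (chars taken as bytes here); the output cap is an added assumption.
MAX_COMPRESSED_BYTES = 100_000
MAX_INFLATED_BYTES = 1_000_000
CHUNK = 64 * 1024  # how much output to produce per inflate step


class DecompressionBombError(ValueError):
    """Raised when a payload exceeds the configured input or output cap."""


def deflate_raw(plaintext: bytes) -> bytes:
    """Raw DEFLATE (no zlib header/trailer), as used by JWE "zip": "DEF"."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(plaintext) + comp.flush()


def inflate_bounded(compressed: bytes,
                    max_in: int = MAX_COMPRESSED_BYTES,
                    max_out: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate a raw DEFLATE stream, rejecting it if either cap is exceeded."""
    # Gate 1: the cheap check on what arrived on the wire. This alone does not
    # bound memory, because the expansion ratio is attacker-controlled.
    if len(compressed) > max_in:
        raise DecompressionBombError(
            f"compressed payload is {len(compressed)} bytes, cap is {max_in}")

    # Gate 2: inflate in bounded steps and stop the moment the output passes
    # the cap, so a bomb never gets to allocate its full inflated size.
    dec = zlib.decompressobj(-15)
    out = bytearray()
    pending = compressed
    while pending:
        # max_length limits the output of this call; input that could not be
        # processed yet is handed back in unconsumed_tail.
        out += dec.decompress(pending, CHUNK)
        if len(out) > max_out:
            consumed = len(compressed) - len(dec.unconsumed_tail)
            raise DecompressionBombError(
                f"inflated size passed {max_out} bytes after consuming "
                f"{consumed} input bytes")
        pending = dec.unconsumed_tail
    # Any output still buffered inside zlib is released by flush(); check again.
    out += dec.flush()
    if len(out) > max_out:
        raise DecompressionBombError(f"inflated size passed {max_out} bytes")
    if not dec.eof:
        raise ValueError("truncated DEFLATE stream")
    return bytes(out)


def check_payload(compressed: bytes) -> dict:
    """Summarise what the bounded inflater decides about one payload."""
    try:
        plain = inflate_bounded(compressed)
        return {"accepted": True, "compressed": len(compressed),
                "inflated": len(plain),
                "ratio": len(plain) / max(len(compressed), 1)}
    except DecompressionBombError as exc:
        return {"accepted": False, "compressed": len(compressed),
                "reason": str(exc)}


if __name__ == "__main__":
    # Constructed inputs: an ordinary payload and a highly redundant one that
    # deflates to a few kilobytes but inflates to 5 MB.
    samples = [
        ("ordinary", deflate_raw(b"hello " * 100)),
        ("bomb", deflate_raw(b"\x00" * 5_000_000)),
    ]
    for label, payload in samples:
        print(label, check_payload(payload))
```

Running the script shows the point of the thread: the 5 MB bomb is only a few kilobytes on the wire, so it passes the input gate comfortably, and only the output-side cap stops it. An input cap alone forces a trade-off between blocking bombs and blocking legitimate large payloads, which is exactly the tension the commenters below run into; a cap on inflated size lets the compressed limit be raised without reopening the bomb path.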
Hi Vladimir,
I am also working on a project where nimbus is used to transfer larger objects. Did you find a way to configure the limit?
Best regards,
Michael
-
This max-limit is also preventing our project from upgrading to the latest Nimbus version.
Is the configuration of this limit on the roadmap?
Thank you.
-
Hi Vladimir,
We would also be happy about a configurable solution.
Best regards
-
I created #570 to track the problem related to the fixed upper limit and give it some higher visibility :)