JWEObject.decrypt must reject compressed cipher texts that are too large

Issue #545 resolved
Vladimir Dzhuvinov created an issue

Proposed cut off: 250KBytes.

Implement max length of 100K chars (cipher text of compressed plain text).

Comments (9)

  1. Marten Vogel

    Hi Vladimir,

    I am a developer using Nimbus for the transmission of much larger (compressed) payloads than the now enforced 100_000 chars.
    I would be more than grateful if you could give some feedback on why the decision to restrict the compressed plain text was made?

    Thank you so much in advance!

    Best regards,
    Martin

  2. Vladimir Dzhuvinov reporter

    Hi Marten,

    A recent sec audit revealed that without a limit on the compressed payload, lib deployments can be vulnerable to ZIP bomb attacks:

    https://en.wikipedia.org/wiki/Zip_bomb

    We are trying to figure out a way to configure the limit, but we first had to close this path to exploit compression with JWEs.

    I suggest you go back to a previous version until we figure out how to make this configurable via the lib API.
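The bound Vladimir describes, as an added example that is not Nimbus code: a Python sketch of inflating a JWE-style raw DEFLATE ("zip":"DEF") payload with caps on both the compressed input (the check this issue added) and the inflated output, tried against constructed normal, highly compressible and truncated inputs. The limit values, helper names and sample payloads are placeholders chosen for the example, not the library's.

```python
import zlib

# Hypothetical limits for this example, not Nimbus constants: a cap on the compressed
# input (the kind of check this issue added) and a cap on the inflated output.
MAX_COMPRESSED_BYTES = 100_000
MAX_INFLATED_BYTES = 250_000

def deflate_raw(plain: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951, the format JWE "zip":"DEF" uses); builds sample inputs."""
    c = zlib.compressobj(wbits=-15)  # negative wbits: no zlib header or trailer
    return c.compress(plain) + c.flush()

def inflate_bounded(compressed: bytes, max_out: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate raw DEFLATE, rejecting input that is too large or expands past max_out.
    max_length keeps each decompress call from emitting more than max_out + 1 bytes,
    so a highly compressible payload is refused before its full size is materialised."""
    if len(compressed) > MAX_COMPRESSED_BYTES:
        raise ValueError(f"compressed input too large: {len(compressed)} bytes")
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    data = compressed
    while True:
        chunk = d.decompress(data, max_out - len(out) + 1)
        out += chunk
        if len(out) > max_out:
            raise ValueError(f"inflated output exceeds {max_out} bytes")
        if d.eof:
            return bytes(out)
        data = d.unconsumed_tail  # input not yet consumed because max_length was hit
        if not data and not chunk:
            raise ValueError("truncated or malformed DEFLATE stream")

def demo() -> dict:
    """Constructed samples: a normal payload, a 1 MiB 'bomb' that deflates to ~1 KB,
    and a truncated stream. Reports what inflate_bounded accepted or rejected."""
    results = {}
    results["normal"] = inflate_bounded(deflate_raw(b'{"sub":"alice"}')) == b'{"sub":"alice"}'
    bomb = deflate_raw(b"A" * (1 << 20))
    results["bomb_bytes"] = len(bomb)  # small on the wire, huge once inflated
    for name, blob in (("bomb", bomb), ("truncated", deflate_raw(b"x" * 1000)[:-4])):
        try:
            inflate_bounded(blob)
            results[name] = "accepted"
        except (ValueError, zlib.error) as e:
            results[name] = f"rejected: {e}"
    return results
```

Running demo() shows the 1 MiB payload passing the compressed-length check yet being rejected on output size, which is why a bound on the inflated side matters even once the ciphertext length is capped.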

  3. Michael Schmidt

    Hi Vladimir,

    I am also working on a project where Nimbus is used to transfer larger objects. Did you find a way to configure the limit?

    Best regards,
    Michael

  4. Marc Powell

    This max-limit is also preventing our project from upgrading to the latest Nimbus version.

    Is the configuration of this limit on the roadmap?

    Thank you.
