This repository has been archived by the owner on Jan 22, 2025. It is now read-only.

Limit extracted data size from genesis.tar.bz2 and snapshot.tar.bz2 #8427

Closed
mvines opened this issue Feb 25, 2020 · 6 comments · Fixed by #8959

Comments

@mvines
Contributor

mvines commented Feb 25, 2020

As a DoS attack an RPC node could potentially serve up a genesis.tar.bz2 or snapshot.tar.bz2 that fills the disk of the victim validator, by building a file full of 0s or some other content that compresses very well.
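A defender-side sketch of the limit this issue asks for, added here as an example that is not Solana's code (the project is Rust; Python's standard library is used so it runs stand-alone). `build_zero_tarball` is a constructed stand-in for a malicious snapshot.tar.bz2, and `extract_with_limit` counts decompressed bytes as they stream out and aborts at the cap instead of trusting the compressed size.

```python
import io
import tarfile

MiB = 1 << 20


class ExtractionTooLarge(Exception):
    """Raised as soon as extraction would exceed the configured cap."""


def build_zero_tarball(members):
    """Constructed sample: a tar.bz2 whose members are runs of zeros,
    which bz2 shrinks to a few hundred bytes (stand-in for a hostile archive)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, size in members:
            info = tarfile.TarInfo(name)
            info.size = size
            tar.addfile(info, io.BytesIO(bytes(size)))
    return buf.getvalue()


def extract_with_limit(tarball, max_total_bytes, sink=None, chunk_size=MiB):
    """Stream-decompress `tarball`, handing member data to `sink` (a callable
    taking bytes; None discards it) and counting bytes actually produced.
    Aborts the moment the running total exceeds `max_total_bytes`, so a
    highly compressible archive costs at most the cap plus one chunk before
    it is rejected.  Returns the number of bytes extracted."""
    total = 0
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r|bz2") as tar:
        for member in tar:
            # Cheap early reject from the header; the byte count below is the
            # real guard, since it measures what the decompressor emits.
            if member.size > max_total_bytes - total:
                raise ExtractionTooLarge(f"{member.name} declares {member.size} bytes")
            if not member.isfile():
                continue
            src = tar.extractfile(member)
            while True:
                chunk = src.read(chunk_size)
                if not chunk:
                    break
                total += len(chunk)
                if total > max_total_bytes:
                    raise ExtractionTooLarge(f"cap {max_total_bytes} hit in {member.name}")
                if sink is not None:
                    sink(chunk)
    return total


def fits_within(tarball, max_total_bytes):
    """Dry run: (accepted, bytes_extracted) without writing anything."""
    try:
        return True, extract_with_limit(tarball, max_total_bytes)
    except ExtractionTooLarge:
        return False, 0


# Constructed input: 9 MiB of zeros inside a tar.bz2 of only a few hundred bytes.
SAMPLE_TARBALL = build_zero_tarball([("genesis.bin", 1 * MiB), ("accounts.bin", 8 * MiB)])
```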

@mvines mvines added this to the v1.1.0 milestone Feb 25, 2020
@mvines
Contributor Author

mvines commented Feb 25, 2020

@ryoqun - can you take this one please?

@ryoqun
Contributor

ryoqun commented Feb 25, 2020

@ryoqun - can you take this one please?

Sure!

I think this attack is one of those zip bomb attacks.

@ryoqun
Contributor

ryoqun commented Feb 25, 2020

@sakridge I think this fix will be really tiny, but it would mildly conflict with the split multi-file snapshot download you're working on now?

@sakridge
Contributor

@ryoqun shouldn't be a problem, I think the conflict will be small.

@sakridge
Contributor

With the --trusted-validator feature limiting snapshot fetch to certain nodes, maybe this is lower priority?

@mvines
Contributor Author

mvines commented Feb 27, 2020

The tarballs are still downloaded from any rando RPC node, so they can still blow up the disk before the actual contents (genesis/snapshot hash) can be approved or rejected.

@mvines mvines modified the milestones: v1.1.0, v1.0.1, v1.0.2, v1.0.3, v1.0.4, v1.0.5 Mar 1, 2020
@mvines mvines modified the milestones: v1.0.5, v1.0.6, v1.0.7, v1.0.8 Mar 10, 2020
@mvines mvines modified the milestones: v1.0.8, v1.0.9 Mar 19, 2020
@mvines mvines modified the milestones: v1.0.9, v1.0.10 Mar 24, 2020
@mvines mvines modified the milestones: v1.0.10, v1.1.0 Mar 24, 2020
@leoluk leoluk added the security Pull requests that address a security vulnerability label Sep 16, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 4, 2022