zeek/testing/btest/scripts/base/protocols/http/deeply-nested-mime.zeek at 72ea7fc06c8d8a8f9116822df682a55dc70a85a6 - Mirror/zeek - git.uphillsecurity.com: We code.

Mirror/zeek

mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00

Arne Welzel 2a858d252e MIME: Cap nested MIME analysis depth to 100

OSS-Fuzz managed to produce a MIME multipart message construction with
thousands of nested entities (or that's what Zeek makes out of it anyhow).
Prevent such deep analysis by capping at a nesting depth of 100,
preventing unnecessary resource usage. A new weird named exceeded_mime_max_depth
is reported when this limit is reached.

This change reduces the runtime of the OSS-Fuzz reproducer from ~45 seconds
to ~2.5 seconds.

The test PCAP was produced from a Python script using the email package
and sending the rendered version via POST to a HTTP server.

Closes #208

2024-01-17 10:18:13 -07:00

7 lines

320 B

Text

Raw Blame History

 # @TEST-DOC: HTTP POST request with 100 nestesd message/rfc822 entities, causing an analysis depth of 200 or so, Zeek stops at 100 and produces a weird.
 #
 # @TEST-EXEC: zeek -b -r $TRACES/http/deeply-nested-mime.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log
 @load base/protocols/http