fix: add a maxOutputLength option to zlib inflate

Author: panva

docs/classes/util_errors.JWEDecompressionFailed.md

@@ -0,0 +1,82 @@
+# Class: JWEDecompressionFailed
+
+## [💗 Help the project](https://github.com/sponsors/panva)
+
+Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).
+
+---
+
+An error subclass thrown when a JWE ciphertext decompression fails.
+
+**`Example`**
+
+Checking thrown error is this one using a stable error code
+
+```js
+if (err.code === 'ERR_JWE_DECOMPRESSION_FAILED') {
+  // ...
+}
+```
+
+**`Example`**
+
+Checking thrown error is this one using `instanceof`
+
+```js
+if (err instanceof jose.errors.JWEDecompressionFailed) {
+  // ...
+}
+```
+
+## Table of contents
+
+### Constructors
+
+- [constructor](util_errors.JWEDecompressionFailed.md#constructor)
+
+### Properties
+
+- [code](util_errors.JWEDecompressionFailed.md#code)
+- [message](util_errors.JWEDecompressionFailed.md#message)
+
+### Accessors
+
+- [code](util_errors.JWEDecompressionFailed.md#code-1)
+
+## Constructors
+
+### constructor
+
+• **new JWEDecompressionFailed**(`message?`)
+
+#### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `message?` | `string` |
+
+## Properties
+
+### code
+
+• **code**: `string` = `'ERR_JWE_DECOMPRESSION_FAILED'`
+
+A unique error code for the particular error subclass.
+
+___
+
+### message
+
+• **message**: `string` = `'decompression operation failed'`
+
+## Accessors
+
+### code
+
+• `Static` `get` **code**(): ``"ERR_JWE_DECOMPRESSION_FAILED"``
+
+A unique error code for the particular error subclass.
+
+#### Returns
+
+``"ERR_JWE_DECOMPRESSION_FAILED"``

docs/modules/util_errors.md

@@ -13,6 +13,7 @@ Support from the community to continue maintaining and improving this module is
 - [JOSEAlgNotAllowed](../classes/util_errors.JOSEAlgNotAllowed.md)
 - [JOSEError](../classes/util_errors.JOSEError.md)
 - [JOSENotSupported](../classes/util_errors.JOSENotSupported.md)
+- [JWEDecompressionFailed](../classes/util_errors.JWEDecompressionFailed.md)
 - [JWEDecryptionFailed](../classes/util_errors.JWEDecryptionFailed.md)
 - [JWEInvalid](../classes/util_errors.JWEInvalid.md)
 - [JWKInvalid](../classes/util_errors.JWKInvalid.md)

src/runtime/node/zlib.ts

@@ -6,5 +6,6 @@ import type { InflateFunction, DeflateFunction } from '../../types.d'
 const inflateRaw = promisify(inflateRawCb)
 const deflateRaw = promisify(deflateRawCb)
 
-export const inflate: InflateFunction = (input: Uint8Array) => inflateRaw(input)
+export const inflate: InflateFunction = (input: Uint8Array) =>
+  inflateRaw(input, { maxOutputLength: 250_000 })
 export const deflate: DeflateFunction = (input: Uint8Array) => deflateRaw(input)

test/jwe/flattened.decrypt.test.mjs

@@ -1,5 +1,7 @@
 import test from 'ava'
 import * as crypto from 'crypto'
+import { promisify } from 'node:util'
+import { inflateRaw as inflateRawCb } from 'node:zlib'
 
 const { FlattenedEncrypt, flattenedDecrypt } = await import('#dist')
 
@@ -228,3 +230,37 @@ test('decrypt PBES2 p2c limit', async (t) => {
     code: 'ERR_JWE_INVALID',
   })
 })
+
+test('decrypt inflate output length limit', async (t) => {
+  {
+    const jwe = await new FlattenedEncrypt(new Uint8Array(250000))
+      .setProtectedHeader({ alg: 'dir', enc: 'A128CBC-HS256', zip: 'DEF' })
+      .encrypt(new Uint8Array(32))
+
+    await flattenedDecrypt(jwe, new Uint8Array(32))
+  }
+
+  {
+    const jwe = await new FlattenedEncrypt(new Uint8Array(250000 + 1))
+      .setProtectedHeader({ alg: 'dir', enc: 'A128CBC-HS256', zip: 'DEF' })
+      .encrypt(new Uint8Array(32))
+
+    await t.throwsAsync(flattenedDecrypt(jwe, new Uint8Array(32)), {
+      message: 'decompression operation failed',
+      code: 'ERR_JWE_DECOMPRESSION_FAILED',
+    })
+  }
+
+  {
+    const jwe = await new FlattenedEncrypt(new Uint8Array(1000 + 1))
+      .setProtectedHeader({ alg: 'dir', enc: 'A128CBC-HS256', zip: 'DEF' })
+      .encrypt(new Uint8Array(32))
+
+    const inflateRawPromise = promisify(inflateRawCb)
+    const inflateRaw = async (buffer) => inflateRawPromise(buffer, { maxOutputLength: 1000 })
+
+    await t.throwsAsync(flattenedDecrypt(jwe, new Uint8Array(32), { inflateRaw }), {
+      code: 'ERR_BUFFER_TOO_LARGE',
+    })
+  }
+})