righettod
diff --git a/‎docs/eu/righettod/ProcessingMode.html‎
Lines changed: 312 additions & 229 deletions b/‎docs/eu/righettod/ProcessingMode.html‎
Lines changed: 312 additions & 229 deletions
diff --git a/‎docs/eu/righettod/SecurityUtils.html‎
Lines changed: 1648 additions & 1232 deletions b/‎docs/eu/righettod/SecurityUtils.html‎
Lines changed: 1648 additions & 1232 deletions
diff --git a/‎docs/eu/righettod/class-use/ProcessingMode.html‎
Lines changed: 127 additions & 102 deletions b/‎docs/eu/righettod/class-use/ProcessingMode.html‎
Lines changed: 127 additions & 102 deletions
diff --git a/‎docs/src-html/eu/righettod/SecurityUtils.html‎
Lines changed: 36 additions & 25 deletions b/‎docs/src-html/eu/righettod/SecurityUtils.html‎
Lines changed: 36 additions & 25 deletions
diff --git a/‎…in/java/eu/righettod/ProcessingMode.java‎ ‎…ava/eu/righettod/ProcessingModeType.java‎src/main/java/eu/righettod/ProcessingMode.java renamed to src/main/java/eu/righettod/ProcessingModeType.java
Lines changed: 1 addition & 1 deletion b/‎…in/java/eu/righettod/ProcessingMode.java‎ ‎…ava/eu/righettod/ProcessingModeType.java‎src/main/java/eu/righettod/ProcessingMode.java renamed to src/main/java/eu/righettod/ProcessingModeType.java
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/main/java/eu/righettod/SecurityUtils.java‎
Lines changed: 48 additions & 8 deletions b/‎src/main/java/eu/righettod/SecurityUtils.java‎
Lines changed: 48 additions & 8 deletions
diff --git a/‎src/test/java/eu/righettod/TestSecurityUtils.java‎
Lines changed: 41 additions & 6 deletions b/‎src/test/java/eu/righettod/TestSecurityUtils.java‎
Lines changed: 41 additions & 6 deletions
@@ -3,7 +3,7 @@
 /**
  * Enumeration used by the method <code>SecurityUtils.ensureSerializedObjectIntegrity()</code> to define its working mode.
  */
-public enum ProcessingMode {
+public enum ProcessingModeType {
     /**
      * Protection mode: Add the integrity HMAC to the linked serialized object.
      */
 
@@ -74,6 +74,7 @@
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.zip.GZIPInputStream;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
 
@@ -735,9 +736,9 @@ public static boolean isExcelCSVSafe(String csvFilePath) {
      * Provide a way to add an integrity marker (<a href="https://en.wikipedia.org/wiki/HMAC">HMAC</a>) to a serialized object serialized using the <a href="https://www.baeldung.com/java-serialization">java native system</a> (binary).<br>
      * The goal is to provide <b>a temporary workaround</b> to try to prevent deserialization attacks and give time to move to a text-based serialization approach.
      *
-     * @param processingMode Define the mode of processing i.e. protect or validate. ({@link eu.righettod.ProcessingMode})
-     * @param input          When the processing mode is "protect" than the expected input (string) is a java serialized object encoded in Base64 otherwise (processing mode is "validate") expected input is the output of this method when the "protect" mode was used.
-     * @param secret         Secret to use to compute the SHA256 HMAC.
+     * @param processingModeType Define the mode of processing i.e. protect or validate. ({@link ProcessingModeType})
+     * @param input              When the processing mode is "protect" than the expected input (string) is a java serialized object encoded in Base64 otherwise (processing mode is "validate") expected input is the output of this method when the "protect" mode was used.
+     * @param secret             Secret to use to compute the SHA256 HMAC.
      * @return A map with the following keys: <ul><li><b>PROCESSING_MODE</b>: Processing mode used to compute the result.</li><li><b>STATUS</b>: A boolean indicating if the processing was successful or not.</li><li><b>RESULT</b>: Always contains a string representing the protected serialized object in the format <code>[SERIALIZED_OBJECT_BASE64_ENCODED]:[SERIALIZED_OBJECT_HMAC_BASE64_ENCODED]</code>.</li></ul>
      * @throws Exception If any exception occurs.
      * @see "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"
@@ -749,11 +750,11 @@ public static boolean isExcelCSVSafe(String csvFilePath) {
      * @see "https://en.wikipedia.org/wiki/HMAC"
      * @see "https://smattme.com/posts/how-to-generate-hmac-signature-in-java/"
      */
-    public static Map<String, Object> ensureSerializedObjectIntegrity(ProcessingMode processingMode, String input, byte[] secret) throws Exception {
+    public static Map<String, Object> ensureSerializedObjectIntegrity(ProcessingModeType processingModeType, String input, byte[] secret) throws Exception {
         Map<String, Object> results;
         String resultFormatTemplate = "%s:%s";
         //Verify input provided to be consistent
-        if (processingMode == null) {
+        if (processingModeType == null) {
             throw new IllegalArgumentException("The processing mode is mandatory!");
         }
         if (input == null || input.trim().isEmpty()) {
@@ -762,7 +763,7 @@ public static Map<String, Object> ensureSerializedObjectIntegrity(ProcessingMode
         if (secret == null || secret.length == 0) {
             throw new IllegalArgumentException("The HMAC secret is mandatory!");
         }
-        if (processingMode.equals(ProcessingMode.VALIDATE) && input.split(":").length != 2) {
+        if (processingModeType.equals(ProcessingModeType.VALIDATE) && input.split(":").length != 2) {
             throw new IllegalArgumentException("Input data provided is invalid for the processing mode specified!");
         }
         //Processing
@@ -773,8 +774,8 @@ public static Map<String, Object> ensureSerializedObjectIntegrity(ProcessingMode
         SecretKeySpec key = new SecretKeySpec(secret, hmacAlgorithm);
         mac.init(key);
         results = new HashMap<>();
-        results.put("PROCESSING_MODE", processingMode.toString());
-        switch (processingMode) {
+        results.put("PROCESSING_MODE", processingModeType.toString());
+        switch (processingModeType) {
             case PROTECT -> {
                 byte[] objectBytes = b64Decoder.decode(input);
                 byte[] hmac = mac.doFinal(objectBytes);
@@ -1542,4 +1543,43 @@ public static Map<SensitiveInformationType, Set<String>> extractAllSensitiveInfo
 
         return data;
     }
+
+    /**
+     * Apply a collection of validations on a bytes array provided representing GZIP compressed data:
+     * <ul>
+     * <li>Are valid GZIP compressed data.</li>
+     * <li>The number of bytes once decompressed is under the specified limit.</li>
+     * </ul>
+     * <br><b>Note:</b> The value <code>Integer.MAX_VALUE - 8</code> was chosen because during my tests on Java 25 (JDK 64 bits on Windows 11 Pro), it was possible to decompress such amount of data with the default JVM settings without causing an <a href="https://docs.oracle.com/en/java/javase/25/docs/api//java.base/java/lang/OutOfMemoryError.html">Out Of Memory error</a>.
+     *
+     * @param compressedBytes                    Array of bytes containing the GZIP compressed data to check.
+     * @param maxCountOfDecompressedBytesAllowed Maximum number of decompressed bytes allowed. Default to 10 MB if the specified value is inferior to 1 or superior to Integer.MAX_VALUE - 8.
+     * @return True only if the file pass all validations.
+     * @see "https://en.wikipedia.org/wiki/Gzip"
+     * @see "https://www.rapid7.com/db/modules/auxiliary/dos/http/gzip_bomb_dos/"
+     */
+    public static boolean isGZIPCompressedDataSafe(byte[] compressedBytes, long maxCountOfDecompressedBytesAllowed) {
+        boolean isSafe = false;
+        try {
+            long limit = maxCountOfDecompressedBytesAllowed;
+            long totalRead = 0L;
+            byte[] buffer = new byte[8 * 1024];
+            int read;
+            if (limit < 1 || limit > (Integer.MAX_VALUE - 8)) {
+                limit = 10_000_000;
+            }
+            try (ByteArrayInputStream bis = new ByteArrayInputStream(compressedBytes); GZIPInputStream gzipInputStream = new GZIPInputStream(new BufferedInputStream(bis))) {
+                while ((read = gzipInputStream.read(buffer)) != -1) {
+                    totalRead += read;
+                    if (totalRead > limit) {
+                        throw new Exception();
+                    }
+                }
+            }
+            isSafe = true;
+        } catch (Exception e) {
+            isSafe = false;
+        }
+        return isSafe;
+    }
 }
@@ -28,6 +28,7 @@
 import java.time.ZoneId;
 import java.time.format.DateTimeFormatter;
 import java.util.*;
+import java.util.zip.GZIPOutputStream;
 
 import static org.junit.jupiter.api.Assertions.*;
 
@@ -55,6 +56,15 @@ private long getTestFileSize(String testFileName) {
         return new File(getTestFilePath(testFileName)).length();
     }
 
+    private byte[] createGZipCompressedData(int uncompressedDataSizeWanted) throws Exception {
+        byte[] raw = new byte[uncompressedDataSizeWanted];
+        Arrays.fill(raw, (byte) 'X');
+        try (ByteArrayOutputStream baos = new ByteArrayOutputStream(); GZIPOutputStream gzos = new GZIPOutputStream(baos)) {
+            gzos.write(raw);
+            gzos.finish();
+            return baos.toByteArray();
+        }
+    }
 
     @Test
     public void isWeakPINCode() {
@@ -339,9 +349,9 @@ public void ensureSerializedObjectIntegrity() throws Exception {
         Base64.Decoder b64Decoder = Base64.getDecoder();
         String testUserSerializedBytesEncoded = b64Encoder.encodeToString(testUserSerializedBytes.toByteArray());
         //Test "protect" processing
-        Map<String, Object> results = SecurityUtils.ensureSerializedObjectIntegrity(ProcessingMode.PROTECT, testUserSerializedBytesEncoded, secret);
+        Map<String, Object> results = SecurityUtils.ensureSerializedObjectIntegrity(ProcessingModeType.PROTECT, testUserSerializedBytesEncoded, secret);
         assertEquals(3, results.size());
-        assertEquals(ProcessingMode.PROTECT.toString(), results.get("PROCESSING_MODE"));
+        assertEquals(ProcessingModeType.PROTECT.toString(), results.get("PROCESSING_MODE"));
         assertEquals(Boolean.TRUE, results.get("STATUS"));
         String protectedSerializedObject = (String) results.get("RESULT");
         String[] parts = protectedSerializedObject.split(":");
@@ -350,9 +360,9 @@ public void ensureSerializedObjectIntegrity() throws Exception {
         assertNotEquals(0, b64Decoder.decode(parts[1]).length);
         //Test "validate" processing
         //--Case validation succeed (HMAC match)
-        results = SecurityUtils.ensureSerializedObjectIntegrity(ProcessingMode.VALIDATE, protectedSerializedObject, secret);
+        results = SecurityUtils.ensureSerializedObjectIntegrity(ProcessingModeType.VALIDATE, protectedSerializedObject, secret);
         assertEquals(3, results.size());
-        assertEquals(ProcessingMode.VALIDATE.toString(), results.get("PROCESSING_MODE"));
+        assertEquals(ProcessingModeType.VALIDATE.toString(), results.get("PROCESSING_MODE"));
         assertEquals(Boolean.TRUE, results.get("STATUS"));
         assertEquals(protectedSerializedObject, results.get("RESULT"));
         //--Case validation failed due to malicious serialized object provided (HMAC not match)
@@ -363,8 +373,8 @@ public void ensureSerializedObjectIntegrity() throws Exception {
         alteredObject[0] += 1;
         encodedSerializedObject = b64Encoder.encodeToString(alteredObject);
         String alteredInput = encodedSerializedObject + ":" + encodedHMAC;
-        results = SecurityUtils.ensureSerializedObjectIntegrity(ProcessingMode.VALIDATE, alteredInput, secret);
-        assertEquals(ProcessingMode.VALIDATE.toString(), results.get("PROCESSING_MODE"));
+        results = SecurityUtils.ensureSerializedObjectIntegrity(ProcessingModeType.VALIDATE, alteredInput, secret);
+        assertEquals(ProcessingModeType.VALIDATE.toString(), results.get("PROCESSING_MODE"));
         assertEquals(Boolean.FALSE, results.get("STATUS"));
         assertNotEquals(alteredInput, results.get("RESULT"));
     }
@@ -748,7 +758,32 @@ public void extractAllSensitiveInformation() {
                 throw new RuntimeException(e);
             }
         });
+    }
 
+    @Test
+    public void isGZIPCompressedDataSafe() throws Exception {
+        String falseNegativeMsgTemplate = "Array of %s bytes with limit to %s bytes must be detected as unsafe!";
+        String falsePositiveMsgTemplate = "Array of %s bytes with limit to %s bytes must be detected as safe!";
+        //Test invalid cases
+        //--Large compressed data > limit of 5MB
+        byte[] testData = createGZipCompressedData(Integer.MAX_VALUE - 2);
+        long limit = 5_000_000;//5 MB
+        boolean isSafe = SecurityUtils.isGZIPCompressedDataSafe(testData, limit);
+        assertFalse(isSafe, String.format(falseNegativeMsgTemplate, testData.length, limit));
+        //--Large compressed data > default limit of 10 MB
+        limit = 0;//trigger the usage of the default limit
+        isSafe = SecurityUtils.isGZIPCompressedDataSafe(testData, limit);
+        assertFalse(isSafe, String.format(falseNegativeMsgTemplate, testData.length, limit));
+        //Test valid cases
+        //--2MB initial data compressed < limit of 5MB
+        testData = createGZipCompressedData(2_000_000);//2 MB
+        limit = 5_000_000;//5 MB
+        isSafe = SecurityUtils.isGZIPCompressedDataSafe(testData, limit);
+        assertTrue(isSafe, String.format(falsePositiveMsgTemplate, testData.length, limit));
+        //--2MB initial data compressed < default limit of 10 MB
+        limit = 0;//trigger the usage of the default limit
+        isSafe = SecurityUtils.isGZIPCompressedDataSafe(testData, limit);
+        assertTrue(isSafe, String.format(falsePositiveMsgTemplate, testData.length, limit));
     }
 }