GGraziadei commented on PR #8653:
URL: https://github.com/apache/storm/pull/8653#issuecomment-4448737430

   Hi @rzo1, thank you for your review!
   
   - I have restructured the delegation chain by attempting Zstd decompression first, falling back to Gzip, and finally defaulting to the standard Thrift implementation. This is the hierarchy implemented by `ZstdBridgeThriftSerializationDelegate`: `ZstdThriftSerializationDelegate` -> `GzipThriftSerializationDelegate` -> `ThriftSerializationDelegate`
   - I’ve refactored ZstdUtils to bolster security and improve error handling, specifically by implementing protection against zip bomb attacks. The updated utility now includes configurable parameters to enforce a maximum uncompressed byte limit (defaulting to 100MB) by utilizing a capacity-limited input stream. This ensures that decompression terminates safely if a payload exceeds defined thresholds (during decompression), while the refined exception management provides clearer diagnostic insights when processing malformed or malicious compressed data.
   - I improved test coverage for the delegation chain + all test cases for the `ZstdUtils`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
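
The capacity-limited input stream described in the comment above can be sketched as follows. This is an added example, not code from the pull request or from Apache Storm: `CappedInputStream` and `gunzipBounded` are hypothetical names, and the JDK's gzip codec stands in for Zstd so the example runs without extra libraries.

```java
import java.io.*;
import java.util.zip.*;

public class BoundedDecompressDemo {
    /** Counts decompressed bytes as they are read; fails once the cap is passed. */
    static final class CappedInputStream extends FilterInputStream {
        private final long maxBytes;
        private long seen;
        CappedInputStream(InputStream in, long maxBytes) {
            super(in);
            this.maxBytes = maxBytes;
        }
        private void account(long n) throws IOException {
            if (n > 0 && (seen += n) > maxBytes) {
                throw new IOException("decompressed size exceeds " + maxBytes + " bytes");
            }
        }
        @Override public int read() throws IOException {
            int b = super.read();
            if (b >= 0) account(1);
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            account(n);
            return n;
        }
    }

    /** Inflates in 8 KiB chunks, so the check fires during decompression, not after. */
    static byte[] gunzipBounded(byte[] compressed, long maxBytes) throws IOException {
        try (InputStream in = new CappedInputStream(
                new GZIPInputStream(new ByteArrayInputStream(compressed)), maxBytes)) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            for (int n; (n = in.read(chunk)) != -1; ) out.write(chunk, 0, n);
            return out.toByteArray();
        }
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample: 8 MiB of zeros, which gzip shrinks to roughly 8 KiB.
        ByteArrayOutputStream packed = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(packed)) { gz.write(new byte[8 << 20]); }
        byte[] payload = packed.toByteArray();
        System.out.println(payload.length + " compressed -> " + gunzipBounded(payload, 16L << 20).length);
        try { gunzipBounded(payload, 1L << 20); }
        catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Because the count is taken on the decompressed side before each chunk is copied, the output buffer never grows past the cap, whatever size the compressed payload claims or implies.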
