Golang copyN When Decompression
What does this mean?
The rule detects the use of io.Copy when decompressing a file. This is a potential issue because io.Copy, per its documentation, "copies from src to dst until either EOF is reached on src or an error occurs", so the amount of data written is bounded only by the input being decompressed.
What can happen?
A malicious payload (a decompression bomb) might cause your program to decompress an unexpectedly large amount of data and run out of memory, causing a denial of service, as mentioned in the warning message.
Recommendation
Using io.CopyN removes the warning because, quoting its documentation, it "copies n bytes (or until an error) from src to dst", which gives you, the program author, control over how many bytes are copied. You can pass a large n chosen according to the resources available to your application, or copy in chunks. In either case the limit has to bound the total number of bytes written, not only the size of each chunk.
Sample Code
Vulnerable:
	// io.Copy writes everything fileReader yields, so the output size is
	// controlled entirely by the (possibly hostile) compressed input.
	if _, err := io.Copy(targetFile, fileReader); err != nil {
		return err
	}
Non Vulnerable:
	// Copy in 1024-byte chunks with io.CopyN. io.CopyN returns io.EOF when the
	// source runs out before n bytes were copied, which ends the loop.
	// On its own this loop still copies every byte the stream yields; keep a
	// running total and stop once it reaches a limit set for your application.
	for {
		_, err := io.CopyN(targetFile, fileReader, 1024)
		if err != nil {
			if err == io.EOF {
				break
			}
			return err
		}
	}
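As an added example that is not part of the original rule page, the chunked io.CopyN pattern above extended with a running total that fails once a byte budget is exhausted; the names DecompressGzipLimited, ErrLimitExceeded and GzipBytes are chosen here, and gzip is assumed as the input format.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"io"
)

// ErrLimitExceeded is returned when the inflated data would exceed maxBytes.
var ErrLimitExceeded = errors.New("decompressed output exceeds size limit")

// DecompressGzipLimited inflates a gzip stream from src into dst using
// io.CopyN in fixed-size chunks and enforces a total byte budget, so an
// inflated payload cannot exhaust memory or disk. On ErrLimitExceeded the
// caller should discard whatever was already written to dst.
func DecompressGzipLimited(dst io.Writer, src io.Reader, maxBytes int64) (int64, error) {
	zr, err := gzip.NewReader(src)
	if err != nil {
		return 0, err
	}
	defer zr.Close()
	const chunk = 32 * 1024
	// Allow one byte beyond the limit so overflow is detected, not silently truncated.
	budget := maxBytes + 1
	var total int64
	for total < budget {
		n := int64(chunk)
		if budget-total < n {
			n = budget - total
		}
		written, err := io.CopyN(dst, zr, n)
		total += written
		if err == io.EOF {
			return total, nil // stream ended within budget
		}
		if err != nil {
			return total, err
		}
	}
	return total, ErrLimitExceeded
}

// GzipBytes compresses data in memory; used only to build constructed samples.
func GzipBytes(data []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(data)
	zw.Close()
	return buf.Bytes()
}
```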