-
-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Limit the number of attachments when parsing emails #88
Comments
I'm not sure how you ended up with that import error, Salmon doesn't import docutils at any point. To answer your second question: no, I don't think it does. Although Salmon is far more lazy about loading things that it used to be, it still relies on Python's built in |
I've played around with a test email that has about 17 million lines of
Which I guess is fine as you're meant to make sure boundaries are unique, right? |
Thanks for testing this @moggers87!
The 25 seconds of parsing could be significant if the system has a limited number of CPU cores (say 4 or 8). With a handful of emails, sent within several seconds of each other, an attacker could use up all available CPU cores, while staying under the radar of any rate limiting system.
I might be mistaken but I think the
So I think it's fine and expected to have multiple attachments at the same layer separated by the same boundary, it just can't be reused by encapsulated nested multiparts. Also, we wouldn't expect a malicious MIME message to play by the RFCs!
Would you be willing to patch this upstream to add a maximum limit of 10,000 attachments? My python is non-existent, I think the |
Neither of us have any evidence that 10,000 attachments is a problem. 25 seconds of parsing was for an email that was 69MB long and had 17 million lines of "--0". |
Sure, I mean 10,000 attachments shouldn't be a problem. It's just an upper bound (a maximum limit which should be safe) and I think your upstream parser will handle that fine. The problem is with not validating potentially hostile user data containing 4 million or 17 million empty attachments. A limit on the maximum number of attachments allowed should be in place to prevent an attacker from burning even a few seconds of CPU time, let alone 25 seconds. For instance, @ronomon/mime (a parser I have worked on) can detect and reject a hostile 20MB or 69MB payload like this in 70ms, regardless of payload size. It's just a simple limit. Seems like it's worth having, but if you disagree, feel free to close the issue! |
I think you missed my point there. |
This may be a non-issue.
I tried to install salmon to test this for myself but ran into
No module named docutils.core
.Does salmon limit the number of attachments allowed when parsing emails?
Please see: https://snyk.io/blog/how-to-crash-an-email-server-with-a-single-email/
The text was updated successfully, but these errors were encountered: