v2.4.1: gzipDecode is now decompression-bomb safe

Symmetry fix. brotli-decode.ts has had a 1 MB MAX_DECOMPRESSED_SIZE
cap with a real on-chain-style fixture
(testdata/brotli-decompression-bomb.txt.br -> 1 GB unzipped) since
forever. The gzip path in inscription-parser.service.helper.ts had
a bare 'while (true) chunks.push(value)' loop and would happily
allocate gigabytes if a future inscription used gzip Content-Encoding
to ship a HAHAHA-style bomb.

Now:
  - gzipDecode tracks running totalSize, throws
    MAX_DECOMPRESSED_SIZE_MESSAGE the moment the streamed output
    crosses the cap, cancels the reader so the underlying
    DecompressionStream stops pulling, and returns the sentinel
    bytes the same way brotliDecodeUint8Array does.
  - writer.write() / writer.close() now .catch() the abort error
    that follows reader.cancel() (was unhandled before).

  - testdata/gzip-decompression-bomb.sh mirrors brotli-decompression-bomb.sh
    line for line (s/brotli/gzip/), with a one-line note about gzip's
    auto-removal of the source file.
  - testdata/gzip-decompression-bomb.txt.gz committed (949 KB compressed,
    decompresses to ~1 GB).
  - inscription-parser.service.gzip.spec.ts no longer has the
    /* it('should survive a decompression bomb') ... TODO! */ placeholder;
    it now has a real assertion that returns MAX_DECOMPRESSED_SIZE_MESSAGE,
    matching brotli's spec exactly.

861 tests pass in both jest configs (was 860).

Note: the on-chain inscription that motivated this is one of the
HAHAHA-bomb cats (in the first ~300 cat21 mints). The exact txid
is unknown -- the synthetic fixture is sufficient for regression.

\xf0\x9f\x98\xba

Author: hans-crypto

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ordpool-parser",
-  "version": "2.4.0",
+  "version": "2.4.1",
   "description": "Zero-dependency TypeScript parser for Bitcoin digital artifacts: Inscriptions, Runes, BRC-20, SRC-20, CAT-21, Atomicals, Labitbu, OpenTimestamps. Works in Node.js and browsers.",
   "repository": {
     "type": "git",

src/inscription/inscription-parser.service.gzip.spec.ts

@@ -1,5 +1,8 @@
-import { readInscriptionAsBase64, readTransaction } from '../../testdata/test.helper';
+import { MAX_DECOMPRESSED_SIZE_MESSAGE } from '../lib/brotli-decode';
+import { bytesToBinaryString } from '../lib/conversions';
+import { readBinaryFileAsUint8Array, readInscriptionAsBase64, readTransaction } from '../../testdata/test.helper';
 import { InscriptionParserService } from './inscription-parser.service';
+import { gzipDecode } from './inscription-parser.service.helper';
 
 describe('Inscription parser', () => {
 
@@ -16,9 +19,10 @@ describe('Inscription parser', () => {
     expect(actualFileData).toEqual(expectedFileData);
   });
 
-  /*
-  it('should survive a decompression bomb', () => {
-    // TODO! add mitigations!
+  it('should survive a decompression bomb', async () => {
+    const bomb = readBinaryFileAsUint8Array('gzip-decompression-bomb.txt.gz');
+    const contentRaw = await gzipDecode(bomb);
+    const content = bytesToBinaryString(contentRaw);
+    expect(content).toEqual(MAX_DECOMPRESSED_SIZE_MESSAGE);
   });
-  */
 });

src/inscription/inscription-parser.service.helper.ts

@@ -1,4 +1,4 @@
-import { INVALID_COMPRESSED_DATA_MESSAGE, MAX_DECOMPRESSED_SIZE_MESSAGE, brotliDecode } from "../lib/brotli-decode";
+import { INVALID_COMPRESSED_DATA_MESSAGE, MAX_DECOMPRESSED_SIZE, MAX_DECOMPRESSED_SIZE_MESSAGE, brotliDecode } from "../lib/brotli-decode";
 import { hexToBytes, isStringInArrayOfStrings, littleEndianBytesToNumber } from "../lib/conversions";
 import { bytesToHex } from "../lib/conversions";
 import { OP_ENDIF, OP_FALSE, OP_IF, OP_PUSHBYTES_3 } from "../lib/op-codes";
@@ -217,10 +217,18 @@ export function brotliDecodeUint8Array(bytes: Uint8Array): Uint8Array {
 }
 
 /**
- * Decompresses gzip-encoded bytes via DecompressionStream. Returns
- * INVALID_COMPRESSED_DATA_MESSAGE (UTF-8) on decode failure -- mirrors
- * brotliDecodeUint8Array. Throws only when DecompressionStream itself
- * is unavailable (host environment, not a data problem).
+ * Decompresses gzip-encoded bytes via DecompressionStream. Returns:
+ * - the decompressed bytes on success
+ * - MAX_DECOMPRESSED_SIZE_MESSAGE (UTF-8) if the result would exceed the cap
+ * - INVALID_COMPRESSED_DATA_MESSAGE (UTF-8) on any other decode failure
+ *
+ * Mirrors brotliDecodeUint8Array's behaviour. Decompression-bomb safety: a
+ * malicious gzip payload that expands to gigabytes is aborted as soon as the
+ * streamed output crosses MAX_DECOMPRESSED_SIZE -- we never allocate the full
+ * pathological output.
+ *
+ * Throws only when DecompressionStream itself is unavailable (host
+ * environment, not a data problem).
  */
 export async function gzipDecode(bytes: Uint8Array): Promise<Uint8Array> {
   if (typeof DecompressionStream === 'undefined') {
@@ -232,12 +240,15 @@ export async function gzipDecode(bytes: Uint8Array): Promise<Uint8Array> {
   try {
     const ds = new DecompressionStream('gzip');
 
-    // Write the input bytes to the stream
+    // Write the input bytes to the stream. We swallow the per-call rejections
+    // so that cancelling the reader on a bomb doesn't surface as an
+    // unhandled "ABORT_ERR" from the still-in-flight writer.
     const writer = ds.writable.getWriter();
-    writer.write(bytes);
-    writer.close();
+    writer.write(bytes).catch(() => { /* aborted on bomb cancel */ });
+    writer.close().catch(() => { /* aborted on bomb cancel */ });
 
-    // Read and concatenate the output bytes
+    // Read and concatenate the output bytes, aborting if the running total
+    // would exceed MAX_DECOMPRESSED_SIZE (decompression-bomb mitigation).
     const reader = ds.readable.getReader();
     const chunks: Uint8Array[] = [];
     let totalSize = 0;
@@ -249,6 +260,12 @@ export async function gzipDecode(bytes: Uint8Array): Promise<Uint8Array> {
       if (value) {
         chunks.push(value);
         totalSize += value.byteLength;
+        if (totalSize > MAX_DECOMPRESSED_SIZE) {
+          // Cancel the stream so the underlying DecompressionStream stops
+          // pulling more input -- we don't want to keep decompressing a bomb.
+          await reader.cancel();
+          throw new Error(MAX_DECOMPRESSED_SIZE_MESSAGE);
+        }
       }
     }
 
@@ -261,7 +278,10 @@ export async function gzipDecode(bytes: Uint8Array): Promise<Uint8Array> {
     }
 
     return result;
-  } catch {
+  } catch (error) {
+    if (error instanceof Error && error.message === MAX_DECOMPRESSED_SIZE_MESSAGE) {
+      return new TextEncoder().encode(MAX_DECOMPRESSED_SIZE_MESSAGE);
+    }
     return new TextEncoder().encode(INVALID_COMPRESSED_DATA_MESSAGE);
   }
 }

testdata/gzip-decompression-bomb.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Script to create a gzip decompression bomb for testing
+# Warning: The uncompressed file is 1 GB large!
+
+# Configurable parameters
+OUTPUT_FILE="gzip-decompression-bomb.txt"
+COMPRESSED_FILE="${OUTPUT_FILE}.gz"
+REPEAT_STRING="HAHAHAHAHA"
+REPEAT_COUNT=100000000 # Number of times the string is repeated
+
+# Delete the OUTPUT_FILE and COMPRESSED_FILE if they exist
+[ -f "$OUTPUT_FILE" ] && rm "$OUTPUT_FILE"
+[ -f "$COMPRESSED_FILE" ] && rm "$COMPRESSED_FILE"
+
+# Create a single long line of repetitive data
+printf "%0.s$REPEAT_STRING" $(seq 1 $REPEAT_COUNT) > "$OUTPUT_FILE"
+
+# Compress the file using gzip
+# (gzip removes the uncompressed source by default; brotli doesn't, hence the
+# explicit `rm` in the brotli equivalent.)
+gzip --best "$OUTPUT_FILE"
+
+echo "Created and compressed bomb file: $COMPRESSED_FILE"