Python: Add modelling for zstd.compression #21002
See https://docs.python.org/3/library/compression.zstd.html for information about this library. As far as I can tell, the `zstd` library is not vulnerable to things like ZipSlip, but it _could_ be vulnerable to a decompression bomb attack, so I extended those models accordingly.
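As an added example (not code from the PR or from the CodeQL query), here is the read-mode pattern the query flags beside a bounded reader. `compression.zstd` exists only on Python 3.14+, so the block falls back to `gzip`, which the same query already models, on older interpreters; the helper names (`open_stream`, `read_bounded`, `bounded_read`, `DecompressionLimitExceeded`) and the sample blobs are constructed for this example.

```python
import io

try:  # Python 3.14+: the library modelled by this PR
    from compression.zstd import ZstdFile, compress

    def open_stream(blob: bytes):
        return ZstdFile(io.BytesIO(blob), "rb")
except ImportError:  # older interpreters: gzip has the same read() API
    from gzip import GzipFile, compress

    def open_stream(blob: bytes):
        return GzipFile(fileobj=io.BytesIO(blob), mode="rb")


class DecompressionLimitExceeded(ValueError):
    """Raised when decompressed output would exceed the configured cap."""


def unbounded_read(blob: bytes) -> bytes:
    # The sink pattern the query flags: read() with no size limit on a
    # read-mode compressed file. The output size is chosen by the input.
    with open_stream(blob) as f:
        return f.read()


def read_bounded(stream, max_bytes: int, chunk_size: int = 64 * 1024) -> bytes:
    # Pull decompressed bytes in chunks and stop as soon as the cap is crossed,
    # so a bomb costs at most max_bytes + 1 bytes of memory before we bail out.
    out = bytearray()
    while True:
        want = min(chunk_size, max_bytes - len(out) + 1)
        piece = stream.read(want)
        if not piece:
            return bytes(out)
        out += piece
        if len(out) > max_bytes:
            raise DecompressionLimitExceeded(
                f"decompressed output exceeds {max_bytes} bytes")


def bounded_read(blob: bytes, max_bytes: int) -> bytes:
    with open_stream(blob) as f:
        return read_bounded(f, max_bytes)


# Constructed sample inputs: a few KiB of compressed zeros that expand to
# 4 MiB stand in for a bomb; a short text blob is a benign payload.
BOMB = compress(b"\0" * (4 * 1024 * 1024))
BENIGN = compress(b"hello, zstd")
```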
Pull request overview
This PR adds modeling support for Python 3.14's new compression.zstd library to detect potential decompression bomb vulnerabilities. The implementation follows the established pattern used for other compression libraries like gzip, bz2, and lzma.
- Extends the decompression bomb detection to include `zstd.open()` and `zstd.ZstdFile()` calls when used in read mode
- Adds test cases to verify the new detection capability
- Updates auto-generated expected test results
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| python/ql/test/experimental/query-tests/Security/CWE-409/test.py | Adds test cases for zstd.open() and zstd.ZstdFile() decompression bomb vulnerabilities |
| python/ql/test/experimental/query-tests/Security/CWE-409/DecompressionBombs.expected | Updates auto-generated expected test results with new test case line numbers |
| python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll | Implements the Zstd module with decompression sink detection logic for Python 3.14+ |
| python/ql/lib/change-notes/2025-12-09-add-modelling-of-zstd-compression.md | Documents the addition of compression.zstd library support |
yoff
left a comment
One variable name looks off. Nice approach with making space for the test, seems easy to implement. If the PR diff display were better at highlighting changed characters (rather than only changed lines), it would be super easy to verify that only line numbers changed.
Review comment on python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll (outdated, resolved)
Co-authored-by: yoff <yoff@github.com>