Skip to content

fix: prevent DoS and resource exhaustion attacks #2703

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Danielku15 merged 7 commits into from
May 17, 2026
Merged

fix: prevent DoS and resource exhaustion attacks #2703

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
dc438b3
fix: fail fast when hitting EOF on importers
Danielku15 May 17, 2026
c6a5eb5
fix: add max decoding buffer threshold to importers
Danielku15 May 17, 2026
0d76d06
fix: add loop boundary safety
Danielku15 May 17, 2026
bbc7f5b
test: add corrupt file test coverage
Danielku15 May 17, 2026
2f450e4
refactor: pass max buffer to binarystylesheet
Danielku15 May 17, 2026
dc9de53
build: fix typed array generics
Danielku15 May 17, 2026
3d7d3ba
test: string contains assertions
Danielku15 May 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions packages/alphatab/src/ImporterSettings.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,4 +63,16 @@ export class ImporterSettings {
* ![Disabled](https://alphatab.net/img/reference/property/beattextaslyrics-disabled.png)
*/
public beatTextAsLyrics: boolean = false;

/**
* This setting controls the escape hatch for handling potentially malicous or corrupt
* input files. At selected spots in the codebase, we use this buffer size as maximum
* allowed sizes. e.g. during unzipping or decoding strings.
* This prevents resource exhaustion, especially when alphaTab is used on server side.
* Increase this buffer size if you need to handle very big files.
* @defaultValue `128000000`
* @category Core
* @since 1.9.0
*/
public maxDecodingBufferSize: number = 128000000;
}
11 changes: 11 additions & 0 deletions packages/alphatab/src/generated/ImporterSettingsJson.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,4 +67,15 @@ export interface ImporterSettingsJson {
* ![Disabled](https://alphatab.net/img/reference/property/beattextaslyrics-disabled.png)
*/
beatTextAsLyrics?: boolean;
/**
* This setting controls the escape hatch for handling potentially malicous or corrupt
* input files. At selected spots in the codebase, we use this buffer size as maximum
* allowed sizes. e.g. during unzipping or decoding strings.
* This prevents resource exhaustion, especially when alphaTab is used on server side.
* Increase this buffer size if you need to handle very big files.
* @defaultValue `128000000`
* @category Core
* @since 1.9.0
*/
maxDecodingBufferSize?: number;
}
4 changes: 4 additions & 0 deletions packages/alphatab/src/generated/ImporterSettingsSerializer.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ export class ImporterSettingsSerializer {
o.set("encoding", obj.encoding);
o.set("mergepartgroupsinmusicxml", obj.mergePartGroupsInMusicXml);
o.set("beattextaslyrics", obj.beatTextAsLyrics);
o.set("maxdecodingbuffersize", obj.maxDecodingBufferSize);
return o;
}
public static setProperty(obj: ImporterSettings, property: string, v: unknown): boolean {
Expand All @@ -36,6 +37,9 @@ export class ImporterSettingsSerializer {
case "beattextaslyrics":
obj.beatTextAsLyrics = v! as boolean;
return true;
case "maxdecodingbuffersize":
obj.maxDecodingBufferSize = v! as number;
return true;
}
return false;
}
Expand Down
10 changes: 5 additions & 5 deletions packages/alphatab/src/importer/BinaryStylesheet.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,18 +76,18 @@ export class BinaryStylesheet {
private readonly _types: Map<string, DataType> = new Map();
public readonly raw: Map<string, unknown> = new Map();

public constructor(data?: Uint8Array) {
public constructor(data?: Uint8Array, maxDecodingBufferSize: number = 0) {
if (data) {
this._read(data);
this._read(data, maxDecodingBufferSize);
}
}

private _read(data: Uint8Array) {
private _read(data: Uint8Array, maxDecodingBufferSize: number) {
// BinaryStylesheet apears to be big-endien
const readable: ByteBuffer = ByteBuffer.fromBuffer(data);
const entryCount: number = IOHelper.readInt32BE(readable);
for (let i: number = 0; i < entryCount; i++) {
const key: string = GpBinaryHelpers.gpReadString(readable, readable.readByte(), 'utf-8');
const key: string = GpBinaryHelpers.gpReadString(readable, readable.readByte(), 'utf-8', maxDecodingBufferSize);
const type: DataType = readable.readByte() as DataType;
this._types.set(key, type);
switch (type) {
Expand All @@ -104,7 +104,7 @@ export class BinaryStylesheet {
this.addValue(key, fvalue);
break;
case DataType.String:
const s: string = GpBinaryHelpers.gpReadString(readable, IOHelper.readInt16BE(readable), 'utf-8');
const s: string = GpBinaryHelpers.gpReadString(readable, IOHelper.readInt16BE(readable), 'utf-8', maxDecodingBufferSize);
this.addValue(key, s);
break;
case DataType.Point:
Expand Down
2 changes: 1 addition & 1 deletion packages/alphatab/src/importer/CapellaImporter.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ export class CapellaImporter extends ScoreImporter {

public readScore(): Score {
Logger.debug(this.name, 'Loading ZIP entries');
const fileSystem: ZipReader = new ZipReader(this.data);
const fileSystem: ZipReader = new ZipReader(this.data, this.settings.importer.maxDecodingBufferSize);
let entries: ZipEntry[];
let xml: string | null = null;
entries = fileSystem.read();
Expand Down
Loading
Loading