| tags: | |
| - security | |
| - proof-of-concept | |
| - protobuf | |
| license: mit | |
| # Protocol Buffers Api methods materialization DoS PoC | |
| This repository contains a benign security research PoC for a `.pb` artifact | |
| that drives repeated-message materialization during | |
| `api_pb2.Api.ParseFromString(...)`. | |
| Files: | |
| - `control_one_name.pb` | |
| - `malicious_methods_5000000.pb` | |
| - `reproduce.py` | |
| Observed behavior: | |
| - control artifact: | |
| - parses successfully with no `methods` entries | |
| - malicious artifact: | |
| - parses successfully with `5,000,000` `methods` entries | |
| - materially increases peak RSS during normal parse | |
| Tested runtime: | |
| ```bash | |
| python3 -m pip install protobuf==7.35.1 | |
| ``` | |