--- tags: - security - proof-of-concept - protobuf license: mit --- # Protocol Buffers SourceCodeInfo location materialization DoS PoC This repository contains a benign security research PoC for a `.pb` artifact that drives repeated-message materialization during `descriptor_pb2.SourceCodeInfo.ParseFromString(...)`. Files: - `control_one_location.pb` - `malicious_location_5000000.pb` - `reproduce.py` Observed behavior: - control artifact: - parses successfully with one `location` entry - malicious artifact: - parses successfully with `5,000,000` `location` entries - materially increases peak RSS during normal parse Tested runtime: ```bash python3 -m pip install protobuf==7.35.1 ``` Public reproduction: ```bash curl -L -O https://huggingface.co/hacnho/protobuf-sourcecodeinfo-location-dos-poc/resolve/main/control_one_location.pb curl -L -O https://huggingface.co/hacnho/protobuf-sourcecodeinfo-location-dos-poc/resolve/main/malicious_location_5000000.pb curl -L -O https://huggingface.co/hacnho/protobuf-sourcecodeinfo-location-dos-poc/resolve/main/reproduce.py python3 reproduce.py --control control_one_location.pb --malicious malicious_location_5000000.pb ``` Public files: - `https://huggingface.co/hacnho/protobuf-sourcecodeinfo-location-dos-poc/resolve/main/control_one_location.pb` - `https://huggingface.co/hacnho/protobuf-sourcecodeinfo-location-dos-poc/resolve/main/malicious_location_5000000.pb` - `https://huggingface.co/hacnho/protobuf-sourcecodeinfo-location-dos-poc/resolve/main/reproduce.py`