cluade code review changes

gz/gz.go

@@ -8,8 +8,14 @@ package gz
 import (
 	"bytes"
 	"compress/gzip"
+	"errors"
+	"io"
 )
 
+// MaxDecompressedSize is the maximum allowed size for decompressed data (256MB).
+// This prevents decompression bomb attacks. Override if you need larger outputs.
+var MaxDecompressedSize int64 = 256 << 20
+
 func Zip(data []byte) ([]byte, error) {
 	var b bytes.Buffer
 	gz := gzip.NewWriter(&b)
@@ -37,9 +43,13 @@ func UnZip(data []byte) ([]byte, error) {
 	defer r.Close() // Ensure reader is closed to prevent resource leak
 
 	var resB bytes.Buffer
-	if _, err := resB.ReadFrom(r); err != nil {
+	if _, err := io.Copy(&resB, io.LimitReader(r, MaxDecompressedSize+1)); err != nil {
 		return nil, err
 	}
 
+	if int64(resB.Len()) > MaxDecompressedSize {
+		return nil, errors.New("gz: decompressed data exceeds maximum allowed size")
+	}
+
 	return resB.Bytes(), nil
 }