trace_b4c939fac1b44e05bec1d952f00c0f15

This source file has a known vulnerability sink in it. Traverse the codebase and report the vulnerability. You can report multiple vulnerabilities. Start from `internal/s3select/csv/reader.go` and trace how S3 Select processes attacker-controlled CSV object data into `nextSplit()`. Report the grounded source-to-sink path, identify the unbounded newline-scanning read, and explain why a newline-free record can exhaust memory and crash the server.

{
  "executiveSummary": "The S3 Select CSV reader in MinIO contains an unbounded line-read vulnerability in its nextSplit() function. When processing S3 Select requests against CSV-formatted objects, the reader scans input byte-by-byte for a newline character (\\n) to delimit records. Because there is no maximum size limit on the buffered line, an attacker-controlled CSV object containing a record without any newline character can cause the reader to buffer an arbitrarily large amount of data in memory, exhausting available memory and crashing the server. This is a denial-of-service vulnerability triggered through the S3 Select API endpoint by uploading a specially crafted CSV object and then issuing a SelectObjectContent request against it.",
  "reports": [
    {
      "title": "Unbounded line-read in S3 Select CSV nextSplit() causes OOM crash",
      "severity": "HIGH",
      "summary": "The CSV reader used by S3 Select's nextSplit() function reads input into a buffer scanning for a newline character (\\n) without enforcing any maximum line/record size limit. An attacker can upload a CSV object with a single record containing gigabytes of data and no newline, then issue a SelectObjectContent request. The nextSplit() function will buffer the entire record in memory, leading to excessive memory allocation, OOM, and server crash.",
      "rootCauseAnalysis": "The nextSplit() function in the S3 Select CSV reader iterates over the input byte-by-byte looking for a \\n delimiter. When no newline is found, it continues reading and appending to an internal buffer until the input stream is exhausted. There is no cap on how much data can be accumulated for a single record. The Go standard library's bufio.Scanner and similar utilities typically impose a MaxScanTokenSize (default 64KB) to prevent this class of vulnerability, but the custom CSV line-splitting logic here bypasses that protection entirely.",
      "impact": "Denial of service via OOM kill. A remote attacker with permission to upload objects and issue S3 Select queries can craft a CSV object with a newline-free record of arbitrary size. When that object is queried via SelectObjectContent, the server will attempt to buffer the entire record in memory, causing the process to be OOM-killed by the OS, taking down the MinIO server instance and disrupting all tenants.",
      "attackPath": "1. Attacker uploads a CSV object to a bucket containing a single record with no newline character (e.g., megabytes/gigabytes of data followed by EOF instead of \\n).\n2. Attacker issues an S3 SelectObjectContent request targeting that object with CSV input serialization.\n3. The S3 Select handler dispatches the request to the CSV reader.\n4. The CSV reader calls nextSplit() which reads the entire record into memory without size limit.\n5. Memory is exhausted and the server process is killed.",
      "stepsToReproduce": [
        "Upload a large CSV object to a MinIO bucket where the content contains no newline cha