
So there are two ways of attacking a server that accepts zips.

  1. Zip Slip (with path traversal), so you save stuff outside the zip

  2. You upload a zip bomb, which is incredibly small but huge when uncompressed: https://en.wikipedia.org/wiki/Zip_bomb

So the first one can be avoided by simple checks: https://snyk.io/research/zip-slip-vulnerability#java

But how do I avoid running into the second one?

Count the bytes that I wrote during unzipping and, if there are more than X bytes, cancel?

Alex
  • https://security.stackexchange.com/questions/203206/how-to-protect-websites-against-zip-bombs-and-reference-bombs – Matthew Kerian Jun 25 '19 at 22:56
  • The solution you linked to for dealing with Zip file entry names still has security issues. I'd go as far as suggesting clients should not have any role in choosing file names; at least use a [platform dependent] whitelist like you would everywhere else. If you have to save untrusted data as a file then prepend with some *anti-magic numbers*. – Tom Hawtin - tackline Sep 01 '19 at 12:32
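One way to implement the byte-counting idea from the question, as an added Python example (not code from the question, the comments or the linked Snyk page; the Snyk link points at Java, but the structure carries over): it rejects Zip Slip entry names, uses the sizes declared in the headers only as a cheap first filter, and counts the bytes actually written while streaming, because the header sizes are attacker-controlled and can lie. `safe_extract`, `UnsafeZip`, `make_zip` and `try_extract` are names chosen here, and the archives built by `make_zip` are constructed test input.

```python
import io
import tempfile
import zipfile
from pathlib import Path
CHUNK = 64 * 1024

class UnsafeZip(Exception): pass  # archive rejected; the message names the reason

def safe_extract(zip_bytes: bytes, dest: Path, max_total: int) -> int:
    """Extract into dest; returns bytes written. On UnsafeZip the caller discards dest."""
    dest = dest.resolve()
    written = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        # Header sizes are attacker-controlled: a cheap early filter, not the guarantee.
        declared = sum(i.file_size for i in infos)
        if declared > max_total:
            raise UnsafeZip(f"declared size {declared} exceeds limit {max_total}")
        for info in infos:
            # Zip Slip check: the resolved target must stay inside dest.
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise UnsafeZip(f"path traversal in entry name: {info.filename!r}")
            if info.is_dir():
                continue  # parent directories are created per file below
            target.parent.mkdir(parents=True, exist_ok=True)
            # Count bytes as they are written and stop the moment the cap is passed.
            with zf.open(info) as src, open(target, "wb") as dst:
                while chunk := src.read(CHUNK):
                    written += len(chunk)
                    if written > max_total:
                        raise UnsafeZip(f"uncompressed output exceeded {max_total} bytes")
                    dst.write(chunk)
    return written

def make_zip(entries) -> bytes:
    """Constructed in-memory archive from (name, data) pairs (test input, not a real upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()

def try_extract(zip_bytes: bytes, max_total: int):
    """Extract into a throwaway directory; ('ok', bytes_written) or ('rejected', reason)."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return "ok", safe_extract(zip_bytes, Path(tmp), max_total)
        except UnsafeZip as e:
            return "rejected", str(e)
```

The cap must be enforced on the bytes written, not on the header values, and the partially written directory should be thrown away whenever `UnsafeZip` is raised.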

0 Answers