Interesting. Not sure if a lib at such a level should have the necessary logic for such attacks. If a system is dealing with zip archives from untrusted sources then I would put the validation there.
Also the example shows that we should limit the zip entry sizes to 100 MB or some other arbitrary number. Not sure if we can find a great constant for such a thing.
If a user has such a use case then they can use the iterate method and uncompress only if their validation passes. See the Iterate example.
Zip bombs are small zip files that can uncompress to huge files to create denial of service attacks.
zt-zip does not seem to offer the protection which is described in:
http://cwe.mitre.org/data/definitions/409.html
https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream
This would be nice to have.
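As an added example (not part of this issue thread and not zt-zip project code), here is the kind of bounded extraction that CWE-409 and IDS04-J describe, written against the JDK's `java.util.zip.ZipInputStream` so it needs no extra dependency. It does what the reply above suggests: validate while iterating and only write out what passes. The limits (`maxEntryBytes`, `maxTotalBytes`, `maxEntries`) are hypothetical and must be tuned per application; the key point is that bytes are counted as they are inflated rather than trusted from `ZipEntry.getSize()`, which the archive (i.e. the attacker) controls. The `main` builds a constructed in-memory archive of 5 MB of zeros, which deflates to a few KB, and shows a 1 MB per-entry cap rejecting it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Added example, not zt-zip code: extraction with per-entry, total-size, entry-count and path checks. */
public final class SafeZipReader {
    private final long maxEntryBytes;   // hypothetical cap on inflated bytes for one entry
    private final long maxTotalBytes;   // hypothetical cap on inflated bytes for the whole archive
    private final int maxEntries;       // hypothetical cap on number of entries

    public SafeZipReader(long maxEntryBytes, long maxTotalBytes, int maxEntries) {
        this.maxEntryBytes = maxEntryBytes;
        this.maxTotalBytes = maxTotalBytes;
        this.maxEntries = maxEntries;
    }

    public void extract(InputStream zipBytes, Path destDir) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        long total = 0;
        int entries = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zin = new ZipInputStream(zipBytes)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                if (++entries > maxEntries) {
                    throw new IOException("too many entries (> " + maxEntries + ")");
                }
                // Path traversal check (also part of IDS04-J): the resolved target must stay under destDir.
                Path target = root.resolve(entry.getName()).normalize();
                if (!target.startsWith(root)) {
                    throw new IOException("entry escapes destination: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                // Count bytes as they come out of the inflater; entry.getSize() is attacker-controlled metadata.
                long written = 0;
                try (OutputStream out = Files.newOutputStream(target)) {
                    int n;
                    while ((n = zin.read(buf)) != -1) {
                        written += n;
                        total += n;
                        if (written > maxEntryBytes) {
                            throw new IOException("entry " + entry.getName() + " exceeds " + maxEntryBytes + " bytes");
                        }
                        if (total > maxTotalBytes) {
                            throw new IOException("archive exceeds " + maxTotalBytes + " total bytes");
                        }
                        out.write(buf, 0, n);
                    }
                }
                zin.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: a single entry of 5 MB of zeros, which deflates to only a few KB.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            zout.putNextEntry(new ZipEntry("zeros.bin"));
            byte[] zeros = new byte[1 << 20];
            for (int i = 0; i < 5; i++) {
                zout.write(zeros);
            }
            zout.closeEntry();
        }
        byte[] archive = bos.toByteArray();
        Path dest = Files.createTempDirectory("safezip");

        // A 1 MB per-entry cap rejects the entry even though the archive on disk is tiny.
        SafeZipReader strict = new SafeZipReader(1L << 20, 1L << 30, 100);
        try {
            strict.extract(new ByteArrayInputStream(archive), dest);
            System.out.println("unexpected: archive accepted");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage() + " (archive was " + archive.length + " bytes)");
        }
    }
}
```

If you stay on zt-zip, the same counting loop can live inside the callback passed to its iterate method, reading from the entry's `InputStream` and aborting once a limit is crossed; the important part is that no size reported by the archive is trusted before the data has actually been inflated.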