Details
- Type: Security Hotspot Detection
- Status: Active
- Resolution: Unresolved
- Message: Make sure that expanding this archive file is safe here.
- Default Severity: Critical
- Impact: High
- Likelihood: Low
- Default Quality Profiles: Sonar way
- Targeted languages: TypeScript
- Covered Languages: C#, C, C++, Java, JavaScript, Objective-C, PHP, Python, VB.Net
- Remediation Function: Constant/Issue
- Constant Cost: 10min
- Analysis Level: Semantic Analysis
- Analysis Scope: Main Sources
- CERT: IDS04-J.
- CWE: CWE-409
- OWASP: A5, A6
Description
A Zip Bomb attack succeeds when an application expands an untrusted archive without controlling the size of the expanded data, which can lead to denial of service. A Zip bomb is typically a malicious archive of a few kilobytes of compressed data that expands into gigabytes of uncompressed data. To achieve this extreme compression ratio, attackers compress highly redundant data (e.g. a long string of repeated bytes).
Ask Yourself Whether
Archives to expand are untrusted and:
- There is no validation of the number of entries in the archive.
- There is no validation of the total size of the uncompressed data.
- There is no validation of the ratio between the compressed and uncompressed archive entry.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- Define and control the ratio between compressed and uncompressed data; in general, the compression ratio of most legitimate archives is between 1 and 3.
- Define and control a threshold for the maximum total size of the uncompressed data.
- Count the file entries extracted from the archive and abort the extraction if their number exceeds a predefined threshold. In particular, do not expand archives recursively (an entry of an archive may itself be an archive).
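The three controls above, applied together, as an added example that is not part of the rule specification: the limits, the archive suffixes treated as nested archives and the constructed sample archives are assumptions for this demonstration. Sizes are enforced on the bytes actually decompressed rather than on header fields, which the archive's author controls.

```python
import io
import zipfile
# Limits are assumptions for this demonstration; tune them per application.
ARCHIVE_SUFFIXES = (".zip", ".jar", ".tar", ".gz", ".7z")
CHUNK = 64 * 1024

class UnsafeArchive(Exception):
    """Raised when expanding the archive would break one of the limits."""

def safe_expand(data, max_entries=100, max_total=64 * 1024 * 1024, max_ratio=10):
    """Decompress entries in chunks; limits apply to bytes actually produced, not header fields."""
    total = entries = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entries += 1
            if entries > max_entries:
                raise UnsafeArchive(f"more than {max_entries} entries")
            # Never expand recursively: a nested archive is rejected outright.
            if info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                raise UnsafeArchive(f"nested archive not expanded: {info.filename}")
            produced = 0
            with zf.open(info) as src:
                while chunk := src.read(CHUNK):  # a real extractor writes chunk out here
                    produced += len(chunk)
                    total += len(chunk)
                    if total > max_total:
                        raise UnsafeArchive(f"total uncompressed size exceeds {max_total} bytes")
                    if info.compress_size and produced / info.compress_size > max_ratio:
                        raise UnsafeArchive(f"ratio of {info.filename} exceeds {max_ratio}")
    return {"entries": entries, "uncompressed_bytes": total}

def expansion_violation(data, **limits):
    """Return the rejection reason, or None when the archive passes every check."""
    try:
        safe_expand(data, **limits)
    except UnsafeArchive as exc:
        return str(exc)
    return None

def build_zip(entries):
    """Constructed in-memory archive for the demonstration (not from the page)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

BENIGN = build_zip({"notes.txt": b"Quarterly summary: revenue up 4 percent.\n", "t.csv": b"a,b\n1,2\n"})
# 4 MiB of one repeated byte deflates to a few KiB: the pattern the description names.
BOMB_LIKE = build_zip({"big.bin": b"\0" * (4 * 1024 * 1024)})
```

The ratio check fires on the first chunk of the repeated-byte entry, long before its full 4 MiB is produced, so the rejection cost is bounded by `CHUNK` rather than by the attacker's chosen size.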
See
- OWASP Top 10 2017 Category A6 - Security Misconfiguration
- MITRE, CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
- CERT, IDS04-J. - Safely extract files from ZipInputStream
- bamsoftware.com - A better Zip Bomb
Issue Links
- is implemented by:
  - CPP-2756 Rule S5042: Expanding archive files is security-sensitive (Closed)
  - SONARJAVA-2969 Rule S5042 Expanding archive files is security-sensitive (Closed)
  - SONARPHP-1103 Rule S5042: Expanding archive files is security-sensitive (Closed)
  - SONARPY-495 Rule S5042: Expanding archive files is security-sensitive (Closed)
  - SONARPY-792 Rule S5042 should raise on tarfile.extractall and not tarfile.open (Open)
  - SONARJAVA-3532 S5042 should focus on zipbomb attacks (Closed)
- links to:
  1. Java | RSPEC-5043 | Active | Unassigned
  2. C# | RSPEC-5044 | Active | Unassigned
  3. VB.NET | RSPEC-5046 | Active | Unassigned
  4. Python | RSPEC-5598 | Active | Unassigned
  5. C-Family | RSPEC-6062 | Active | Unassigned
  6. PHP | RSPEC-6072 | Active | Unassigned
  7. JavaScript | RSPEC-6097 | Active | Unassigned