Expanding archive files without controlling resource consumption is security-sensitive

Successful Zip Bomb attacks occur when an application expands untrusted archive files without controlling the size of the expanded data, which can lead to denial of service. A Zip bomb is usually a malicious archive file of a few kilobytes of compressed data but turned into gigabytes of uncompressed data. To achieve this extreme compression ratio, attackers will compress irrelevant data (eg: a long string of repeated bytes).

Ask Yourself Whether

Archives to expand are untrusted and:

• There is no validation of the number of entries in the archive.
• There is no validation of the total size of the uncompressed data.
• There is no validation of the ratio between the compressed and uncompressed archive entry.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

• Define and control the ratio between compressed and uncompressed data, in general the data compression ratio for most of the legit archives is 1 to 3.
• Define and control the threshold for maximum total size of the uncompressed data.
• Count the number of file entries extracted from the archive and abort the extraction if their number is greater than a predefined threshold, in particular it's not recommended to recursively expand archives (an entry of an archive could be also an archive).

See

• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• MITRE, CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
• CERT, IDS04-J. - Safely extract files from ZipInputStream
• bamsoftware.com - A better Zip Bomb