
Expanding archive files without controlling resource consumption is security-sensitive

    Details

    • Message:
      Make sure that expanding this archive file is safe here.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      TypeScript
    • Covered Languages:
      C#, C, C++, Java, JavaScript, Objective-C, PHP, Python, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      10min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • CERT:
      IDS04-J.
    • CWE:
      CWE-409
    • OWASP:
      A5, A6

      Description

      Successful Zip Bomb attacks occur when an application expands untrusted archive files without controlling the size of the expanded data, which can lead to denial of service. A Zip bomb is usually a malicious archive of a few kilobytes of compressed data that expands into gigabytes of uncompressed data. To achieve this extreme compression ratio, attackers compress irrelevant, highly redundant data (e.g. a long string of repeated bytes).

      Ask Yourself Whether

      Archives to expand are untrusted and:

      • There is no validation of the number of entries in the archive.
      • There is no validation of the total size of the uncompressed data.
      • There is no validation of the ratio between the compressed and uncompressed archive entry.

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • Define and control the ratio between compressed and uncompressed data; in general, the compression ratio of most legitimate archives is between 1:1 and 1:3.
      • Define and control a threshold for the maximum total size of the uncompressed data.
      • Count the file entries extracted from the archive and abort the extraction if their number exceeds a predefined threshold. In particular, do not recursively expand archives: an entry of an archive can itself be an archive.
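      The three controls above applied together in Python (one of the covered languages), as an added example that is not part of this rule page or of SonarSource's code. The thresholds, the UnsafeArchive exception and the helper names are assumptions for the demonstration; the archives it reads are constructed in memory.

```python
import io
import zipfile

MAX_ENTRIES = 100              # thresholds are assumptions for this demo, not rule values
MAX_TOTAL = 10 * 1024 * 1024   # 10 MiB of uncompressed data across the whole archive
MAX_RATIO = 10.0               # uncompressed/compressed; legitimate data is about 1:3

class UnsafeArchive(Exception):
    """Raised when an archive trips one of the zip-bomb controls."""

def safe_extract(data, max_entries=MAX_ENTRIES, max_total=MAX_TOTAL, max_ratio=MAX_RATIO):
    """Expand an in-memory zip into {name: bytes}, enforcing entry count, per-entry ratio
    and total size; declared sizes are checked, then bytes are counted while streaming."""
    out, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        if len(infos) > max_entries:
            raise UnsafeArchive(f"too many entries: {len(infos)}")
        for info in infos:
            if info.filename.lower().endswith(".zip"):   # no recursive expansion
                raise UnsafeArchive(f"nested archive: {info.filename}")
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise UnsafeArchive(f"suspicious ratio for {info.filename}")
            if total + info.file_size > max_total:
                raise UnsafeArchive("declared uncompressed size exceeds limit")
            chunks = []
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(64 * 1024), b""):
                    total += len(chunk)           # trust bytes read, not only the header
                    if total > max_total:
                        raise UnsafeArchive("uncompressed data exceeds limit")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out

def is_rejected(data, **limits):
    """True if safe_extract refuses the archive under the given limits."""
    try:
        safe_extract(data, **limits)
        return False
    except UnsafeArchive:
        return True

def make_zip(entries):
    """Build a constructed sample archive (deflate) for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```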

          Issue Links

          1. Java RSPEC-5043 (Language-Specification, Active, Unassigned)
          2. C# RSPEC-5044 (Language-Specification, Active, Unassigned)
          3. VB.NET RSPEC-5046 (Language-Specification, Active, Unassigned)
          4. Python RSPEC-5598 (Language-Specification, Active, Unassigned)
          5. C-Family RSPEC-6062 (Language-Specification, Active, Unassigned)
          6. PHP RSPEC-6072 (Language-Specification, Active, Unassigned)
          7. JavaScript RSPEC-6097 (Language-Specification, Active, Unassigned)

              People

              Assignee: Unassigned
              Reporter: Alexandre Gigleux (alexandre.gigleux)
              Votes: 0
              Watchers: 4
