
S5042 — Expanding archive files should not be done without controlling resource consumption

Language: VB.NET  |  Type: CODE_SMELL  |  Severity: Major

Tags: cwe, former-hotspot

This rule is deprecated, and will eventually be removed.

Successful Zip Bomb attacks occur when an application expands untrusted archive files without controlling the size of the expanded data, which can lead to denial of service. A Zip bomb is usually a malicious archive file of a few kilobytes of compressed data that expands into gigabytes of uncompressed data. To achieve this extreme compression ratio, attackers compress highly redundant data (e.g. a long string of repeated bytes).

Why is this an issue?

Expanding archive files without controlling the size of the extracted data can lead to denial of service. A Zip bomb is a malicious archive of a few kilobytes of compressed data that expands into gigabytes of uncompressed data by compressing highly repetitive content. Applications that fail to validate the number of entries, total uncompressed size, or compression ratio of an archive are vulnerable to this attack.

What is the potential impact?

Denial of service

An attacker who can supply a malicious archive can exhaust the server’s disk space, memory, or CPU by triggering unbounded decompression. This can make the application completely unavailable to legitimate users and may require manual intervention to recover the affected system.

How to fix it in .NET

Validate the number of entries, total uncompressed size, and compression ratio when extracting archive files.

Code examples

Noncompliant code example

For Each entry As ZipArchiveEntry In archive.Entries
    ' entry.FullName could contain parent directory references ".." and the destinationPath variable could end up outside of the desired path
    Dim destinationPath As String = Path.GetFullPath(Path.Combine(path, entry.FullName))
    entry.ExtractToFile(destinationPath) ' Noncompliant, extracts the entry to a file

    Dim stream As Stream
    stream = entry.Open() ' Noncompliant, the entry is about to be extracted
Next

Compliant solution

Imports System.IO
Imports System.IO.Compression

Module Program
    Const ThresholdRatio As Double = 10
    Const ThresholdSize As Long = 1024L * 1024 * 1024 ' 1 GB
    Const ThresholdEntries As Integer = 10000

    Sub Main()
        Dim TotalSizeArchive As Long, TotalEntryArchive As Integer, TotalEntrySize As Long, Cnt As Integer
        Dim Buffer(1023) As Byte
        Using ZipToOpen As New FileStream("ZipBomb.zip", FileMode.Open), Archive As New ZipArchive(ZipToOpen, ZipArchiveMode.Read)
            For Each Entry As ZipArchiveEntry In Archive.Entries
                Using s As Stream = Entry.Open()
                    TotalEntryArchive += 1
                    TotalEntrySize = 0
                    Do
                        Cnt = s.Read(Buffer, 0, Buffer.Length)
                        TotalEntrySize += Cnt
                        TotalSizeArchive += Cnt
                        If TotalEntrySize / Entry.CompressedLength > ThresholdRatio Then Exit Do ' Ratio between compressed and uncompressed data is highly suspicious, looks like a Zip Bomb attack
                    Loop While Cnt > 0
                End Using
                If TotalSizeArchive > ThresholdSize Then Exit For ' The uncompressed data size is too much for the application's resource capacity
                If TotalEntryArchive > ThresholdEntries Then Exit For ' Too many entries in this archive, can lead to inode exhaustion on the system
            Next
        End Using
    End Sub
End Module
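As an added example (not the rule's own code), the hypothetical SafeExtract helper below applies the same three limits while actually writing the entries to disk, and aborts the whole extraction with an exception on the first violation rather than skipping only the suspicious entry; it also rejects names that resolve outside the destination, the ".." case mentioned in the noncompliant example. Module and constant names are assumptions; directory entries are skipped rather than created.

```vbnet
Imports System
Imports System.IO
Imports System.IO.Compression
Module SafeZip
    ' Hypothetical helper (added example, not SonarSource code): enforces the three
    ' limits the rule describes and aborts the whole extraction on the first violation.
    Private Const MaxEntries As Integer = 10000
    Private Const MaxTotalBytes As Long = 1024L * 1024 * 1024 ' 1 GB
    Private Const MaxRatio As Double = 10
    Public Sub SafeExtract(archivePath As String, destinationDir As String)
        Dim root As String = Path.GetFullPath(destinationDir).TrimEnd(Path.DirectorySeparatorChar)
        Dim totalBytes As Long = 0
        Dim buffer(8191) As Byte
        Using zip As New ZipArchive(File.OpenRead(archivePath), ZipArchiveMode.Read)
            ' Check 1: the entry count comes from the central directory, before any data is inflated.
            If zip.Entries.Count > MaxEntries Then
                Throw New InvalidDataException("Too many entries: " & zip.Entries.Count)
            End If
            For Each entry As ZipArchiveEntry In zip.Entries
                ' Reject names that resolve outside the destination ("..", absolute paths).
                Dim target As String = Path.GetFullPath(Path.Combine(root, entry.FullName))
                If Not target.StartsWith(root & Path.DirectorySeparatorChar, StringComparison.Ordinal) Then
                    Throw New InvalidDataException("Entry escapes destination: " & entry.FullName)
                End If
                If entry.FullName.EndsWith("/") Then Continue For ' directory entry, nothing to inflate
                Directory.CreateDirectory(Path.GetDirectoryName(target))
                ' Count bytes actually inflated: the declared entry.Length can be forged, so the counters decide.
                Dim entryBytes As Long = 0
                Using src As Stream = entry.Open(), dst As New FileStream(target, FileMode.CreateNew)
                    Dim n As Integer = src.Read(buffer, 0, buffer.Length)
                    Do While n > 0
                        entryBytes += n
                        totalBytes += n
                        ' Check 2: total uncompressed volume across all entries.
                        If totalBytes > MaxTotalBytes Then
                            Throw New InvalidDataException("Archive exceeds " & MaxTotalBytes & " bytes")
                        End If
                        ' Check 3: per-entry ratio; Math.Max guards against a zero CompressedLength.
                        If entryBytes > MaxRatio * Math.Max(entry.CompressedLength, 1L) Then
                            Throw New InvalidDataException("Suspicious ratio in " & entry.FullName)
                        End If
                        dst.Write(buffer, 0, n)
                        n = src.Read(buffer, 0, buffer.Length)
                    Loop
                End Using
            Next
        End Using
    End Sub
End Module
```

A partially written file remains on disk when an exception is thrown; callers should extract into a fresh temporary directory and delete it on failure.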
