Language: VB.NET | Type: CODE_SMELL | Severity: Major
Tags: cwe, former-hotspot
This rule is deprecated, and will eventually be removed.
Expanding archive files without controlling the size of the extracted data can lead to denial of service. A Zip bomb is a malicious archive of a few kilobytes of compressed data that expands into gigabytes of uncompressed data; the extreme compression ratio is achieved by compressing highly repetitive content (e.g. a long string of repeated bytes). Applications that fail to validate the number of entries, total uncompressed size, or compression ratio of an archive are vulnerable to this attack.
An attacker who can supply a malicious archive can exhaust the server’s disk space, memory, or CPU by triggering unbounded decompression. This can make the application completely unavailable to legitimate users and may require manual intervention to recover the affected system.
Validate the number of entries, total uncompressed size, and compression ratio when extracting archive files.
Noncompliant code example:

For Each entry As ZipArchiveEntry In archive.Entries
    ' entry.FullName could contain parent directory references ".." and the destinationPath variable could become outside of the desired path
    Dim destinationPath As String = Path.GetFullPath(Path.Combine(path, entry.FullName))
    entry.ExtractToFile(destinationPath) ' Noncompliant, extracts the entry to a file without any size, ratio or entry-count limit
    Dim stream As Stream
    stream = entry.Open() ' Noncompliant, the entry is about to be extracted
Next
Compliant solution:

Const ThresholdRatio As Double = 10
Const ThresholdSize As Long = 1024L * 1024 * 1024 ' 1 GB
Const ThresholdEntries As Integer = 10000
Dim TotalSizeArchive As Long, TotalEntryArchive As Integer, TotalEntrySize As Long, Cnt As Integer
Dim Buffer(1023) As Byte
Using ZipToOpen As New FileStream("ZipBomb.zip", FileMode.Open), Archive As New ZipArchive(ZipToOpen, ZipArchiveMode.Read)
    For Each Entry As ZipArchiveEntry In Archive.Entries
        Using s As Stream = Entry.Open()
            TotalEntryArchive += 1
            TotalEntrySize = 0
            Do
                Cnt = s.Read(Buffer, 0, Buffer.Length)
                TotalEntrySize += Cnt
                TotalSizeArchive += Cnt
                ' The uncompressed size is counted while streaming rather than taken from the entry header, which an attacker controls
                If TotalEntrySize / Entry.CompressedLength > ThresholdRatio Then Exit Do ' Ratio between compressed and uncompressed data is highly suspicious, looks like a Zip Bomb attack
            Loop While Cnt > 0
        End Using
        If TotalSizeArchive > ThresholdSize Then Exit For ' The uncompressed data size is too much for the application resource capacity
        If TotalEntryArchive > ThresholdEntries Then Exit For ' Too many entries in this archive, can lead to inode exhaustion of the system
    Next
End Using
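The same three checks as the compliant solution above (per-entry compression ratio, total uncompressed size, entry count), ported to Python's zipfile module so they can be exercised against constructed in-memory archives. This is an added example, not code from the rule page; check_archive and build_zip are names chosen here.

```python
import io
import zipfile

THRESHOLD_RATIO = 10                  # same thresholds as the VB.NET compliant solution
THRESHOLD_SIZE = 1024 * 1024 * 1024   # 1 GB of total uncompressed data
THRESHOLD_ENTRIES = 10000
CHUNK = 1024                          # read in 1 KiB blocks, like the 1024-byte Buffer above


def check_archive(data, ratio=THRESHOLD_RATIO, max_size=THRESHOLD_SIZE,
                  max_entries=THRESHOLD_ENTRIES):
    """Stream every entry and count uncompressed bytes as they are produced.

    The size is measured while inflating, not read from the entry header
    (file_size), because the header is attacker-controlled and may lie.
    Returns "ok", or the name of the first limit exceeded: "ratio",
    "size" or "entries".
    """
    total_size = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for n, info in enumerate(zf.infolist(), start=1):
            if n > max_entries:
                return "entries"          # too many entries (inode exhaustion)
            entry_size = 0
            with zf.open(info) as s:
                while True:
                    chunk = s.read(CHUNK)
                    if not chunk:
                        break
                    entry_size += len(chunk)
                    total_size += len(chunk)
                    # compress_size is 0 for empty entries: guard the division
                    if entry_size / max(info.compress_size, 1) > ratio:
                        return "ratio"    # suspicious compression ratio
                    if total_size > max_size:
                        return "size"     # more data than the app can absorb
    return "ok"


def build_zip(entries):
    """Build a constructed in-memory DEFLATE archive from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign archive and a small bomb-like one (1 MiB of zeros
# deflates to roughly 1 KiB, so the per-entry ratio is far above 10).
BENIGN = build_zip([("readme.txt", b"hello zip")])
BOMBISH = build_zip([("zeros.bin", b"\0" * (1024 * 1024))])
```

The ratio check rejects the bomb-like archive after about ten kilobytes have been inflated, long before the full megabyte is materialised.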