Skip to content

archive/zip: provide API for resource limits #33036

Open
@FiloSottile

Description

@FiloSottile

Zip unpacking can generate outputs thousands of times larger than the input. We should provide a security API that lets callers limit the resources that can be spent for unpacking untrusted archives.

It might be enough to limit the output size, if CPU and memory are always dependent on it.

See https://www.bamsoftware.com/hacks/zipbomb/ and #33026

Metadata

Metadata

Assignees

No one assigned

    Labels

    NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.Security

    Type

    No type

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions