archive/zip: provide API for resource limits #33036
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Security
Milestone
Zip unpacking can generate outputs thousands of times larger than the input. We should provide a security API that lets callers limit the resources that can be spent for unpacking untrusted archives.
It might be enough to limit the output size, if CPU and memory are always dependent on it.
See https://www.bamsoftware.com/hacks/zipbomb/ and #33026
The text was updated successfully, but these errors were encountered: