Validate entry sizes when extracting #403
Update (2019-09-25): Assigned CVE-2019-16892
To extract zip files safely:
Fix #193 ("Protection Against Zip Bombs")
Currently there is no way to safely check how much data the
This can lead to denial of service through disk exhaustion if the input is a zip bomb.
The approach taken here is based on the
The "much" in "much more" above is because rubyzip writes the data in chunks (currently 32KiB), and it may write up to one chunk more than expected, but that should be negligible, and there will be an error that signals that rubyzip wrote more data than expected.
Zip files with incorrectly reported uncompressed sizes that worked before will now fail with a
Zip.validate_entry_sizes = false
EDIT: Following discussion below,
I have updated the README to say that the caller should be checking the size before extracting. I also reorganised some of the options, since there are now quite a few.
It probably merits at least a minor version bump.
Thanks to the GE Digital Cyber Security Team for providing a proof of concept, which was the basis for the test case.
Thanks to @thejoshwolfe for providing (I think) a good example of how to handle this, in
I think this looks OK too.
Minor question though: There looks to be changes unrelated to this PR in the README. Headers and text moved around.
Also, it should definitely have a minor version bump, but maybe it should be a major bump. Do we have a feel for how much code out there might suddenly start failing unexpectedly? One strategy might be to release it as a minor bump with
Thanks both for the quick turnaround!
Could you elaborate on what you have in mind here? At the moment it will throw an error if the file's reported uncompressed size is incorrect.
I reorganised the README for other options, because I thought the list was getting too long as I added yet another one. The content of the sections about the existing options should all be unchanged.
Nothing very precise... but I have been using the
Your suggestion of defaulting
Sorry to be a pain. Could we use
(I realise that there are other parts of the library code that use
Right... that would be better, but unfortunately I used
unning bundle-audit to check for insecure dependencies... Updating ruby-advisory-db ... From https://github.com/rubysec/ruby-advisory-db * branch master -> FETCH_HEAD Already up to date. Updated ruby-advisory-db ruby-advisory-db: 406 advisories Name: rubyzip Version: 1.2.3 Advisory: CVE-2019-16892 Criticality: Unknown URL: rubyzip/rubyzip#403 Title: Denial of Service in rubyzip ("zip bombs") Solution: upgrade to >= 1.3.0 Vulnerabilities found! Failed. Security vulnerabilities were found.