-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Zip bomb prevention? #13
Comments
|
Unfortunately that field cannot be trusted as it can be forged by an On Mon, Apr 27, 2015 at 8:42 PM Josh Wolfe notifications@github.com wrote:
|
Hm. I think you're right. One thing you can do without patching any modules is to unpipe the stream, and repipe it to a null sink. This allows all the bytes to flow from yauzl and zlib without either of them suspecting anything is wrong. This will surely avoid any annoying stream errors in yauzl and zlib, but it's not ideal for CPU and memory usage. (I've actually never tried to use Another idea is for yauzl to count the bytes flowing out of zlib and make sure it matches the |
Thanks for the ideas! I did experiment with re-piping, but as you said, it will consume a lot of CPU and memory while shoveling away all the unneeded bits and therefore causing a sort of denial-of-service. The second suggestion sounds great! (Although I'm guessing you'll then run into the zlib bug mentioned in the sample code..) |
I'm having trouble reproducing this zlib crash. I'm using node v0.10.37:
I want to make sure the zlib crash isn't a problem with the solution I'm writing for this issue. I actually have a test case already that provokes a zlib error by trying to decompress corrupted data:
Does |
With the release version of yauzl, variable (To me it seems that calling the |
If it is of any help, here's an updated reproduction sample with invalid uncompressed sizes: https://github.com/timotm/node-zip-bomb/tree/invalid_size |
oh. uh. right. my bad. I was using some local modifications. I can reproduce the zlib crash now. I'm hoping there's a "correct" way to interrupt the zlib stream and suppress any errors due to the force close. I'll keep investigating. |
So it looks like all you need to do is emit an error on one of the streams in the pipe, and all the streams shut down cleanly. |
Hi,
How is one supposed to abort processing of zip entry / file while processing entries?
Some background: I want to prevent a zip bomb from hogging CPU/memory resources, and would like to check for actual, cumulative uncompressed size while uncompressing an entry. For that, I implemented my own Writable stream which raises an error (through callback) when it gets too much data. I then catch this error and currently I call
.close()
for the readStream I got in yauzl'sentry
callback.However, this seems to trigger a bug in node's zlib implementation (I tried both 0.10.28 and 0.12.2) and aborts the execution:
While I theoretically could patch my way around this, I naturally wouldn't want to fork both zlib.js and your library. So can I abort the processing of an entry / entire zip file by some other way cleanly, without any excessive CPU or memory usage?
Full sample code available at https://github.com/timotm/node-zip-bomb
The text was updated successfully, but these errors were encountered: