How to detect and avoid zip bombs with this library?

[jlarmstrongiv]

Is support already built in? Will checkSignature ensure that an entry’s size is not larger than expected or is there another way?

I haven’t seen any mentions of zip bomb in this library, but I’d like to double check how to handle it. Thank you!

[jlarmstrongiv]

For example, yauzl has the validateEntrySizes option

[gildas-lormeau]

zip.js does not unzip files recursively. That already reduces the attack surface quite a bit. For example, you can open the zip file provided here: https://github.com/iamtraction/ZOD without crashing your browser with this demo: https://gildas-lormeau.github.io/zip.js/demos/demo-read-file.html.

Can you think of any other types of attack?

[gildas-lormeau]

For the record, 42.zip can also be downloaded here: https://unforgettable.dk/.

I've also done additional tests with the following files and they don't cause particular issues when reading them, i.e. the browser does not crash and the entries can be uncompressed safely.

• https://www.bamsoftware.com/hacks/zipbomb/
• https://github.com/AyrA/ZipBomb
• https://web.archive.org/web/20160130230432/http://www.steike.com/code/useless/zip-file-quine/
• https://research.swtch.com/zip

[jlarmstrongiv]

Thank you for the explanation and examples! Those were the ones I had in mind 👍

Though, is it still possible for a file to lie about the entry sizes? E.g. compressedSize and uncompressedSize

[gildas-lormeau]

It is indeed possible to lie about the uncompressedSize value. However, I have just implemented a fix for this issue. It will be available in the next version.

I don't really see how to test whether compressedSize is valid or not, except by testing for overlapping entries. The problem is that the specification allows for this kind of oddity. However, a program using zip.js could easily verify if there are overlapping entries by checking their offset and compressedSize properties.

[jlarmstrongiv]

Great! I’m very happy to see a fix for uncompressedSize, and that’s the main value I will check against.

While it would be nice if zip.js did the sanity check you described for compressedSize (maybe as an option), you’ve already covered the most important concerns I had.

Thank you very much for your clarifications and bug fixes!

[gildas-lormeau]

I have implemented a new checkOverlappingEntry option (see commit).

If this option is set to true and if Entry#getData() detects that the current entry is overlapping a previous entry on which Entry#getData() has also been called then Entry#getData() will throw an ERR_OVERLAPPING_ENTRY error.

This means that you need to call Entry#getData() on all the entries to be 100% sure there are 0 overlapping entries in a zip file. Because of this, I've also added the option checkOverlappingEntryOnly which validates the entry without touching the compressed data.

There is also some code showing how to use the options:

• https://github.com/gildas-lormeau/zip.js/blob/a576562b33c50f9db141d889be4c73633fe1c22b/tests/all/test-overlapping-entries.js
• https://github.com/gildas-lormeau/zip.js/blob/a576562b33c50f9db141d889be4c73633fe1c22b/tests/all/test-overlapping-entries-only.js

These new options are available in the version v2.7.71.