github
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/BadExample.java
Lines changed: 25 additions & 0 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/BadExample.java
Lines changed: 25 additions & 0 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.qhelp
Lines changed: 38 additions & 0 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.qhelp
Lines changed: 38 additions & 0 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql
Lines changed: 21 additions & 0 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql
Lines changed: 21 additions & 0 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/GoodExample.java
Lines changed: 33 additions & 0 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/GoodExample.java
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,25 @@
+package org.example;
+
+import java.nio.file.StandardCopyOption;
+import java.util.Enumeration;
+import java.io.IOException;
+import java.util.zip.*;
+import java.util.zip.ZipEntry;
+import java.io.File;
+import java.nio.file.Files;
+
+
+class BadExample {
+    public static void ZipInputStreamUnSafe(String filename) throws IOException {
+        File f = new File(filename);
+        try (ZipFile zipFile = new ZipFile(f)) {
+            Enumeration<? extends ZipEntry> entries = zipFile.entries();
+
+            while (entries.hasMoreElements()) {
+                ZipEntry ze = entries.nextElement();
+                File out = new File("./tmp/tmp.txt");
+                Files.copy(zipFile.getInputStream(ze), out.toPath(), StandardCopyOption.REPLACE_EXISTING);
+            }
+        }
+    }
+}
@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Extracting Compressed files with any compression algorithm like gzip can cause a denial of service attack.</p>
+<p>Attackers can create a huge file by just repeating a single byte and compress it to a small file.</p>  
+
+</overview>
+<recommendation>
+
+<p>When decompressing a user-provided compressed file, verify the decompression ratio or decompress the files within a loop byte by byte to be able to manage the decompressed size in each cycle of the loop.</p>  
+
+</recommendation>
+<example>
+
+<p>
+In the following example, the decompressed file size is not checked before decompression, exposing the application to a denial of service.  
+</p>  
+<sample src="BadExample.java" />  
+
+<p>  
+A better approach is shown in the following example, where a ZIP file is read within a loop and a size threshold is checked every cycle.  
+</p>  
+<sample src="GoodExample.java"/>  
+
+</example>
+<references>
+
+<li>
+<a href="https://github.com/advisories/GHSA-47vx-fqr5-j2gw">CVE-2022-4565</a>
+</li>
+<li>
+David Fifield: <a href="https://www.bamsoftware.com/hacks/zipbomb/">A better zip bomb</a>.  
+</li>
+
+</references>
+</qhelp>
@@ -0,0 +1,21 @@
+/**
+ * @name Uncontrolled file decompression
+ * @description Decompressing user-controlled files without checking the compression ratio may allow attackers to perform denial-of-service attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.8
+ * @precision high
+ * @id java/uncontrolled-file-decompression
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-409
+ */
+
+import java
+import experimental.semmle.code.java.security.DecompressionBombQuery
+import DecompressionBombsFlow::PathGraph
+
+from DecompressionBombsFlow::PathNode source, DecompressionBombsFlow::PathNode sink
+where DecompressionBombsFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
+  "potentially untrusted source"
@@ -0,0 +1,33 @@
+import java.util.zip.*;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.util.zip.ZipEntry;
+
+public class GoodExample {
+    public static void ZipInputStreamSafe(String filename) throws IOException {
+        int UncompressedSizeThreshold = 10 * 1024 * 1024; // 10MB
+        int BUFFERSIZE = 256;
+        FileInputStream fis = new FileInputStream(filename);
+        try (ZipInputStream zis = new ZipInputStream(new BufferedInputStream(fis))) {
+            ZipEntry entry;
+            while ((entry = zis.getNextEntry()) != null) {
+                int count;
+                byte[] data = new byte[BUFFERSIZE];
+                FileOutputStream fos = new FileOutputStream(entry.getName());
+                BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFERSIZE);
+                int totalRead = 0;
+                while ((count = zis.read(data, 0, BUFFERSIZE)) != -1) {
+                    totalRead = totalRead + count;
+                    if (totalRead > UncompressedSizeThreshold) {
+                        System.out.println("This Compressed file can be a bomb!");
+                        break;
+                    }
+                    dest.write(data, 0, count);
+                }
+                dest.flush();
+                dest.close();
+                zis.closeEntry();
+            }
+        }
+    }
+}