zip-bomb | Zip bomb for Browser and Node.js | Runtime Evironment library

 by   harshjv JavaScript Version: 1.0.0 License: MIT

X-RayKey FeaturesCode SnippetsCommunity Discussions(2)VulnerabilitiesInstallSupport

kandi X-RAY | zip-bomb Summary

kandi X-RAY | zip-bomb Summary

zip-bomb is a JavaScript library typically used in Server, Runtime Evironment, Nodejs applications. zip-bomb has no bugs, it has no vulnerabilities, it has a Permissive License and it has low support. You can install using 'npm i zip-bomb' or download it from GitHub, npm.

CAUTION THIS IS JUST AN EXPERIMENT. USE THIS AT YOUR OWN RISK. READ MORE ABOUT ZIP BOMB HERE. Zip bomb for Browser and Node.js.
Support
    Quality
      Security
        License
          Reuse

            kandi-support Support

              zip-bomb has a low active ecosystem.
              It has 10 star(s) with 4 fork(s). There are no watchers for this library.
              OutlinedDot
              It had no major release in the last 12 months.
              zip-bomb has no issues reported. There are no pull requests.
              It has a neutral sentiment in the developer community.
              The latest version of zip-bomb is 1.0.0

            kandi-Quality Quality

              zip-bomb has no bugs reported.

            kandi-Security Security

              zip-bomb has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.

            kandi-License License

              zip-bomb is licensed under the MIT License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            kandi-Reuse Reuse

              zip-bomb releases are not available. You will need to build from source code and install.
              Deployable package is available in npm.
              Installation instructions, examples and code snippets are available.

            Top functions reviewed by kandi - BETA

            kandi's functional review helps you automatically verify the functionalities of the libraries and avoid rework.
            Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of zip-bomb
            Get all kandi verified functions for this library.

            zip-bomb Key Features

            No Key Features are available at this moment for zip-bomb.

            zip-bomb Examples and Code Snippets

            No Code Snippets are available at this moment for zip-bomb.

            Community Discussions

            Trending Discussions on zip-bomb

            How to detect a zip-bomb with Java 10
            Using apache poi - Zip Bomb detected

            QUESTION

            How to detect a zip-bomb with Java 10
            Asked 2020-May-12 at 09:59

            Apache POI is opening zip-files on a regular basis because Microsoft Excel/Word/... files are zip-files in their newer format. In order to prevent some types of denial-of-service-attacks, it has functionality when opening Zip-files to not read files which expand a lot and thus could be used to overwhelm the main memory by providing a small malicious file which explodes when uncompressed into memory. Apache POI calls this zip-bomb-protection.

            Up to Java 9 it could use some workaround via reflection to inject a counting-InputStream into ZipFile/ZipEntry to detect an explosion in expanded data and this way prevent zip-bombs.

            However in Java 10 this is not possible any more because the implementation of ZipFile was changed in a way that prevents this (hard cast to ZipFile$ZipFileInputStream in ZipFile).

            So we are looking for a different way to count the number of extracted bytes during extracting to be able to stop as soon as the compression ratio reaches a certain limit.

            Is there a way to do zip-bomb-detection differently without resorting to reflection?

            ...

            ANSWER

            Answered 2019-Mar-07 at 13:45

            I can't imagine why you needed a reflection/injection hack in the first place. You seem to pass not a filename but some instance like zipfile or zipinputstream.

            If you have a file (or can save to a file first), then you can first check the zip file entries sizes (not even decompressing) before handing it to the vulnerable library. Even if you needed to pass a zipfie, you could extend the zipfile class to proxy calls.

            If you have zip stream and really cannot temp-save to disk and must read as a zipinputstream somehow, then override methods of zipinputstream (getnextentry, read, etc).

            Source https://stackoverflow.com/questions/49585900

            QUESTION

            Using apache poi - Zip Bomb detected
            Asked 2018-Oct-07 at 01:22

            When I am trying to write data to excel sheet using apache poi which contains more than 64000 records, where SXSSF is used and I am getting the below error,

            Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data. This may indicate that the file is used to inflate memory usage and thus could pose a security risk. You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit. Counter: 820224, cis.counter: 8192, ratio: 0.009987515605493134Limits: MIN_INFLATE_RATIO: 0.01

            I found a solution stating by adding ZipSecureFile.setMinInflateRatio(0.009) and I need to know why it is happening and what is the limit I need to provide for the above error ad where to add the solution, reference for the solution: (How to determine if a Zip Bomb error thrown when retrieving an Excel files Styles Table is legitimate?)

            Please let me know if there is any other solution for this

            ...

            ANSWER

            Answered 2017-Jul-04 at 08:21

            "Zip bomb" is a term used for an attack vector where a small zip file expands to a very large uncompressed file and thus can cause issues like exhausting memory or disk space.

            Usually such zips are created with the intent of causing a denial of service attack on systems that receive zip files from external sources.

            As .xlsx files are actually zipped files which contain XML files, there is a chance of causing such a zip bomb vulnerability in POI.

            In order to prevent this from happening, Apache POI has some safeguards built in and enabled by default. So if you create a file with unusual content, e.g. many rows/columns with the same content, you can run into these safeguards and receive the exception as shown above.

            If you fully control the creation of the processed files, you can adjust the setting given in the error message to avoid the exception.

            See https://bz.apache.org/bugzilla/show_bug.cgi?id=58499 for the related issue and ZIp-bomb exception while writing a large formatted Excel (.xlsx) and How to determine if a Zip Bomb error thrown when retrieving an Excel files Styles Table is legitimate? for similar discussions.

            Source https://stackoverflow.com/questions/44897500

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install zip-bomb

            You can install using 'npm i zip-bomb' or download it from GitHub, npm.

            Support

            For any new features, suggestions and bugs create an issue on GitHub. If you have any questions check and ask questions on community page Stack Overflow .
            Find more information at:

            Reuse Trending Solutions

            build-a-realtime-voice-to-image-generator-using-generative-ai
            build-a-realtime-voice-to-image-generator-using-generative-ai
            Build a Realtime Voice-to-Image Generator using Generative AI
            image-resizing-using-opencv-in-python
            image-resizing-using-opencv-in-python
            Image Resizing using OpenCV in Python
            build-your-own-gpt4all-content-generator
            build-your-own-gpt4all-content-generator
            Build your own Custom GPT Content Generator (Open-Source ChatGPT Alternative)
            validate-an-email-address-in-javascript
            validate-an-email-address-in-javascript
            How to Validate an Email Address in JavaScript
            age-calculator-using-javascript
            age-calculator-using-javascript
            Age Calculator using JavaScript
            addressing-bias-in-ai---toolkit-for-fairness,-explainability-and-privacy
            addressing-bias-in-ai---toolkit-for-fairness,-explainability-and-privacy
            Addressing Bias in AI - Toolkit for Fairness, Explainability and Privacy
            javascript-node-js-payment-processing
            javascript-node-js-payment-processing
            15 best JavaScript Node.js Payment libraries
            build-credit-risk-predictor-using-federated-learning
            build-credit-risk-predictor-using-federated-learning
            Build Credit Risk predictor using Federated Learning
            top-10-javascript-tours-and-guides-libraries-in-2023
            top-10-javascript-tours-and-guides-libraries-in-2023
            10 Best JavaScript Tours and Guides Libraries in 2023
            disease-predictor
            disease-predictor
            Disease Predictor using Pandas & Scikit
            python-face-recognition
            python-face-recognition
            28 best Python Face Recognition libraries

            Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items

            Find more libraries
            Install
          • npm

            npm i zip-bomb

            • CLONE
          • HTTPS

            https://github.com/harshjv/zip-bomb.git

          • CLI

            gh repo clone harshjv/zip-bomb

          • sshUrl

            git@github.com:harshjv/zip-bomb.git

            • Stay Updated

            Subscribe to our newsletter for trending solutions and developer bootcamps

            Agree to Sign up and Terms & Conditions

            Share this Page

            share link

            Explore Related Topics

            Runtime EvironmentServerNodejs

            Reuse Runtime Evironment Kits

            How to insert a document/data into a MongoDB collection using Java
            How To Build a Progress Bar with ReactJS
            React Selecting Option with Object as Attribute Value 
            How to Create a Guess a Number Game with ReactJS
            How to Show and Hide ReactJS Components
            See all related Kits

            Reuse Server Kits

            Best Python Web Development Frameworks
            Fake_News_Detection_with_web_interface
            Zero Hassle Pharma Management
            Waste Food Management
            5 best Ruby Coding Assessment libraries
            See all related Kits

            Consider Popular Runtime Evironment Libraries

            electron

            by electron

            30-seconds-of-code

            by 30-seconds

            node

            by nodejs

            TypeScript

            by microsoft

            nodebestpractices

            by goldbergyoni

            See all Runtime Evironment Libraries

            Try Top Libraries by harshjv

            github-repo-size

            by harshjvJavaScript

            q2a-bootstrap

            by harshjvPHP

            threes-c

            by harshjvC

            tab-ninja

            by harshjvJavaScript

            docker-texlive-2015

            by harshjvShell

            See all Learning Libraries

            Open Weaver – Develop Applications Faster with Open Source

            kandi

            Community and Support

            Company

            Follow

            • © 2023 Open Weaver Inc.