zip-bomb | Zip bomb for Browser and Node.js | Runtime Environment library

by harshjv | JavaScript | Version: 1.0.0 | License: MIT

kandi X-RAY | zip-bomb Summary

zip-bomb is a JavaScript library typically used in Server, Runtime Environment, Nodejs applications. zip-bomb has no bugs, it has no vulnerabilities, it has a Permissive License and it has low support. You can install using 'npm i zip-bomb' or download it from GitHub, npm.

CAUTION THIS IS JUST AN EXPERIMENT. USE THIS AT YOUR OWN RISK. READ MORE ABOUT ZIP BOMB HERE. Zip bomb for Browser and Node.js.

            kandi-support Support

              zip-bomb has a low active ecosystem.
              It has 10 star(s) with 4 fork(s). There are no watchers for this library.
              It had no major release in the last 12 months.
              zip-bomb has no issues reported. There are no pull requests.
              It has a neutral sentiment in the developer community.
              The latest version of zip-bomb is 1.0.0

            kandi-Quality Quality

              zip-bomb has no bugs reported.

            kandi-Security Security

              zip-bomb has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.

            kandi-License License

              zip-bomb is licensed under the MIT License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            kandi-Reuse Reuse

              zip-bomb releases are not available. You will need to build from source code and install.
              Deployable package is available in npm.
              Installation instructions, examples and code snippets are available.

            zip-bomb Key Features

            No Key Features are available at this moment for zip-bomb.

            zip-bomb Examples and Code Snippets

            No Code Snippets are available at this moment for zip-bomb.

            Community Discussions

            QUESTION

            How to detect a zip-bomb with Java 10
            Asked 2020-May-12 at 09:59

            Apache POI is opening zip-files on a regular basis because Microsoft Excel/Word/... files are zip-files in their newer format. In order to prevent some types of denial-of-service-attacks, it has functionality when opening Zip-files to not read files which expand a lot and thus could be used to overwhelm the main memory by providing a small malicious file which explodes when uncompressed into memory. Apache POI calls this zip-bomb-protection.

            Up to Java 9 it could use some workaround via reflection to inject a counting-InputStream into ZipFile/ZipEntry to detect an explosion in expanded data and this way prevent zip-bombs.

            However in Java 10 this is not possible any more because the implementation of ZipFile was changed in a way that prevents this (hard cast to ZipFile$ZipFileInputStream in ZipFile).

            So we are looking for a different way to count the number of extracted bytes during extracting to be able to stop as soon as the compression ratio reaches a certain limit.

            Is there a way to do zip-bomb-detection differently without resorting to reflection?

            ...

            ANSWER

            Answered 2019-Mar-07 at 13:45

            I can't imagine why you needed a reflection/injection hack in the first place. You seem to pass not a filename but some instance like zipfile or zipinputstream.

            If you have a file (or can save to a file first), then you can first check the zip file entries sizes (not even decompressing) before handing it to the vulnerable library. Even if you needed to pass a zipfile, you could extend the zipfile class to proxy calls.

            If you have zip stream and really cannot temp-save to disk and must read as a zipinputstream somehow, then override methods of zipinputstream (getnextentry, read, etc).

            Source https://stackoverflow.com/questions/49585900

            QUESTION

            Using apache poi - Zip Bomb detected
            Asked 2018-Oct-07 at 01:22

            When I am trying to write data to excel sheet using apache poi which contains more than 64000 records, where SXSSF is used and I am getting the below error,

            Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data. This may indicate that the file is used to inflate memory usage and thus could pose a security risk. You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit. Counter: 820224, cis.counter: 8192, ratio: 0.009987515605493134Limits: MIN_INFLATE_RATIO: 0.01

            I found a solution stating by adding ZipSecureFile.setMinInflateRatio(0.009) and I need to know why it is happening and what is the limit I need to provide for the above error and where to add the solution, reference for the solution: (How to determine if a Zip Bomb error thrown when retrieving an Excel files Styles Table is legitimate?)

            Please let me know if there is any other solution for this

            ...

            ANSWER

            Answered 2017-Jul-04 at 08:21

            "Zip bomb" is a term used for an attack vector where a small zip file expands to a very large uncompressed file and thus can cause issues like exhausting memory or disk space.

            Usually such zips are created with the intent of causing a denial of service attack on systems that receive zip files from external sources.

            As .xlsx files are actually zipped files which contain XML files, there is a chance of causing such a zip bomb vulnerability in POI.

            In order to prevent this from happening, Apache POI has some safeguards built in and enabled by default. So if you create a file with unusual content, e.g. many rows/columns with the same content, you can run into these safeguards and receive the exception as shown above.

            If you fully control the creation of the processed files, you can adjust the setting given in the error message to avoid the exception.

            See https://bz.apache.org/bugzilla/show_bug.cgi?id=58499 for the related issue and Zip-bomb exception while writing a large formatted Excel (.xlsx) and How to determine if a Zip Bomb error thrown when retrieving an Excel files Styles Table is legitimate? for similar discussions.

            Source https://stackoverflow.com/questions/44897500
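            Both answers above describe the same defence: count the bytes an entry inflates to, compare them with the compressed bytes consumed, and stop as soon as the ratio collapses (the POI message quoted in the second question uses MIN_INFLATE_RATIO 0.01, i.e. at most roughly 100:1 expansion). The Java example below is added here to show that idea implemented the way the first answer suggests, by overriding ZipInputStream.getNextEntry() and read() instead of using reflection. It is not code from Apache POI, from the zip-bomb npm package, or from either answer; the class names, the 256 KiB grace threshold and the zero-filled test archive are assumptions made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Counts the raw (still compressed) bytes pulled from the wrapped stream. */
final class CountingInputStream extends FilterInputStream {
    long count;

    CountingInputStream(InputStream in) {
        super(in);
    }

    @Override
    public int read() throws IOException {
        int b = super.read();
        if (b >= 0) count++;
        return b;
    }

    @Override
    public int read(byte[] buf, int off, int len) throws IOException {
        int n = super.read(buf, off, len);
        if (n > 0) count += n;
        return n;
    }
}

/**
 * Hypothetical ZipInputStream (not part of Apache POI or the zip-bomb package)
 * that compares compressed bytes consumed with inflated bytes produced for the
 * current entry and aborts once compressed / expanded drops below minInflateRatio.
 */
public class RatioLimitedZipInputStream extends ZipInputStream {
    private final CountingInputStream raw;
    private final double minInflateRatio; // 0.01 allows at most ~100:1 expansion
    private final long graceBytes;        // expanded bytes before the ratio is enforced
    private long entryStart;              // raw.count when the current entry began
    private long expanded;                // inflated bytes handed out for the current entry

    public RatioLimitedZipInputStream(InputStream in, double minInflateRatio, long graceBytes) {
        this(new CountingInputStream(in), minInflateRatio, graceBytes);
    }

    private RatioLimitedZipInputStream(CountingInputStream raw, double minInflateRatio, long graceBytes) {
        super(raw);
        this.raw = raw;
        this.minInflateRatio = minInflateRatio;
        this.graceBytes = graceBytes;
    }

    @Override
    public ZipEntry getNextEntry() throws IOException {
        ZipEntry entry = super.getNextEntry();
        // Judge each entry on its own, like POI's per-entry counters in the quoted message.
        entryStart = raw.count;
        expanded = 0;
        return entry;
    }

    // InflaterInputStream routes read() and skip() through this method,
    // so overriding it alone counts every inflated byte exactly once.
    @Override
    public int read(byte[] buf, int off, int len) throws IOException {
        int n = super.read(buf, off, len);
        if (n > 0) {
            expanded += n;
            checkRatio();
        }
        return n;
    }

    private void checkRatio() throws IOException {
        if (expanded < graceBytes) return; // small entries are never judged
        long compressed = raw.count - entryStart;
        double ratio = (double) compressed / expanded;
        if (ratio < minInflateRatio) {
            throw new IOException(String.format(
                "Zip bomb detected: compressed=%d expanded=%d ratio=%.6f < min %.4f",
                compressed, expanded, ratio, minInflateRatio));
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: one DEFLATE entry holding 2 MiB of zero bytes, which
        // compresses to a few KiB and so reproduces the expansion the check is meant to catch.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("zeros.bin"));
            byte[] chunk = new byte[64 * 1024];
            for (int i = 0; i < 32; i++) zos.write(chunk);
            zos.closeEntry();
        }
        byte[] archive = bos.toByteArray();
        System.out.println("archive size: " + archive.length + " bytes");

        // 0.01 matches the MIN_INFLATE_RATIO quoted on this page; the 256 KiB grace is an assumption.
        try (RatioLimitedZipInputStream zin = new RatioLimitedZipInputStream(
                new ByteArrayInputStream(archive), 0.01, 256 * 1024)) {
            byte[] buf = new byte[8192];
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                long total = 0;
                int n;
                while ((n = zin.read(buf)) > 0) total += n;
                System.out.println(entry.getName() + ": " + total + " bytes, accepted");
            }
        } catch (IOException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

            Two caveats worth knowing before relying on this. The compressed count is taken from the underlying stream, so it includes up to one read-ahead buffer (512 bytes in ZipInputStream) that the inflater has not used yet; that makes the measured ratio slightly higher than the true one, which errs on the side of accepting and is why a grace threshold is needed before judging small entries. And the per-entry sizes stored in the archive headers, which the first answer suggests checking up front, are attacker-controlled and can disagree with the actual inflated length, so the streaming count above is the figure to trust when the two differ.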

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install zip-bomb

            You can install using 'npm i zip-bomb' or download it from GitHub, npm.

            Support

            For any new features, suggestions and bugs create an issue on GitHub. If you have any questions, check and ask questions on the community page Stack Overflow.
            Install
          • npm: npm i zip-bomb
          • Clone (HTTPS): https://github.com/harshjv/zip-bomb.git
          • Clone (GitHub CLI): gh repo clone harshjv/zip-bomb
          • Clone (SSH): git@github.com:harshjv/zip-bomb.git
