zip-bomb | scripts to create zip bombs | Script Programming library

by pete911 | Python | Version: Current | License: No License

kandi X-RAY | zip-bomb Summary

zip-bomb is a Python library typically used in Programming Style, Script Programming applications. zip-bomb has no bugs, it has no vulnerabilities and it has low support. However zip-bomb build file is not available. You can download it from GitHub.

Scripts to create zip bombs. Example of a script from Web Security Testing Cookbook rewritten in Python.

            kandi-support Support

              zip-bomb has a low active ecosystem.
It has 11 star(s) with 5 fork(s). There is 1 watcher for this library.
              It had no major release in the last 6 months.
              zip-bomb has no issues reported. There are no pull requests.
              It has a neutral sentiment in the developer community.
              The latest version of zip-bomb is current.

            kandi-Quality Quality

              zip-bomb has 0 bugs and 0 code smells.

            kandi-Security Security

              zip-bomb has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              zip-bomb code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            kandi-License License

              zip-bomb does not have a standard license declared.
              Check the repository for any license declaration and review the terms closely.
              Without a license, all rights are reserved, and you cannot use the library in your applications.

            kandi-Reuse Reuse

              zip-bomb releases are not available. You will need to build from source code and install.
zip-bomb has no build file. You will need to create the build yourself to build the component from source.
              zip-bomb saves you 12 person hours of effort in developing the same functionality from scratch.
              It has 36 lines of code, 4 functions and 1 files.
              It has low code complexity. Code complexity directly impacts maintainability of the code.

            Top functions reviewed by kandi - BETA

            kandi has reviewed zip-bomb and discovered the below as its top functions. This is intended to give you an instant insight into zip-bomb implemented functionality, and help decide if they suit your requirements.
            • Create a zip file
            • Create a zip file
            • Create zip files
            • Create a temporary directory

            zip-bomb Key Features

            No Key Features are available at this moment for zip-bomb.

            zip-bomb Examples and Code Snippets

            No Code Snippets are available at this moment for zip-bomb.

            Community Discussions

            QUESTION

            How to detect a zip-bomb with Java 10
            Asked 2020-May-12 at 09:59

            Apache POI is opening zip-files on a regular basis because Microsoft Excel/Word/... files are zip-files in their newer format. In order to prevent some types of denial-of-service-attacks, it has functionality when opening Zip-files to not read files which expand a lot and thus could be used to overwhelm the main memory by providing a small malicious file which explodes when uncompressed into memory. Apache POI calls this zip-bomb-protection.

            Up to Java 9 it could use some workaround via reflection to inject a counting-InputStream into ZipFile/ZipEntry to detect an explosion in expanded data and this way prevent zip-bombs.

            However in Java 10 this is not possible any more because the implementation of ZipFile was changed in a way that prevents this (hard cast to ZipFile$ZipFileInputStream in ZipFile).

            So we are looking for a different way to count the number of extracted bytes during extracting to be able to stop as soon as the compression ratio reaches a certain limit.

            Is there a way to do zip-bomb-detection differently without resorting to reflection?

            ...

            ANSWER

            Answered 2019-Mar-07 at 13:45

            I can't imagine why you needed a reflection/injection hack in the first place. You seem to pass not a filename but some instance like zipfile or zipinputstream.

If you have a file (or can save to a file first), then you can first check the zip file entries' sizes (not even decompressing) before handing it to the vulnerable library. Even if you needed to pass a zipfile, you could extend the zipfile class to proxy calls.

            If you have zip stream and really cannot temp-save to disk and must read as a zipinputstream somehow, then override methods of zipinputstream (getnextentry, read, etc).

            Source https://stackoverflow.com/questions/49585900

            QUESTION

            Using apache poi - Zip Bomb detected
            Asked 2018-Oct-07 at 01:22

            When I am trying to write data to excel sheet using apache poi which contains more than 64000 records, where SXSSF is used and I am getting the below error,

            Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data. This may indicate that the file is used to inflate memory usage and thus could pose a security risk. You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit. Counter: 820224, cis.counter: 8192, ratio: 0.009987515605493134Limits: MIN_INFLATE_RATIO: 0.01

I found a solution stating to add ZipSecureFile.setMinInflateRatio(0.009), and I need to know why it is happening, what limit I need to provide for the above error and where to add the solution; reference for the solution: (How to determine if a Zip Bomb error thrown when retrieving an Excel files Styles Table is legitimate?)

            Please let me know if there is any other solution for this

            ...

            ANSWER

            Answered 2017-Jul-04 at 08:21

            "Zip bomb" is a term used for an attack vector where a small zip file expands to a very large uncompressed file and thus can cause issues like exhausting memory or disk space.

            Usually such zips are created with the intent of causing a denial of service attack on systems that receive zip files from external sources.

            As .xlsx files are actually zipped files which contain XML files, there is a chance of causing such a zip bomb vulnerability in POI.

            In order to prevent this from happening, Apache POI has some safeguards built in and enabled by default. So if you create a file with unusual content, e.g. many rows/columns with the same content, you can run into these safeguards and receive the exception as shown above.

            If you fully control the creation of the processed files, you can adjust the setting given in the error message to avoid the exception.

            See https://bz.apache.org/bugzilla/show_bug.cgi?id=58499 for the related issue and ZIp-bomb exception while writing a large formatted Excel (.xlsx) and How to determine if a Zip Bomb error thrown when retrieving an Excel files Styles Table is legitimate? for similar discussions.

            Source https://stackoverflow.com/questions/44897500
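The two answers above point the same way: count bytes as they are inflated and stop once the compressed-to-expanded ratio falls below a floor like POI's MIN_INFLATE_RATIO of 0.01, without reflection into ZipFile. The following is an added example, not code from pete911/zip-bomb or from Apache POI; ZipBombGuard, its constants and the 20 MiB sample archive are assumptions chosen here for illustration.

```java
import java.io.*;
import java.util.zip.*;

// Added example (not zip-bomb or Apache POI code): streams an archive through a
// byte-counting wrapper and aborts when compressed/expanded drops below
// MIN_INFLATE_RATIO, the same kind of limit POI reports in the error above.
public final class ZipBombGuard {
    static final double MIN_INFLATE_RATIO = 0.01;        // compressed / expanded
    static final long MAX_EXPANDED = 256L * 1024 * 1024; // hard cap on total expanded bytes
    static final long GRACE = 100L * 1024;               // skip the ratio check on tiny inputs

    // Counts bytes as they leave the underlying (compressed) stream.
    static final class Counting extends FilterInputStream {
        long count;
        Counting(InputStream in) { super(in); }
        @Override public int read() throws IOException { int b = in.read(); if (b >= 0) count++; return b; }
        @Override public int read(byte[] b, int off, int len) throws IOException {
            int n = in.read(b, off, len); if (n > 0) count += n; return n; }
    }

    /** Returns total expanded bytes, or throws before the archive can exhaust memory. */
    public static long scan(InputStream raw) throws IOException {
        Counting compressed = new Counting(raw);
        long expanded = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zin = new ZipInputStream(compressed)) {
            for (ZipEntry e = zin.getNextEntry(); e != null; e = zin.getNextEntry()) {
                for (int n; (n = zin.read(buf)) > 0; ) {
                    expanded += n;
                    if (expanded > MAX_EXPANDED)
                        throw new IOException("expanded size cap hit at " + e.getName());
                    double ratio = (double) compressed.count / expanded;
                    if (expanded > GRACE && ratio < MIN_INFLATE_RATIO)
                        throw new IOException("zip bomb suspected at " + e.getName()
                                + ": ratio " + ratio + " < " + MIN_INFLATE_RATIO);
                }
            }
        }
        return expanded;
    }

    // Constructed sample: 20 MiB of zeros deflates to a few KiB, well below the ratio floor.
    public static void main(String[] a) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(bos)) {
            z.putNextEntry(new ZipEntry("zeros.bin"));
            byte[] chunk = new byte[1 << 20];
            for (int i = 0; i < 20; i++) z.write(chunk);
        }
        try { scan(new ByteArrayInputStream(bos.toByteArray())); }
        catch (IOException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

The ratio is computed on bytes actually consumed from the underlying stream, so it is only approximate (ZipInputStream buffers its input), which is why the GRACE threshold avoids rejecting small legitimate entries.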

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install zip-bomb

            You can download it from GitHub.
            You can use zip-bomb like any standard Python library. You will need to make sure that you have a development environment consisting of a Python distribution including header files, a compiler, pip, and git installed. Make sure that your pip, setuptools, and wheel are up to date. When using pip it is generally recommended to install packages in a virtual environment to avoid changes to the system.

            Support

For any new features, suggestions and bugs create an issue on GitHub. If you have any questions, check and ask questions on the community page Stack Overflow.
            CLONE
          • HTTPS

            https://github.com/pete911/zip-bomb.git

          • CLI

            gh repo clone pete911/zip-bomb

          • sshUrl

            git@github.com:pete911/zip-bomb.git
