Problem/Motivation

The module could be used to upload zip bombs.
This would allow an attacker with the permission to create nodes to quickly fill the server disk.

Steps to reproduce

  1. Generate a zip bomb with this script: https://github.com/damianrusinek/zip-bomb
  2. Create a bundle with a zip file field
  3. As a user that can create nodes in this bundle, upload the zip bomb: it is extracted

Proposed resolution

I think it is possible to use this kind of library to detect zip bombs: https://packagist.org/packages/selective/archive-bomb-scanner

Comments

prudloff created an issue. See original summary.

vhin0210 made their first commit to this issue’s fork.

  • vhin0210 committed 9c3798df on 1.x
    feat: #3556310 Module could be used to upload zip bombs
    

  • vhin0210 committed 1cf3baee on 1.x
    feat: #3556310 Module could be used to upload zip bombs
    
Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
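
A pre-extraction check of the kind the issue proposes, as an added example that is neither the module's code nor the committed fix: it uses PHP's ZipArchive to refuse an archive by entry count, declared compression ratio and actual decompressed byte count. The function name `zip_bomb_findings` and the three limits are assumptions.

```php
<?php
// Added example, not the module's code. The three limits are assumed values.
const MAX_ENTRIES = 1000;                  // entries per archive
const MAX_TOTAL_BYTES = 50 * 1024 * 1024;  // decompressed bytes per archive
const MAX_RATIO = 100;                     // declared size / compressed size
// Hypothetical helper: returns reasons to refuse extraction ([] = passes).
function zip_bomb_findings(string $path): array {
  $zip = new ZipArchive();
  if ($zip->open($path) !== TRUE) {
    return ['archive cannot be opened'];
  }
  $findings = $zip->numFiles > MAX_ENTRIES ? ["too many entries: {$zip->numFiles}"] : [];
  $total = 0;
  for ($i = 0; $i < $zip->numFiles && !$findings; $i++) {
    $stat = $zip->statIndex($i);
    if ($stat === FALSE) {
      $findings[] = "unreadable entry at index $i";
      break;
    }
    // Declared sizes are archive metadata: a cheap first filter only.
    if ($stat['size'] > MAX_RATIO * max(1, $stat['comp_size'])) {
      $findings[] = "suspicious compression ratio: {$stat['name']}";
      break;
    }
    // Count the bytes really produced, without writing them to disk.
    $stream = $zip->getStream($stat['name']);
    while ($stream && !feof($stream)) {
      $chunk = fread($stream, 65536);
      if ($chunk === FALSE) { break; }
      $total += strlen($chunk);
      if ($total > MAX_TOTAL_BYTES) {
        $findings[] = 'decompressed size exceeds limit';
        break;
      }
    }
    if ($stream) { fclose($stream); }
  }
  $zip->close();
  return $findings;
}

// Constructed sample: 5 MiB of zero bytes, which deflate shrinks to a few KiB.
$sample = tempnam(sys_get_temp_dir(), 'zip');
$zip = new ZipArchive();
$zip->open($sample, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('zeros.bin', str_repeat("\0", 5 * 1024 * 1024));
$zip->close();
print_r(zip_bomb_findings($sample));
unlink($sample);
```

The check inspects one layer only; an archive nested inside the upload needs the same check when it is opened.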