
I'm researching possible security risks when handling ZIP files, or archives in general, in web applications.

The scenario is the following. The user is able to upload any ZIP (or in general an archive) file, the web application extracts its contents and subsequently offers the extracted files to download again.

I've come across a number of ways this may be exploited.

  • DoS with a ZIP bomb (e.g. 42.zip)
  • Writing arbitrary files, with relative file paths (see evilarc)
  • Reading arbitrary files, with symbolic links (see How zip symlink works?)
  • I assume issues with polyglot ZIP files

The resources on the topic seem quite limited and I'm sure there are more risks associated.

What are possible security risks for web applications handling ZIP/archive files?

and

How can these be securely processed?

SaAtomic

*"I assume issues with polyglot ZIP files"* - if you only offer the extracted files for download but not the original ZIP then polyglots should not matter. Apart from that process it like every content you don't trust and which might trigger bugs - use a sandbox or similar (virtual machine etc.) to limit the possible impact and limit available resources (CPU, memory, disk space) within this sandbox. – Steffen Ullrich Aug 28 '17 at 08:47

1 Answer


And remote code execution, e.g. CVE-2016-2334

There is no 100% secure way to process them; however, some mitigations are to make sure that any process used to decompose an archive file runs with the least privilege possible and to limit how long decomposition of a single archive can take place.

Swashbuckler
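
The path, symlink and ZIP-bomb risks listed in the question can be screened for before anything is extracted. The following is an added example, not code from the original posts; the function names, the limits and the sample archive are assumptions constructed for illustration, and the check complements rather than replaces the sandboxing, least-privilege and time-limit mitigations mentioned above.

```python
import io
import posixpath
import stat
import zipfile

# Limits are assumptions for illustration; tune them to the application.
MAX_ENTRIES = 1000
MAX_TOTAL_BYTES = 50 * 1024 * 1024
MAX_RATIO = 100  # uncompressed / compressed size per entry

def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) findings; an empty list means no finding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            findings.append(("*", "too-many-entries"))
        total = 0
        for info in infos:
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            # Absolute paths, drive letters and ".." escape the target directory.
            if name.startswith("/") or name[1:2] == ":" or norm == ".." or norm.startswith("../"):
                findings.append((info.filename, "path-traversal"))
            # The Unix file mode lives in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                findings.append((info.filename, "symlink"))
            # Sizes come from attacker-controlled headers: use them to reject
            # early, and still enforce CPU/disk/time limits on the extractor.
            total += info.file_size
            if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                findings.append((info.filename, "compression-ratio"))
        if total > MAX_TOTAL_BYTES:
            findings.append(("*", "total-size"))
    return findings

def build_sample() -> bytes:
    """Constructed test archive: one benign entry and three suspicious ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../outside.txt", "x")
        link = zipfile.ZipInfo("docs/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as symlink
        zf.writestr(link, "/constructed/target")
        zf.writestr("zeros.bin", b"\0" * (1024 * 1024))  # highly compressible
    return buf.getvalue()
```

Calling `audit_zip(build_sample())` reports the traversal entry, the symlink entry and the high-ratio entry, and leaves `docs/readme.txt` unflagged.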