Skip to main content

Provide secure unzip against zip bomb.

Project description

SUNZIP

forthebadge made-with-python


PyPI Wheel Downloads version travis-ci codecov

Introduction

Why are we doing this?

According to Cara Marie, an archive bomb a.k.a. A zip bomb is often employed to disable antivirus software, in order to create an opening for more traditional viruses. In addition, various kinds of pitfalls may occur during decompression.

PyCon Korea-Click Click Boom! Bombs Over Our Minds

Description for decompression pitfalls on zipfile doc

What is zip bomb?

It often appeared as a relatively small size zip file. And the unzipped file will be much larger than the zipped one. This would probably cause a problem when your disk volume or memory is relatively small than the unzipped one.

How do we defense zip bomb?

  • Defense Layer 1 - checks perform on the server side.
    1. Check if it's a nested zip file. (i.e. 42.zip)
    2. Check if the compression ratio (Uncompressed Content/Compressed Content)
       is greater than the threshold?
    3. Check if the file format is expected for context.
    4. Upload file size does not exceed the maximum limit.
  • Defense Layer 2 - limit the number of resources available to the process and its children.
    1. Check if CPU time is greater than the threshold.
    2. Check if the extracted part in memory is oversized. (memory usage)
  • Defense Layer 3 - filetype-specific mitigations.

    Filetype: Archives

    1. Restrict output file size and number of extracted files
       to ensure the total doesn't exceed the maximum limit.

How do we set thresholds?

Defense Layer 1:
  Uncompressed content size:  200 MB (vt)
  Compression ratio:          https://youtu.be/IXkX2ojrKZQ?t=553

Defense Layer 2:
  CPU time:                   2 seconds(vt)
  Memoery oversized:

Defense Layer 3:
  Output file size:
  Number of extracted files:

Useful resources

Bomb Codes
https://bomb.codes/

Mitigation Summary
https://youtu.be/IXkX2ojrKZQ?t=1296

Defense layers
https://bomb.codes/mitigations

Install

$ pip3 install sunzip
# for development use "development mode"
# https://packaging.python.org/tutorials/installing-packages/
$ pip3 install -e <directory to project root>

Usage

# for command line usage see the help
$ sunzip-cli -h

You can find the arguments defined at the top of cli.py

import sunzip

f = sunzip.Sunzip("archive.zip")

Customize your resource limit.

Maximum compression ratio threshold

f.threshold = 50

Maximum CPU time (second)

f.cpu = 1

Maximum memory usage (byte)

f.memory = 1024

Maximum file size (byte)

f.filesize = 1024

If there is no setting, the default value will be used.

extract() would perform a series of the above checks before decompression. If all pass, the zip file will be decompressed.

import sunzip

f = sunzip.Sunzip("archive.zip")

f.extract()

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sunzip-0.0.5.tar.gz (5.9 kB view details)

Uploaded Source

Built Distribution

sunzip-0.0.5-py3-none-any.whl (17.8 kB view details)

Uploaded Python 3

File details

Details for the file sunzip-0.0.5.tar.gz.

File metadata

  • Download URL: sunzip-0.0.5.tar.gz
  • Upload date:
  • Size: 5.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.6.1 requests/2.25.0 setuptools/49.2.1 requests-toolbelt/0.9.1 tqdm/4.54.0 CPython/3.9.0

File hashes

Hashes for sunzip-0.0.5.tar.gz
Algorithm Hash digest
SHA256 c3616c9520d6ec55c5ac057d310c64b0ac6c6b9ed6f943e091c784e2232a1a0a
MD5 a873660d4a93a3e920e003d1530a8f3c
BLAKE2b-256 e1135a1029956e6a24299353e4bd4d30b41b37d91b75144a8e5b75625d4b816c

See more details on using hashes here.

File details

Details for the file sunzip-0.0.5-py3-none-any.whl.

File metadata

  • Download URL: sunzip-0.0.5-py3-none-any.whl
  • Upload date:
  • Size: 17.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.6.1 requests/2.25.0 setuptools/49.2.1 requests-toolbelt/0.9.1 tqdm/4.54.0 CPython/3.9.0

File hashes

Hashes for sunzip-0.0.5-py3-none-any.whl
Algorithm Hash digest
SHA256 5875f16fe412938e3d53bbc53af3356fab46b48eacdc059bfe4c5c8a2d03abf5
MD5 bf45b28b043c891cb74e83b55be5b337
BLAKE2b-256 7ef253ef897173fdac039c56faca2eada39ac3d4fc84d093429dae20106a7352

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page