fix(security): validate decompressed file size to prevent ZIP bomb attacks#960
Open
anshul23102 wants to merge 4 commits into
Open
fix(security): validate decompressed file size to prevent ZIP bomb attacks#960anshul23102 wants to merge 4 commits into
anshul23102 wants to merge 4 commits into
Conversation
- Add _required_env() helper function to enforce mandatory configuration - Update jwt_secret to use _required_env() instead of fallback to default - Application now fails fast at startup if JWT_SECRET is not set - Prevents token forgery attacks from known default secrets Closes imDarshanGK#707
- Import get_current_user dependency from security module - Add authentication requirement to all history endpoints - Filter history records by current_user.id to prevent cross-user access - Ensure users can only access their own analysis history - Save user_id when storing new history entries Closes imDarshanGK#708
- Add TRUST_PROXY_HEADERS environment variable to control proxy header trust - Only use X-Forwarded-For if explicitly enabled via TRUST_PROXY_HEADERS=true - Default to disabled (uses direct connection IP) for security - Use rightmost IP in X-Forwarded-For chain (most recent hop) - Prevents trivial per-IP rate limit bypass from spoofed headers - Improves rate limiting accuracy in production deployments Closes imDarshanGK#709
…tacks - Move file size validation to occur AFTER decompression - Use actual decompressed size (len(raw)) instead of spoofable central directory header - Add per-file size limit (2MB) to catch individual bomb files - Track cumulative decompressed size and enforce total limit - Abort extraction if any limit exceeded during decompression - Prevents ZIP bombs that report small compressed size but expand to gigabytes Closes imDarshanGK#710
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes the ZIP bomb vulnerability by validating decompressed file sizes instead of relying on spoofable compressed metadata. The endpoint now safely handles malicious ZIP files that claim small size but expand to gigabytes.
Problem
The analyze_zip endpoint checked file size from the ZIP central directory header (info.file_size) BEFORE decompression. Attackers can forge this header to report tiny sizes while the actual decompressed data is gigabytes, causing:
Solution
Changes
Security Impact
Testing
Related Issue
Closes #710
This contribution is part of GSSoC 2026. Please consider adding the gssoc-approved label when reviewed.