• Home
• org.sonarsource.dotnet
• sonar-vbnet-plugin
• 10.6.0.109712
• source code
• S5042.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.plugins.vbnet.S5042.html Maven / Gradle / Ivy

Successful Zip Bomb attacks occur when an application expands untrusted archive files without controlling the size of the expanded data, which can
lead to denial of service. A Zip bomb is usually a malicious archive file of a few kilobytes of compressed data but turned into gigabytes of
uncompressed data. To achieve this extreme compression ratio, attackers will
compress irrelevant data (eg: a long string of repeated bytes).
Ask Yourself Whether
Archives to expand are untrusted and:

  
 There is no validation of the number of entries in the archive. 
  
 There is no validation of the total size of the uncompressed data. 
  
 There is no validation of the ratio between the compressed and uncompressed archive entry. 

There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices

  
 Define and control the ratio between compressed and uncompressed data, in general the data compression ratio for most of the legit archives is
  1 to 3. 
  
 Define and control the threshold for maximum total size of the uncompressed data. 
  
 Count the number of file entries extracted from the archive and abort the extraction if their number is greater than a predefined threshold, in
  particular it’s not recommended to recursively expand archives (an entry of an archive could be also an archive). 

Sensitive Code Example
For Each entry As ZipArchiveEntry in archive.Entries
    ' entry.FullName could contain parent directory references ".." and the destinationPath variable could become outside of the desired path
    string destinationPath = Path.GetFullPath(Path.Combine(path, entry.FullName))
    entry.ExtractToFile(destinationPath) ' Sensitive, extracts the entry to a file

    Dim stream As Stream
    stream = entry.Open() ' Sensitive, the entry is about to be extracted
Next

Compliant Solution
Const ThresholdRatio As Double = 10
Const ThresholdSize As Integer = 1024 * 1024 * 1024 ' 1 GB
Const ThresholdEntries As Integer = 10000
Dim TotalSizeArchive, TotalEntryArchive, TotalEntrySize, Cnt As Integer
Dim Buffer(1023) As Byte
Using ZipToOpen As New FileStream("ZipBomb.zip", FileMode.Open), Archive As New ZipArchive(ZipToOpen, ZipArchiveMode.Read)
    For Each Entry As ZipArchiveEntry In Archive.Entries
        Using s As Stream = Entry.Open
            TotalEntryArchive += 1
            TotalEntrySize = 0
            Do
                Cnt = s.Read(Buffer, 0, Buffer.Length)
                TotalEntrySize += Cnt
                TotalSizeArchive += Cnt
                If TotalEntrySize / Entry.CompressedLength > ThresholdRatio Then Exit Do    ' Ratio between compressed And uncompressed data Is highly suspicious, looks Like a Zip Bomb Attack
            Loop While Cnt > 0
        End Using
        If TotalSizeArchive > ThresholdSize Then Exit For       ' The uncompressed data size Is too much for the application resource capacity
        If TotalEntryArchive > ThresholdEntries Then Exit For   ' Too much entries in this archive, can lead to inodes exhaustion of the system
    Next
End Using

See

  
 OWASP - Top 10 2021 Category A1 - Broken Access Control 
  
 OWASP - Top 10 2021 Category A5 - Security Misconfiguration 
  
 OWASP - Top 10 2017 Category A5 - Broken Access Control
  
  
 OWASP - Top 10 2017 Category A6 - Security
  Misconfiguration 
  
 CWE - CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification) 
  
 bamsoftware.com - A better Zip Bomb