Recipe Name:
Validate Zip Entries
Description:
Ensure the zip entry is validated for nesting depth and size
Level:
warning
Language:
- java
Tags:
- security
- Java basic
Documentation
Zip entries should be validated to prevent unexpected processing issues.
Processing zip files supplied by an untrusted source raises several issues. An individual entry can be many times larger after decompression than in its compressed form, which can exhaust memory or other limited system resources. Beyond size, the depth to which zip files are nested, or the depth of the folder structures they contain, can also cause memory or performance problems, potentially taking the system down. An example of such an attack is a so-called "decompression bomb", in which a zip of 42 kilobytes decompresses to 4.5 petabytes.
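One way to apply these checks around the `getNextEntry` call the recipe flags, as an added example that is not part of the recipe itself. The class name `SafeZipReader` and all limit values are assumptions to be tuned per application.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Locale;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public class SafeZipReader {
    // Illustrative limits (assumptions, not values from the recipe).
    static final int MAX_ENTRIES = 1_000;
    static final long MAX_ENTRY_BYTES = 10L * 1024 * 1024;
    static final long MAX_TOTAL_BYTES = 100L * 1024 * 1024;
    static final int MAX_PATH_DEPTH = 10;
    static final int MAX_NESTING = 2;

    private int entries = 0;      // shared across nested archives
    private long totalBytes = 0;  // shared across nested archives

    public void scan(InputStream in, int nesting) throws IOException {
        if (nesting > MAX_NESTING) throw new IOException("zip nesting too deep");
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) throw new IOException("too many entries");
                String name = entry.getName();
                if (name.split("/").length > MAX_PATH_DEPTH) throw new IOException("path too deep: " + name);
                if (entry.isDirectory()) continue;
                byte[] data = readBounded(zis, name);
                if (name.toLowerCase(Locale.ROOT).endsWith(".zip")) {
                    scan(new ByteArrayInputStream(data), nesting + 1); // nested archive
                }
                // Hand `data` to the application here.
            }
        }
    }

    // Count bytes as they are inflated: ZipEntry.getSize() is declared by the archive and may be -1.
    private byte[] readBounded(ZipInputStream zis, String name) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        long entryBytes = 0;
        for (int n; (n = zis.read(buf)) != -1; ) {
            entryBytes += n;
            totalBytes += n;
            if (entryBytes > MAX_ENTRY_BYTES || totalBytes > MAX_TOTAL_BYTES) throw new IOException("size limit exceeded at " + name);
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }
}
```

Call `new SafeZipReader().scan(inputStream, 0)` per uploaded archive; a fresh instance resets the entry and byte counters.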
Recipe
id: scw:java:zip-validation
version: 10
metadata:
  name: Validate Zip Entries
  shortDescription: Ensure the zip entry is validated for nesting depth and size
  level: warning
  language: java
  cweCategory: 409
  enabled: true
  descriptionFile: descriptions/Validate_Zip_Entries.html
  tags: security;Java basic
search:
  methodcall:
    name: getNextEntry
    type: java.util.zip.ZipInputStream
availableFixes: []