Recipe Name:
Validate Zip Entries
Description:
Ensure the zip entry is validated for nesting depth and size
Level:
warning
Language:
  • java
Tags:
  • security
  • Java basic
Documentation

Zip entries should be validated before their contents are used, so that a crafted archive cannot exhaust memory, disk or CPU while it is being decompressed.

Processing zip files from an untrusted source raises several problems. A single entry can inflate to many times its compressed size, so the decompressed size of each entry and of the archive as a whole must be bounded, and the bound must be enforced on the bytes actually inflated rather than on the size recorded in the entry header, which the attacker also controls. Beyond size, the depth to which archives are nested inside one another, and the depth of the directory structure their entry names describe, can also drive memory and processing cost high enough to take the system down. The classic example of such an attack is the "decompression bomb" 42.zip, an archive of about 42 kilobytes that expands, through its nested archives, to roughly 4.5 petabytes.
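
The following is an added illustration of these checks, not code from this recipe or from the Secure Code Warrior rule set. It wraps java.util.zip.ZipInputStream so that every entry is drained under a per-entry byte limit, an archive-wide byte limit, a compression-ratio limit, an entry-count limit, a path-depth limit and a nesting-depth limit, and it recurses into entries that are themselves archives. The class name, the limit values and the three constructed archives built in main are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipException;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeZipReader {
    // All limits are assumptions chosen for this example; size them to what the application really needs.
    static final long MAX_TOTAL_BYTES = 50L * 1024 * 1024;  // decompressed bytes across the whole archive tree
    static final long MAX_ENTRY_BYTES = 10L * 1024 * 1024;  // decompressed bytes for a single entry
    static final int MAX_ENTRIES = 1_000;                   // entries per archive
    static final int MAX_NESTING = 1;                       // a zip inside a zip is allowed, deeper is not
    static final int MAX_PATH_DEPTH = 8;                    // directory levels in an entry name
    static final double MAX_RATIO = 100.0;                  // decompressed / compressed per entry

    /** Reads every entry under the limits above and returns the number of bytes actually inflated so far. */
    static long scan(InputStream in, int depth, long alreadyInflated) throws IOException {
        if (depth > MAX_NESTING) throw new ZipException("archive nested deeper than " + MAX_NESTING);
        long total = alreadyInflated;
        int entries = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zis = new ZipInputStream(in)) {
            for (ZipEntry e = zis.getNextEntry(); e != null; e = zis.getNextEntry()) {
                if (++entries > MAX_ENTRIES) throw new ZipException("more than " + MAX_ENTRIES + " entries");
                if (e.getName().split("/").length > MAX_PATH_DEPTH)
                    throw new ZipException("path too deep: " + e.getName());
                if (e.isDirectory()) continue;
                // Buffer nested archives so they can be scanned recursively; ordinary entries are just drained.
                ByteArrayOutputStream nested =
                        e.getName().toLowerCase().endsWith(".zip") ? new ByteArrayOutputStream() : null;
                // Never trust e.getSize() here: it is a header field the attacker wrote. Count what is inflated.
                long entryBytes = 0;
                for (int n; (n = zis.read(buf)) > 0; ) {
                    entryBytes += n;
                    total += n;
                    if (entryBytes > MAX_ENTRY_BYTES) throw new ZipException("entry too large: " + e.getName());
                    if (total > MAX_TOTAL_BYTES) throw new ZipException("archive expands beyond " + MAX_TOTAL_BYTES);
                    if (nested != null) nested.write(buf, 0, n);
                }
                // The compressed size is only known and verified once the entry has been read to its end.
                long compressed = e.getCompressedSize();
                if (compressed > 0 && (double) entryBytes / compressed > MAX_RATIO)
                    throw new ZipException("suspicious compression ratio for " + e.getName());
                if (nested != null) total = scan(new ByteArrayInputStream(nested.toByteArray()), depth + 1, total);
                zis.closeEntry();
            }
        }
        return total;
    }

    /** Builds a single-entry archive in memory (constructed test input for this example, not a real file). */
    static byte[] zipOf(String name, byte[] content) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(out)) {
            zos.putNextEntry(new ZipEntry(name));
            zos.write(content);
            zos.closeEntry();
        }
        return out.toByteArray();
    }

    static void check(String label, byte[] archive) {
        try {
            long n = scan(new ByteArrayInputStream(archive), 0, 0);
            System.out.println(label + ": accepted, " + n + " bytes inflated");
        } catch (IOException ex) {
            System.out.println(label + ": rejected (" + ex.getMessage() + ")");
        }
    }

    public static void main(String[] args) throws IOException {
        check("plain text file", zipOf("notes.txt", "hello, zip".getBytes()));
        // 5 MiB of zeros deflates to a few kilobytes, so the per-entry ratio check rejects it.
        check("highly compressible entry", zipOf("zeros.bin", new byte[5 * 1024 * 1024]));
        // zip -> zip -> zip exceeds MAX_NESTING = 1.
        byte[] inner = zipOf("leaf.txt", "x".getBytes());
        check("doubly nested archive", zipOf("outer.zip", zipOf("middle.zip", inner)));
        // A long directory chain trips the path-depth limit.
        check("deep path", zipOf("a/b/c/d/e/f/g/h/i/j.txt", "x".getBytes()));
    }
}
```

Two points are worth keeping in mind when adapting this. First, the byte counters are incremented on the output of the inflater, which is the only figure an attacker cannot forge; ZipInputStream does cross-check the header sizes against what it actually inflated, but only after the entry has been fully read, which is too late if no limit was applied while reading. Second, the example only drains entries to validate them; a real extractor would write each entry out inside the same read loop so that the limits apply during extraction rather than in a separate pass.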

Recipe
id: scw:java:zip-validation
version: 10
metadata:
  name: Validate Zip Entries
  shortDescription: Ensure the zip entry is validated for nesting depth and size
  level: warning
  language: java
  cweCategory: 409
  enabled: true
  descriptionFile: descriptions/Validate_Zip_Entries.html
  tags: security;Java basic
search:
  methodcall:
    name: getNextEntry
    type: java.util.zip.ZipInputStream
availableFixes: []