Zip bombs or compression bombs are trick archives that are custom structured to generate terabytes of garbage (or zeros) from a small archive. It turns out go-getter's decompression options and detectors are susceptible to this. This is behaviour by design, but it might be a good idea if go-getter verified an archive's size will fit in storage before decompression. This doesn't just apply to zip files but also xz, zstd, etc. Downloading a zip bomb today is actually detected and blocked by Chrome and some browsers to prevent you from accidentally filling your partition.
A crafty Nomad job of type "system" could instantly bring down an entire Nomad DC if the artifact is downloaded to all nodes and expanded to fill all storage. This pseudojob is missing the exec driver.
$ ~/go/bin/go-getter https://www.bamsoftware.com/hacks/zipbomb/zblg.zip /tmp/
2023/01/19 13:11:00 Error downloading: write /tmp/1: no space left on device
Beware zip bombs and please use caution if trying to reproduce this: https://www.bamsoftware.com/hacks/zipbomb/
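As an added illustration of the mitigation proposed in the issue (example code, not go-getter's own), the block below does a pre-extraction budget check on the uncompressed sizes a zip declares in its central directory, plus a hard cap on inflated bytes that also covers header-less stream formats such as xz and zstd. BuildZip and the names CheckZipBudget and ReadCapped are assumptions of this example; the sample archive it builds is constructed for the test and is not a real bomb.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"io"
)

// ErrTooLarge is returned when inflated output would exceed the budget.
var ErrTooLarge = errors.New("archive exceeds decompression budget")

// CheckZipBudget sums the uncompressed sizes declared in the central directory
// and rejects the archive before a single byte is inflated. The subtraction
// form cannot wrap a uint64 on absurd declared sizes.
func CheckZipBudget(data []byte, maxBytes uint64) (uint64, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return 0, err
	}
	var total uint64
	for _, f := range r.File {
		if f.UncompressedSize64 > maxBytes-total {
			return 0, ErrTooLarge
		}
		total += f.UncompressedSize64
	}
	return total, nil
}

// ReadCapped drains any decompressor stream (a zip entry, xz, zstd, gzip) but
// stops at maxBytes, so a lying header or a header-less format is still bounded.
func ReadCapped(r io.Reader, maxBytes int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, maxBytes+1)) // one extra byte detects overrun
	if err == nil && int64(len(buf)) > maxBytes {
		return nil, ErrTooLarge
	}
	return buf, err
}

// BuildZip is a constructed sample, not a real bomb: one entry of n zero bytes,
// which deflates to almost nothing and so has a bomb-like expansion ratio.
func BuildZip(name string, n int) []byte {
	var b bytes.Buffer
	w := zip.NewWriter(&b)
	f, _ := w.Create(name)
	f.Write(make([]byte, n))
	w.Close()
	return b.Bytes()
}
```

The header check alone is enough for archives that declare their real expanded size, which is why both checks belong in an extractor: the stream cap is what stops formats and archives that give no honest size up front.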