51369b610e
When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again.
131 lines
2.7 KiB
Plaintext
131 lines
2.7 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
For https://docs.python.org/3.5/library/tarfile.html[tarfile] module:
|
|
|
|
----
|
|
import tarfile
|
|
|
|
tfile = tarfile.open("TarBomb.tar")
|
|
tfile.extractall('./tmp/') # Sensitive
|
|
tfile.close()
|
|
----
|
|
|
|
For https://docs.python.org/dev/library/zipfile.html[zipfile] module:
|
|
|
|
----
|
|
import zipfile
|
|
|
|
zfile = zipfile.ZipFile('ZipBomb.zip', 'r')
|
|
zfile.extractall('./tmp/') # Sensitive
|
|
zfile.close()
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
For https://docs.python.org/3.5/library/tarfile.html[tarfile] module:
|
|
|
|
[source,python]
|
|
----
|
|
import tarfile
|
|
|
|
THRESHOLD_ENTRIES = 10000
|
|
THRESHOLD_SIZE = 1000000000
|
|
THRESHOLD_RATIO = 10
|
|
|
|
totalSizeArchive = 0;
|
|
totalEntryArchive = 0;
|
|
|
|
tfile = tarfile.open("TarBomb.tar")
|
|
for entry in tfile:
|
|
tarinfo = tfile.extractfile(entry)
|
|
|
|
totalEntryArchive += 1
|
|
sizeEntry = 0
|
|
result = b''
|
|
while True:
|
|
sizeEntry += 1024
|
|
totalSizeArchive += 1024
|
|
|
|
ratio = sizeEntry / entry.size
|
|
if ratio > THRESHOLD_RATIO:
|
|
# ratio between compressed and uncompressed data is highly suspicious, looks like a Zip Bomb Attack
|
|
break
|
|
|
|
chunk = tarinfo.read(1024)
|
|
if not chunk:
|
|
break
|
|
|
|
result += chunk
|
|
|
|
if totalEntryArchive > THRESHOLD_ENTRIES:
|
|
# too much entries in this archive, can lead to inodes exhaustion of the system
|
|
break
|
|
|
|
if totalSizeArchive > THRESHOLD_SIZE:
|
|
# the uncompressed data size is too much for the application resource capacity
|
|
break
|
|
|
|
tfile.close()
|
|
----
|
|
|
|
For https://docs.python.org/dev/library/zipfile.html[zipfile] module:
|
|
|
|
[source,python]
|
|
----
|
|
import zipfile
|
|
|
|
THRESHOLD_ENTRIES = 10000
|
|
THRESHOLD_SIZE = 1000000000
|
|
THRESHOLD_RATIO = 10
|
|
|
|
totalSizeArchive = 0;
|
|
totalEntryArchive = 0;
|
|
|
|
zfile = zipfile.ZipFile('ZipBomb.zip', 'r')
|
|
for zinfo in zfile.infolist():
|
|
print('File', zinfo.filename)
|
|
data = zfile.read(zinfo)
|
|
|
|
totalEntryArchive += 1
|
|
|
|
totalSizeArchive = totalSizeArchive + len(data)
|
|
ratio = len(data) / zinfo.compress_size
|
|
if ratio > THRESHOLD_RATIO:
|
|
# ratio between compressed and uncompressed data is highly suspicious, looks like a Zip Bomb Attack
|
|
break
|
|
|
|
if totalSizeArchive > THRESHOLD_SIZE:
|
|
# the uncompressed data size is too much for the application resource capacity
|
|
break
|
|
|
|
if totalEntryArchive > THRESHOLD_ENTRIES:
|
|
# too much entries in this archive, can lead to inodes exhaustion of the system
|
|
break
|
|
|
|
zfile.close()
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|