twbgc / sunzip

Licence: GPL-3.0 License
Provide secure unzip against zip bomb 💣.


SUNZIP


Introduction

Why are we doing this?

According to Cara Marie, an archive bomb, a.k.a. a zip bomb, is often employed to disable antivirus software in order to create an opening for more traditional viruses. In addition, various kinds of pitfalls may occur during decompression.

PyCon Korea-Click Click Boom! Bombs Over Our Minds

Description for decompression pitfalls on zipfile doc

What is a zip bomb?

It usually appears as a relatively small zip file whose uncompressed contents are far larger than the archive itself. This becomes a problem when your disk volume or memory is smaller than the uncompressed output.

How do we defend against zip bombs?

  • Defense Layer 1 - checks performed on the server side.
    1. Check whether it is a nested zip file (i.e. 42.zip).
    2. Check whether the compression ratio (Uncompressed Content/Compressed Content)
       is greater than the threshold.
    3. Check whether the file format is the one expected for the context.
    4. Check that the uploaded file size does not exceed the maximum limit.
  • Defense Layer 2 - limit the resources available to the process and its children.
    1. Check whether CPU time is greater than the threshold.
    2. Check whether the part extracted in memory is oversized (memory usage).
  • Defense Layer 3 - filetype-specific mitigations.

    Filetype: Archives

    1. Restrict output file size and number of extracted files
       to ensure the total doesn't exceed the maximum limit.

How do we set thresholds?

Defense Layer 1:
  Uncompressed content size:  200 MB (vt)
  Compression ratio:          https://youtu.be/IXkX2ojrKZQ?t=553

Defense Layer 2:
  CPU time:                   2 seconds (vt)
  Memory oversized:

Defense Layer 3:
  Output file size:
  Number of extracted files:
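Layers 1 and 3 above, worked through in code as an added example (this is not sunzip's own code): the central directory supplies the claimed sizes for the ratio, total-size and entry-count checks, the first bytes of each entry reveal a nested archive, and extraction then streams under a hard cap on the bytes actually produced instead of trusting the headers. The limits are assumed values for the example, not sunzip's defaults; the Layer 2 CPU/memory limits are left to the OS and are not shown.

```python
import io
import zipfile
# Constructed limits for this example (assumptions, not sunzip's defaults).
MAX_RATIO, MAX_FILES = 100, 100        # uncompressed/compressed bytes; entry count
MAX_TOTAL_BYTES = 5 * 1024 * 1024      # hard cap on bytes actually produced
class ZipBombError(Exception):
    pass

def precheck(zf):
    """Layer 1: central-directory checks, run before any full decompression."""
    infos = [i for i in zf.infolist() if not i.is_dir()]
    if len(infos) > MAX_FILES:
        raise ZipBombError(f"too many entries ({len(infos)})")
    claimed = sum(i.file_size for i in infos)
    ratio = claimed / (sum(i.compress_size for i in infos) or 1)
    if claimed > MAX_TOTAL_BYTES or ratio > MAX_RATIO:
        raise ZipBombError(f"claimed {claimed} bytes, ratio {ratio:.0f}")
    for i in infos:  # nested archive (42.zip style): an entry starting with a zip header
        with zf.open(i) as fh:
            if fh.read(4) == b"PK\x03\x04":
                raise ZipBombError(f"nested zip entry {i.filename!r}")

def safe_extract(data, out):
    """Layer 3: stream entries into dict `out` under a cap on produced bytes."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        precheck(zf)
        for info in (i for i in zf.infolist() if not i.is_dir()):
            buf = io.BytesIO()
            with zf.open(info) as fh:
                while chunk := fh.read(64 * 1024):
                    total += len(chunk)  # count real output, not header claims
                    if total > MAX_TOTAL_BYTES:
                        raise ZipBombError("output cap exceeded during extraction")
                    buf.write(chunk)
            out[info.filename] = buf.getvalue()
    return total

def verdict(data):  # 'ok:<bytes>' if every check passes, else 'rejected:<reason>'
    try:
        return f"ok:{safe_extract(data, {})}"
    except ZipBombError as e:
        return f"rejected:{e}"

def build_zip(entries):  # constructed sample archive from {filename: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```

A 2 MiB file of zeros deflates to a few kilobytes and is rejected on ratio alone, while a zip placed inside a zip passes the ratio check and is caught by the header peek.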

Useful resources

Bomb Codes
https://bomb.codes/

Mitigation Summary
https://youtu.be/IXkX2ojrKZQ?t=1296

Defense layers
https://bomb.codes/mitigations

Install

$ pip3 install sunzip
# for development use "development mode"
# https://packaging.python.org/tutorials/installing-packages/
$ pip3 install -e <directory to project root>

Usage

# for command line usage see the help
$ sunzip-cli -h

You can find the arguments defined at the top of cli.py.

import sunzip

f = sunzip.Sunzip("archive.zip")

Customize your resource limit.

Maximum compression ratio threshold

f.threshold = 50

Maximum CPU time (second)

f.cpu = 1

Maximum memory usage (byte)

f.memory = 1024

Maximum file size (byte)

f.filesize = 1024

If there is no setting, the default value will be used.

extract() performs the series of checks described above before decompression. If all of them pass, the zip file is decompressed.

import sunzip

f = sunzip.Sunzip("archive.zip")

f.extract()