andrewmusselman opened a new issue, #604:
URL: https://github.com/apache/tooling-trusted-releases/issues/604

   ## Summary
   
   Archive extraction does not limit the number of members, allowing zip bomb attacks with millions of small files that overwhelm the filesystem with metadata operations.
   
   ## ASVS Requirements
   
   - 5.2.1 - Verify that file processing cannot cause denial of service
   
   ## Related Audit Reports
   
   - [5.2.1.md](ASVS/reports/44ee502/L1/5.2.1.md) - Archive member count findings
   
   ## Affected Files
   
   - `atr/tarzip.py` - Archive extraction functions
   
   ## Current Behavior
   
   Archives are extracted without checking total member count, allowing attacks with extremely large numbers of small files.
   
   ## Risk
   
   - Filesystem exhaustion (inode depletion)
   - Memory exhaustion building file lists
   - Denial of service
   - Worker process starvation
   
   ## Recommended Fix
   
   ```python
   # atr/tarzip.py
   import tarfile
   from pathlib import Path
   from typing import Final
   
   MAX_ARCHIVE_MEMBERS: Final[int] = 100000  # Configurable limit
   
   def extract_archive_safely(archive_path: Path, dest_path: Path) -> None:
       """Extract archive with member count limits."""
       with tarfile.open(archive_path, 'r:*') as tar:
           # getmembers() reads every header before the check runs
           members = tar.getmembers()
           if len(members) > MAX_ARCHIVE_MEMBERS:
               raise ValueError(
                   f"Archive contains too many members: {len(members)} > {MAX_ARCHIVE_MEMBERS}"
               )
           # Continue with existing size/path checks...
           for member in members:
               ...  # existing extraction logic
   ```
   
   ## Acceptance Criteria
   
   - [ ] Maximum member count limit enforced (recommend 10,000)
   - [ ] Clear error message when limit exceeded
   - [ ] Configurable limit for legitimate large archives
   - [ ] Applied to both tar and zip extraction
   - [ ] Test cases for archives with excessive member counts


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
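Added example, not code from the issue above or from atr/tarzip.py: a member-count check that covers both tar and zip, as the acceptance criteria ask, and that rejects a hostile archive before building a full member list or touching the destination directory. For tar it iterates headers one at a time and stops at the first member past the limit, instead of calling getmembers() on the whole archive; for zip the count comes from the central directory, which zipfile has already parsed on open. The function and class names, the constructed sample archives, and the 10,000 default (taken from the acceptance criteria) are this example's own assumptions; how the project's existing size and path checks are wired in is not known from the issue.

```python
"""Member-count limits for tar and zip extraction (added example, not atr/tarzip.py)."""
from __future__ import annotations

import io
import tarfile
import tempfile
import zipfile
from pathlib import Path
from typing import Final

# Assumed per-deployment ceiling; 10,000 is the figure in the acceptance criteria.
DEFAULT_MAX_MEMBERS: Final[int] = 10_000


class TooManyMembersError(ValueError):
    """Raised before any member is written to disk."""

    def __init__(self, kind: str, limit: int, seen: int) -> None:
        super().__init__(f"{kind} archive rejected: more than {limit} members (saw {seen})")
        self.kind, self.limit, self.seen = kind, limit, seen


def bounded_tar_members(tar: tarfile.TarFile, max_members: int) -> list[tarfile.TarInfo]:
    """Read headers one at a time and stop at the first member past the limit.

    Iterating a TarFile parses one 512-byte header per step, so an archive with
    millions of entries is rejected after max_members + 1 headers and the list
    held in memory never exceeds max_members. getmembers() would materialise
    every header first, which is the memory-exhaustion path the issue lists.
    """
    members: list[tarfile.TarInfo] = []
    for member in tar:
        if len(members) >= max_members:
            raise TooManyMembersError("tar", max_members, len(members) + 1)
        members.append(member)
    return members


def bounded_zip_members(zf: zipfile.ZipFile, max_members: int) -> list[zipfile.ZipInfo]:
    """zipfile parses the whole central directory on open, so the count is known
    up front. Each directory entry is at least 46 bytes on disk, so memory spent
    before this check is bounded by archive size; pair it with a size limit."""
    members = zf.infolist()
    if len(members) > max_members:
        raise TooManyMembersError("zip", max_members, len(members))
    return members


def extract_archive_safely(archive_path: Path, dest_path: Path,
                           max_members: int = DEFAULT_MAX_MEMBERS) -> int:
    """Count-check, then extract; returns the number of members extracted.
    dest_path is only created once the archive has passed the check."""
    if zipfile.is_zipfile(archive_path):
        with zipfile.ZipFile(archive_path) as zf:
            members = bounded_zip_members(zf, max_members)
            dest_path.mkdir(parents=True, exist_ok=True)
            zf.extractall(dest_path)  # zipfile strips absolute and ".." components itself
            return len(members)
    if tarfile.is_tarfile(archive_path):
        with tarfile.open(archive_path, "r:*") as tar:
            members = bounded_tar_members(tar, max_members)
            dest_path.mkdir(parents=True, exist_ok=True)
            if hasattr(tarfile, "data_filter"):  # PEP 706 filter: blocks path escapes
                tar.extractall(dest_path, members=members, filter="data")
            else:  # older interpreter: separate path checks must cover traversal
                tar.extractall(dest_path, members=members)
            return len(members)
    raise ValueError(f"{archive_path} is neither a tar nor a zip archive")


def build_sample_archives(directory: Path, n_members: int) -> tuple[Path, Path]:
    """Constructed input: a tar and a zip holding n_members tiny text files each."""
    tar_path, zip_path = directory / "sample.tar", directory / "sample.zip"
    with tarfile.open(tar_path, "w") as tar:
        for i in range(n_members):
            data = f"file {i}\n".encode()
            info = tarfile.TarInfo(name=f"pkg/f{i}.txt")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    with zipfile.ZipFile(zip_path, "w") as zf:
        for i in range(n_members):
            zf.writestr(f"pkg/f{i}.txt", f"file {i}\n")
    return tar_path, zip_path


def demo(n_members: int = 8, limit: int = 5) -> dict[str, object]:
    """Run the reject path (limit < n_members) and the accept path for both formats."""
    out: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        tar_path, zip_path = build_sample_archives(base, n_members)
        for kind, path in (("tar", tar_path), ("zip", zip_path)):
            dest = base / f"reject_{kind}"
            try:
                extract_archive_safely(path, dest, max_members=limit)
                out[f"{kind}_rejected"] = False
            except TooManyMembersError as exc:
                out[f"{kind}_rejected"] = True
                out[f"{kind}_seen"] = exc.seen
                out[f"{kind}_error"] = str(exc)
            out[f"{kind}_dest_created"] = dest.exists()  # nothing touched on rejection
            ok_dest = base / f"ok_{kind}"
            out[f"{kind}_extracted"] = extract_archive_safely(path, ok_dest, max_members=n_members)
            out[f"{kind}_files_on_disk"] = sum(1 for p in ok_dest.rglob("*") if p.is_file())
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tar and zip checks report the count differently on rejection: the tar path stops reading at limit + 1, so `seen` is one past the limit, while the zip path knows the full count from the central directory. Both raise before `dest_path` exists, so a rejected upload leaves no partial extraction behind for the worker to clean up.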
