{ "info": { "author": "JunWeiSong,KunYuChen", "author_email": "sungboss2004@gmail.com", "bugtrack_url": null, "classifiers": [ "License :: OSI Approved :: GNU Lesser General Public License v3 (LGPLv3)", "Operating System :: OS Independent", "Programming Language :: Python :: 3" ], "description": "# SUNZIP\n\n## Introduction\n\n### Why are we doing this?\n\nAccording to [Cara Marie](https://youtu.be/IXkX2ojrKZQ?t=331), an archive bomb, a.k.a. a zip bomb, is often employed to disable antivirus software in order to create an opening for more traditional viruses. In addition, various kinds of pitfalls may occur during decompression.\n\n### Decompression pitfalls\n\n> The extraction in the zipfile module might fail against some of the pitfalls listed below.\n\n**From the file itself**\n\nDecompression may fail due to an incorrect password / CRC checksum / ZIP format or an\nunsupported compression method / decryption.\n\n**File system limitations**\n\nExceeding the limitations of different file systems can cause decompression to fail,\nsuch as the allowable characters in directory entries, the length of the file name,\nthe length of the pathname, the size of a single file, the number of files, etc.\n\n**Resource limitations**\n\nA lack of memory or disk volume would lead to decompression failure. \nFor example, decompression bombs (aka `ZIP Bomb`) applied to the zipfile library \ncan cause disk volume exhaustion.\n\n**Interruption**\n\nInterruption during decompression, such as pressing control-C or killing the\ndecompression process, may result in incomplete decompression of the archive.\n\n**Default behaviors of extraction**\n\nNot knowing the default extraction behaviors can cause unexpected decompression results.\nFor example, when extracting the same archive twice, it overwrites files without asking.\n\n### What is a zip bomb?\nIt often appears as a relatively small zip file, 
and the unzipped content will be much larger than the zipped one.\nThis would probably cause a problem when your disk volume or memory is smaller than the unzipped content.\n\n### How do we defend against zip bombs?\n\n* Defense Layer 1 - checks performed on the server side.\n\n```\n 1. Check if it's a nested zip file. (e.g. 42.zip)\n 2. Check if the compression ratio (Uncompressed Content/Compressed Content) \n is greater than the threshold.\n 3. Check if the file format is expected for the context.\n 4. Check that the uploaded file size does not exceed the maximum limit. \n```\n\n* Defense Layer 2 - limit the number of resources available to the process and its children.\n\n```\n 1. Check if CPU time is greater than the threshold.\n 2. Check if the extracted part in memory is oversized. (memory usage)\n```\n\n* Defense Layer 3 - filetype-specific mitigations.\n\n Filetype: Archives\n```\n 1. Restrict output file size and number of extracted files \n to ensure the total doesn't exceed the maximum limit.\n```\n\n### How do we set thresholds?\n\n ```\n Defense Layer 1:\n Uncompressed content size: 200 MB (vt)\n Compression ratio: https://youtu.be/IXkX2ojrKZQ?t=553\n\n Defense Layer 2:\n CPU time: 2 seconds (vt)\n Memory oversized:\n\n Defense Layer 3:\n Output file size:\n Number of extracted files:\n ```\n\n### Useful resources\n\n ```\n Bomb Codes\n https://bomb.codes/\n\n Mitigation Summary\n https://youtu.be/IXkX2ojrKZQ?t=1296\n\n Defense layers\n https://bomb.codes/mitigations\n ```\n\n\n## Install\n\n\n```bash\n$ pip3 install sunzip\n```\n\n\n## Usage\n\n```python\nimport sunzip\n\nf = sunzip(\"archive.zip\")\n```\n\n\n**Customize your resource limits.**\n\n*Maximum compression ratio threshold*\n```python\nf.threshold = 50\n```\n*Maximum CPU time*\n```python\nf.cpu = 1\n```\n*Maximum memory usage*\n```python\nf.memory = 1024\n```\n*Maximum file size*\n```python\nf.filesize = 1024\n```\n\nIf no value is set, the default value will be used.\n\n`extract()` would perform a series of 
the above checks before decompression. If all pass, the zip file will be decompressed.\n\n```python\nimport sunzip\n\nf = sunzip(\"archive.zip\")\n\nf.extract()\n```\n\n\n", "description_content_type": "text/markdown", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/twbgc/sunzip", "keywords": "secure unzip,zipbomb", "license": "MIT Licence", "maintainer": "", "maintainer_email": "", "name": "sunzip", "package_url": "https://pypi.org/project/sunzip/", "platform": "", "project_url": "https://pypi.org/project/sunzip/", "project_urls": { "Homepage": "https://github.com/twbgc/sunzip" }, "release_url": "https://pypi.org/project/sunzip/0.0.1/", "requires_dist": null, "requires_python": "", "summary": "Provide secure unzip against zip bomb.", "version": "0.0.1" }, "last_serial": 5390276, "releases": { "0.0.1": [ { "comment_text": "", "digests": { "md5": "a68497e8111c4630886eefec87287c7a", "sha256": "8a9f8845270dc3a1be128bac3da8f966dfd9690f8fec703eea398fb9548d3f89" }, "downloads": -1, "filename": "sunzip-0.0.1-py3-none-any.whl", "has_sig": false, "md5_digest": "a68497e8111c4630886eefec87287c7a", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 4496, "upload_time": "2019-06-12T09:33:40", "url": "https://files.pythonhosted.org/packages/05/8f/0bbda2699b62068cf5459429191f00867ce38093cbd046572dd9ceb99be3/sunzip-0.0.1-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "671955da17317290bdf2e46b396f748e", "sha256": "5eaf7a4ac4abbd8a9cc39e12e56271b10737be132f2da701ca65fc3f41abd4b6" }, "downloads": -1, "filename": "sunzip-0.0.1.tar.gz", "has_sig": false, "md5_digest": "671955da17317290bdf2e46b396f748e", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 4489, "upload_time": "2019-06-12T09:33:42", "url": 
"https://files.pythonhosted.org/packages/24/07/5da29b65ba17eecd84df883d6bc0cd97c041aa51359a025fd863d9a45782/sunzip-0.0.1.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "a68497e8111c4630886eefec87287c7a", "sha256": "8a9f8845270dc3a1be128bac3da8f966dfd9690f8fec703eea398fb9548d3f89" }, "downloads": -1, "filename": "sunzip-0.0.1-py3-none-any.whl", "has_sig": false, "md5_digest": "a68497e8111c4630886eefec87287c7a", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 4496, "upload_time": "2019-06-12T09:33:40", "url": "https://files.pythonhosted.org/packages/05/8f/0bbda2699b62068cf5459429191f00867ce38093cbd046572dd9ceb99be3/sunzip-0.0.1-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "671955da17317290bdf2e46b396f748e", "sha256": "5eaf7a4ac4abbd8a9cc39e12e56271b10737be132f2da701ca65fc3f41abd4b6" }, "downloads": -1, "filename": "sunzip-0.0.1.tar.gz", "has_sig": false, "md5_digest": "671955da17317290bdf2e46b396f748e", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 4489, "upload_time": "2019-06-12T09:33:42", "url": "https://files.pythonhosted.org/packages/24/07/5da29b65ba17eecd84df883d6bc0cd97c041aa51359a025fd863d9a45782/sunzip-0.0.1.tar.gz" } ] }