add a basic guard against mundane zipbombz (#13877)

ewdurbin · web-flow · commit 77c043272645 · 2023-06-06T14:45:20.000-04:00
* add a basic guard against mundane zipbombz

* lint
diff --git a/tests/unit/forklift/test_legacy.py b/tests/unit/forklift/test_legacy.py
@@ -624,6 +624,15 @@ def test_zipfile_unsupported_compression(self, tmpdir, method):
 
         assert not legacy._is_valid_dist_file(f, "")
 
+    def test_zipfile_exceeds_compression_threshold(self, tmpdir):
+        f = str(tmpdir.join("test.zip"))
+
+        with zipfile.ZipFile(f, "w") as zfp:
+            zfp.writestr("PKG-INFO", b"this is the package info")
+            zfp.writestr("1.dat", b"0" * 10240, zipfile.ZIP_DEFLATED)
+
+        assert not legacy._is_valid_dist_file(f, "")
+
     def test_egg_no_pkg_info(self, tmpdir):
         f = str(tmpdir.join("test.egg"))
 
diff --git a/warehouse/forklift/legacy.py b/warehouse/forklift/legacy.py
@@ -28,6 +28,7 @@
 import packaging_legacy.version
 import pkg_resources
 import requests
+import sentry_sdk
 import wtforms
 import wtforms.validators
 
@@ -81,6 +82,8 @@
 
 PATH_HASHER = "blake2_256"
 
+COMPRESSION_RATIO_THRESHOLD = 10
+
 
 # Wheel platform checking
 
@@ -670,6 +673,19 @@ def _is_valid_dist_file(filename, filetype):
     # If our file is a zipfile, then ensure that it's members are only
     # compressed with supported compression methods.
     if zipfile.is_zipfile(filename):
+        # Ensure the compression ratio is not absurd (decompression bomb)
+        compressed_size = os.stat(filename).st_size
+        with zipfile.ZipFile(filename) as zfp:
+            decompressed_size = sum(e.file_size for e in zfp.infolist())
+        if decompressed_size / compressed_size > COMPRESSION_RATIO_THRESHOLD:
+            sentry_sdk.capture_message(
+                f"File {filename} ({filetype}) exceeds compression ratio "
+                "of {COMPRESSION_RATIO_THRESHOLD} "
+                "({decompressed_size}/{compressed_size})"
+            )
+            return False
+
+        # Check that the compression type is valid
         with zipfile.ZipFile(filename) as zfp:
             for zinfo in zfp.infolist():
                 if zinfo.compress_type not in {
@@ -680,6 +696,9 @@ def _is_valid_dist_file(filename, filetype):
 
     tar_fn_match = _tar_filenames_re.search(filename)
     if tar_fn_match:
+        # TODO: Ideally Ensure the compression ratio is not absurd
+        # (decompression bomb), like we do for wheel/zip above.
+
         # Ensure that this is a valid tar file, and that it contains PKG-INFO.
         z_type = tar_fn_match.group("z_type") or ""
         try:
