Preventing ZIP Bombs: How Pompelmi Protects Your Application
Deep dive into ZIP bomb attacks and how Pompelmi's multi-layered defense mechanisms keep your Node.js applications safe.
ZIP bombs are a deceptively simple yet devastating attack vector. A tiny compressed file can expand to gigabytes or even terabytes of data, consuming all available memory and disk space, effectively bringing your application to a halt.
Understanding ZIP Bombs
A ZIP bomb exploits the compression algorithm’s efficiency. By creating files with highly repetitive patterns, attackers can achieve extreme compression ratios. The infamous 42.zip is only 42 kilobytes but expands to 4.5 petabytes when fully decompressed.
The Anatomy of an Attack
- Attacker uploads a small, innocent-looking ZIP file
- Your server attempts to process or extract it
- Memory exhaustion occurs as the file expands
- Service disruption or complete server crash
Pompelmi’s Multi-Layered Defense
Pompelmi employs several strategies to detect and prevent ZIP bomb attacks:
1. Entry Count Limits
Pass the maxEntries option to createZipBombGuard:
```ts
import { createZipBombGuard } from 'pompelmi';

const zipGuard = createZipBombGuard({
  maxEntries: 1000, // Prevent archives with excessive files
});
```
2. Nesting Depth Control
ZIP bombs often use nested archives (ZIPs within ZIPs). Pompelmi tracks nesting depth and rejects overly complex structures:
```ts
const zipGuard = createZipBombGuard({
  maxZipDepth: 3, // Limit recursive archive inspection
});
```
3. Uncompressed Size Validation
Before extraction, Pompelmi reads ZIP central-directory headers to calculate the total declared uncompressed size and rejects the file before decompressing a single byte:
```ts
const zipGuard = createZipBombGuard({
  maxTotalUncompressedBytes: 100 * 1024 * 1024, // 100 MB total
});
```
4. Compression Ratio Guard
```ts
const zipGuard = createZipBombGuard({
  maxCompressionRatio: 100, // Block files compressed > 100x
});
```
5. Composing with Other Scanners
Wire the ZIP guard alongside content heuristics:
```ts
import { composeScanners, CommonHeuristicsScanner, createZipBombGuard } from 'pompelmi';

const scanner = composeScanners(
  [
    ['zipGuard', createZipBombGuard({
      maxEntries: 500,
      maxTotalUncompressedBytes: 50 * 1024 * 1024,
      maxCompressionRatio: 50,
    })],
    ['heuristics', CommonHeuristicsScanner],
  ],
  { parallel: false, stopOn: 'malicious', tagSourceName: true }
);
```
Best Practices
- Always set reasonable limits based on your use case
- Monitor compression ratios for anomalies
- Log suspicious uploads for security auditing
- Educate users about file upload policies
- Keep Pompelmi updated for latest threat detection
Conclusion
ZIP bombs remain a significant threat, but with proper defenses, they’re completely preventable. Pompelmi’s comprehensive approach ensures your application stays safe without sacrificing legitimate functionality.
Related posts:
- MIME sniffing and magic bytes
- 17 common file upload security mistakes
- Pompelmi vs ClamAV: choosing the right scanner
Ready to protect your application? Check out our Getting Started guide.