[Feature] Scan zip file before uploading to avoid ZipBomb attack (#700)

zhou9584 · Le Zhou · web-flow · commit 7d41386ba523 · 2025-06-12T15:12:50.000+08:00
## Description  ### Linked GitHub issue ID: # ## Pull Request Checklist  - [ ] Tests for the changes have been added (for bug fixes / features) - [x] Code compiles correctly with all tests are passed. - [x] I've read the [contributing guide](https://github.com/microsoft/HydraLab/blob/main/CONTRIBUTING.md#making-changes-to-the-code) and followed the recommended practices. - [ ] [Wikis](https://github.com/microsoft/HydraLab/wiki) or [README](https://github.com/microsoft/HydraLab/blob/main/README.md) have been reviewed and added / updated if needed (for bug fixes / features) ### Does this introduce a breaking change? *If this introduces a breaking change for Hydra Lab users, please describe the impact and migration path.* - [ ] Yes - [ ] No ## How you tested it *Please make sure the change is tested, you can test it by adding UTs, do local test and share the screenshots, etc.* Please check the type of change your PR introduces: - [ ] Bugfix - [x] Feature - [ ] Technical design - [ ] Build related changes - [ ] Refactoring (no functional changes, no api changes) - [ ] Code style update (formatting, renaming) or Documentation content changes - [ ] Other (please describe): ### Feature UI screenshots or Technical design diagrams *If this is a relatively large or complex change, kick it off by drawing the tech design with PlantUML and explaining why you chose the solution you did and what alternatives you considered, etc...* --------- Co-authored-by: Le Zhou <zhoule@microsoft.com>
diff --git a/common/src/main/java/com/microsoft/hydralab/common/util/PkgUtil.java b/common/src/main/java/com/microsoft/hydralab/common/util/PkgUtil.java
@@ -44,6 +44,10 @@ public static JSONObject analysisFile(File file, EntityType entityType) {
                 } else if (file.getName().endsWith(FILE_SUFFIX.IPA_FILE)) {
                     res = analysisIpaFile(file);
                 } else if (file.getName().endsWith(FILE_SUFFIX.ZIP_FILE)) {
+                    // check for zip bomb attacks
+                    if (ZipBombChecker.isZipBomb(file)) {
+                        throw new HydraLabRuntimeException("Zip file is too large, possible zip bomb attack.");
+                    }
                     res = analysisZipFile(file);
                 }
 
@@ -112,11 +116,16 @@ private static JSONObject analysisIpaFile(File ipa) {
         try {
             String name, pkgName, version;
             File zipFile = convertToZipFile(ipa, FILE_SUFFIX.IPA_FILE);
+            if (ZipBombChecker.isZipBomb(zipFile)) {
+                throw new HydraLabRuntimeException("Zip file is too large, possible zip bomb attack.");
+            }
             Assert.notNull(zipFile, "Convert .ipa file to .zip file failed.");
             File file = getPlistFromZip(zipFile, zipFile.getParent());
             //Need third-party jar package dd-plist
             Assert.notNull(file, "Analysis .ipa file failed.");
             analysisPlist(file, res);
+        } catch (HydraLabRuntimeException ex) {
+            throw ex;
         } catch (Exception e) {
             e.printStackTrace();
         }
diff --git a/common/src/main/java/com/microsoft/hydralab/common/util/ZipBombChecker.java b/common/src/main/java/com/microsoft/hydralab/common/util/ZipBombChecker.java
@@ -0,0 +1,71 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package com.microsoft.hydralab.common.util;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipInputStream;
+
+public class ZipBombChecker {
+    private static final long MAX_UNCOMPRESSED_SIZE = 1024 * 1024 * 1024; // 1024 MB
+    private static final int MAX_ENTRIES = 10000;
+    private static final int MAX_NESTING_DEPTH = 5;
+
+    public static boolean isZipBomb(File file) {
+        return isZipBomb(file, 0);
+    }
+
+    private static boolean isZipBomb(File file, int depth) {
+        if (depth > MAX_NESTING_DEPTH) {
+            return true;
+        }
+
+        long totalUncompressedSize = 0;
+        int entryCount = 0;
+
+        try (ZipInputStream zis = new ZipInputStream(new FileInputStream(file))) {
+            ZipEntry entry;
+            byte[] buffer = new byte[8192];
+
+            while ((entry = zis.getNextEntry()) != null) {
+                entryCount++;
+                if (entryCount > MAX_ENTRIES) {
+                    return true;
+                }
+
+                if (!entry.isDirectory()) {
+                    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+                    int read;
+                    while ((read = zis.read(buffer)) != -1) {
+                        baos.write(buffer, 0, read);
+                        totalUncompressedSize += read;
+                        if (totalUncompressedSize > MAX_UNCOMPRESSED_SIZE) {
+                            return true;
+                        }
+                    }
+                    // check if the entry is a nested zip file
+                    if (entry.getName().toLowerCase().endsWith(".zip")) {
+                        byte[] nestedZipBytes = baos.toByteArray();
+                        File tempZip = File.createTempFile("nested", ".zip");
+                        try (FileOutputStream fos = new FileOutputStream(tempZip)) {
+                            fos.write(nestedZipBytes);
+                        }
+                        boolean nestedBomb = isZipBomb(tempZip, depth + 1);
+                        tempZip.delete();
+                        if (nestedBomb) {
+                            return true;
+                        }
+                    }
+                }
+                zis.closeEntry();
+            }
+        } catch (Exception e) {
+            return true; // If there's an error reading the zip, treat it as a potential zip bomb
+        }
+        return false;
+    }
+}
