ZIP Bombs
Got feedback or spotted a mistake?

Leave a comment at the end of this page or email contact@krishagni.com

What is a ZIP bomb?

Despite the name, a ZIP bomb is not a weapon in the conventional sense; it is neither a nuclear nor a hydrogen bomb. It is a software-based attack in which a seemingly small ZIP file expands disproportionately when decompressed, disrupting the system that unpacks it.

A ZIP bomb can:

a) Extract into a large number of files, overwhelming the file system.
b) Consume excessive disk space, filling storage disproportionately.
c) Do both, leading to system slowdown or failure.

For example, a ZIP file as small as 1 KB could expand to 10 GB or 100 GB when decompressed, or generate thousands of files, consuming critical file system metadata space.

How does OpenSpecimen detect whether the input ZIP is a bomb or not?

  1. OpenSpecimen doesn't blindly inflate the entire ZIP file at once. It inflates the ZIP file one chunk at a time, with a chunk size of 8 KB. After every chunk, OpenSpecimen computes the compression ratio (that is, the size inflated so far divided by the compressed file size). If at any point during inflation the compression ratio exceeds 10, it treats the input file as a bomb and reports an error to the user. Example error message below:

    [Screenshot: compression_ratio.png]
  2. OpenSpecimen does not allow any ZIP that contains more than 100 entries, or whose inflated size exceeds 1 GB.

    1. Error when the count of entries in the ZIP file exceeds 100

      [Screenshot: count_exceeds.png]
    2. Error when the inflated size exceeds 1 GB
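The two checks above, written out as an added Python example (this is illustrative code, not OpenSpecimen's own implementation): a chunked inflation loop using the page's 8 KB chunk, ratio limit of 10, 100-entry limit and 1 GB total limit, run over constructed in-memory archives. The compressed size comes from the ZIP entry header, which Python's zipfile also uses to cap how much each entry may inflate.

```python
import io
import random
import zipfile

CHUNK_SIZE = 8 * 1024     # inflate 8 KB of output at a time
MAX_RATIO = 10            # inflated bytes / compressed bytes
MAX_ENTRIES = 100
MAX_INFLATED = 1024 ** 3  # 1 GB total inflated size

class ZipBombError(Exception):
    pass

def check_zip(data: bytes) -> int:
    """Inflate chunk by chunk; raise on the first limit breached, else return inflated size."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            raise ZipBombError(f"{len(infos)} entries > {MAX_ENTRIES}")
        for info in infos:
            inflated = 0
            with zf.open(info) as entry:
                while chunk := entry.read(CHUNK_SIZE):
                    inflated += len(chunk)
                    total += len(chunk)
                    # re-checked after every chunk, so a bomb is rejected a few chunks in;
                    # compress_size is the header-declared value (0 for directory entries)
                    ratio = inflated / max(info.compress_size, 1)
                    if ratio > MAX_RATIO:
                        raise ZipBombError(f"{info.filename}: ratio {ratio:.1f} > {MAX_RATIO}")
                    if total > MAX_INFLATED:
                        raise ZipBombError(f"inflated size {total} > {MAX_INFLATED}")
    return total

def is_bomb(data: bytes) -> bool:
    try:
        check_zip(data)
    except ZipBombError:
        return True
    return False

def make_zip(entries: dict) -> bytes:  # constructed in-memory archive from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# constructed samples: 1 MB of zeros deflates to ~1 KB, so the ratio limit trips within
# the first two 8 KB chunks; seeded random bytes barely compress (ratio close to 1)
SAMPLE_BOMB = make_zip({"zeros.bin": b"\x00" * (1024 * 1024)})
SAMPLE_BENIGN = make_zip({"random.bin": random.Random(42).randbytes(4096)})
```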
