Commit c4765939 authored by Sergey Toshin's avatar Sergey Toshin

Changes MAX_SIZE_DIFF in ZipSecurity, and adds extra logging

parent 089467a4
...@@ -10,7 +10,7 @@ public class ZipSecurity { ...@@ -10,7 +10,7 @@ public class ZipSecurity {
private static final Logger LOG = LoggerFactory.getLogger(ZipSecurity.class); private static final Logger LOG = LoggerFactory.getLogger(ZipSecurity.class);
// size of uncompressed zip entry shouldn't be bigger of compressed in MAX_SIZE_DIFF times // size of uncompressed zip entry shouldn't be bigger of compressed in MAX_SIZE_DIFF times
private static final int MAX_SIZE_DIFF = 10; private static final int MAX_SIZE_DIFF = 25;
private static boolean isInSubDirectory(File base, File file) { private static boolean isInSubDirectory(File base, File file) {
if (file == null) { if (file == null) {
...@@ -45,6 +45,8 @@ public class ZipSecurity { ...@@ -45,6 +45,8 @@ public class ZipSecurity {
long compressedSize = entry.getCompressedSize(); long compressedSize = entry.getCompressedSize();
long uncompressedSize = entry.getSize(); long uncompressedSize = entry.getSize();
if(compressedSize < 0 || uncompressedSize < 0) { if(compressedSize < 0 || uncompressedSize < 0) {
LOG.error("Zip bomp attack detected, invalid sizes: compressed {}, uncompressed {}, name {}",
compressedSize, uncompressedSize, entry.getName());
return true; return true;
} }
if(compressedSize * MAX_SIZE_DIFF < uncompressedSize) { if(compressedSize * MAX_SIZE_DIFF < uncompressedSize) {
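Review bot: The log message added in the second hunk misspells the condition it reports — `"Zip bomp attack detected, invalid sizes: ..."` should read `"Zip bomb attack detected, invalid sizes: ..."`; anything that searches logs for the existing "zip bomb" wording would miss this entry. Separately, the ratio test on the last line of the hunk multiplies a header-supplied `long` by `MAX_SIZE_DIFF` with no overflow guard, so an entry declaring a compressed size large enough to wrap the product (plausible with 64-bit zip64 fields, though the reader in use is not visible here) can produce a value that satisfies the comparison; `if (compressedSize > Long.MAX_VALUE / MAX_SIZE_DIFF || compressedSize * MAX_SIZE_DIFF < uncompressedSize) {` removes that case. Both sizes come from the entry header rather than from bytes actually inflated, so presumably the code that reads the entry also bounds what it writes out — worth confirming, since the enclosing method starts and ends outside this hunk.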