0

I am trying to handle user-uploaded zip files in a Node.js web service. However, there are some situations where things can go wrong:

  1. The user uploads a zip file that contains symbolic links
  2. The zip file contains a file that is too big

For situation 1, I can check for symbolic links after unzipping, but this solution is a black-list approach. Is there a better solution?

For situation 2, I can check the unzipped size before unzipping, but this field could be arbitrarily modified and cannot be checked to prevent bad users.

So is there a more general solution to this?

t123yh
  • You need to control how items are unzipped and not extract items that are symbolic links and stop extracting an item when it is found to be too big. You should tell us how you are extracting the zip files. – Dan D. Feb 17 '18 at 07:38

1 Answer

0

for 1: try to encode the link with encodeURIComponent(); I'm not sure if it's OK

for 2: use Nginx to limit the file size
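
An added example, not part of the original question or answer, of the approach Dan D.'s comment describes: read the archive's central directory yourself, accept only entry types on an allow-list, and cap the bytes actually produced during inflation instead of trusting the declared size. The function names `listEntries` and `readEntry` are hypothetical, and the code assumes a non-ZIP64, unencrypted archive already held in a Buffer.

```javascript
'use strict';
const zlib = require('node:zlib');

const S_IFMT = 0o170000, S_IFREG = 0o100000, S_IFDIR = 0o040000;

// Parse the central directory; nothing is decompressed or written here.
function listEntries(zip) {
  let eocd = zip.length - 22;
  while (eocd >= 0 && zip.readUInt32LE(eocd) !== 0x06054b50) eocd--;
  if (eocd < 0) throw new Error('no end-of-central-directory record');
  const count = zip.readUInt16LE(eocd + 10);
  const entries = [];
  let p = zip.readUInt32LE(eocd + 16);
  for (let i = 0; i < count; i++) {
    if (zip.readUInt32LE(p) !== 0x02014b50) throw new Error('bad central directory');
    const nameLen = zip.readUInt16LE(p + 28);
    const type = (zip.readUInt32LE(p + 38) >>> 16) & S_IFMT; // Unix file type bits
    entries.push({
      name: zip.toString('utf8', p + 46, p + 46 + nameLen),
      method: zip.readUInt16LE(p + 10),
      compressedSize: zip.readUInt32LE(p + 20),
      declaredSize: zip.readUInt32LE(p + 24), // set by the uploader, never trusted
      // Allow-list: unset type, regular file or directory. Symlinks, devices, etc. fail.
      allowed: type === 0 || type === S_IFREG || type === S_IFDIR,
      localOffset: zip.readUInt32LE(p + 42),
    });
    p += 46 + nameLen + zip.readUInt16LE(p + 30) + zip.readUInt16LE(p + 32);
  }
  return entries;
}

// Return one entry's bytes, aborting once the real output passes maxBytes.
function readEntry(zip, entry, maxBytes) {
  if (!entry.allowed) throw new Error(`entry type not allowed: ${entry.name}`);
  const o = entry.localOffset;
  if (zip.readUInt32LE(o) !== 0x04034b50) throw new Error('bad local header');
  const start = o + 30 + zip.readUInt16LE(o + 26) + zip.readUInt16LE(o + 28);
  const data = zip.subarray(start, start + entry.compressedSize);
  if (entry.method === 0) { // stored: output size equals input size
    if (data.length > maxBytes) throw new RangeError('entry exceeds size cap');
    return Buffer.from(data);
  }
  if (entry.method !== 8) throw new Error(`unsupported method ${entry.method}`);
  // zlib counts bytes as it inflates and throws when the cap is crossed.
  return zlib.inflateRawSync(data, { maxOutputLength: maxBytes });
}
```

The returned `name` is not validated here and still needs a path check before it is used on disk.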