Summary
Plugin ZIP extraction in PluginManager.cs has no size limits, compression ratio checks, or path traversal protection. This enables ZIP bomb attacks.
Affected File
src/SharpSite.Web/PluginManager.cs (lines 244-294)
Risks
- ZIP bomb: A 42KB zip can decompress to petabytes
- Disk exhaustion: No total or per-file size caps
- Path traversal: Only empty-name entries are filtered;
../ sequences not explicitly blocked
Recommended Fix
Add max total extracted size (100MB), max single file size (50MB), compression ratio check (100:1), and path normalization with directory containment validation.
Estimated Effort
2-3 hours
Summary
Plugin ZIP extraction in
PluginManager.cshas no size limits, compression ratio checks, or path traversal protection. This enables ZIP bomb attacks.Affected File
src/SharpSite.Web/PluginManager.cs(lines 244-294)Risks
../sequences not explicitly blockedRecommended Fix
Add max total extracted size (100MB), max single file size (50MB), compression ratio check (100:1), and path normalization with directory containment validation.
Estimated Effort
2-3 hours