From 473cd4f7efaef2a530329898e79e5cbfe2820468 Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Mon, 7 Apr 2025 08:27:38 +0200
Subject: [PATCH] Check max ZIP uncompressed size

---
 packages/tests/fixtures/zip-bomb.zip          | Bin 0 -> 42374 bytes
 .../tests/src/api/check-params/user-import.ts |   3 ++-
 server/core/helpers/unzip.ts                  |  25 +++++++++++++++++-
 .../lib/user-import-export/user-importer.ts   |  12 +++++++--
 4 files changed, 36 insertions(+), 4 deletions(-)
 create mode 100644 packages/tests/fixtures/zip-bomb.zip

diff --git a/packages/tests/fixtures/zip-bomb.zip b/packages/tests/fixtures/zip-bomb.zip
new file mode 100644
index 0000000000000000000000000000000000000000..b4d00682f287342d9afab1d70c03075d9a48eed1
GIT binary patch
literal 42374
zcmeI*>35B17Y6WiM2ZqqVitAUYE2~(391z*A|WJ^Nd{96shX!!%1fODZwwVm+D56K
z)?85~rKZ+VltyZ%R9h!ngruZ3)%fmvdG58>yZ8PRp7?Ud`hCdSAFgXH&dSxNmsdqU
zi^Wpe^697^-VajZujamOu?)<Jwp!tD11!&3E<Wk=e`acnzFo$H2{lZhU{boYm=+DD
zsbSg)X3F_<y<32>8YW0EUFHUOd4nk)^7Q9vFPMtMV>)>zSuEchCRi}dk3T%W2h1wN
zgb1ci*2;c)U}hVpgJ3d_=B7*nGt@901!D`dUycJ4X_!ueSv00B<P|W@4PzI~3wQ1n
zR{>MSFkymOb723`KPOr&*9JemPdCB*(IBpy8%&{L!UeNse!-*_U^W`2yI``@?*zO9
z<~_qi2xfboq2Wnj#uz42FpIp3(gMN68m5O}j;5{e>;opiFg*oxZOo-NO5U<qY8fU<
zFgxFEz5D=}za3BS(@QY9_k$L=z??KpZ^7(tv-#WUU<wQqEtuiQ`)8+u$u&%jV0>on
zJs%9_ZNtP0=E9e)2iF3VY?wZR`S@|2_sS+%EFBFKCzzL;jfgl5rh#GN1+#XpcgSim
z_tT%=CqXb5(?j<-!Te&FM8WKIT?iWhX18II1e5*Ms_#32Sz(yIf*CPBdO;m9GYpd~
znB%R={maK&EQ1V_BAD9unhz=h)73Dkg2~&MTD%^N%`j<}rk3AH)@?m~=c8F*tY9jr
zJPZ)f<|n>01_AO6GEks^s;%tV`Bgw}joJyQe%oCobpW|E3KGz)tsSb}9A~jOHEJ)Q
zzYiv!DFo!uC|E#~CX7s31IVsXh=3wKZZ^~j$fi*T0aY7ZeOP}$R*gCeXxY`KIUN9b
z1{!zjB%t|oBK>Ova%*H4(51FnpO=k=J82Xqps-<0dmIAf)To<)wmb69eh$c?QMiCw
zO^zQm1CU*#?gHAqx!d+sKsJpc1oVCSgJ$gkSv86jP=$LbpVt878DQM0hk$CQcBpY}
z4BSbho&t*LQ|HSAfLt0y3CLbGY{#d7oEr5KP=ld|rc49m(5Sb7)^2{B+!v5tqi6w@
z9rO7r5Rgry7y<cR-&tM_kX55t0ev#N*H2eQ!=3sYcj_ac-><wKwhxe7qc{P%-}m}q
z1t6D3@d9dgrg+^HKu(Pk1oS9x+VBKG4vi88RKfdba2r5&jgkaZcT%>k3Lu+CeFd~P
zE8)T)qu@>&B@5`ok6xeh9UxCX<4!38^6h<P{W3sqjZy`a*lFRJNq}4$Nts!9`?{1q
zfSd*jlrr;_J=oR?kV7LWGaIgL=zIo{T_Y(oXFPfJCC^B>lSWczwrl%A>TW<*jik&x
z?>}_rhk!h3Pwx~cW#+^+UvHfN$gPo-nScIt#wQw(OCu>Wht9uwx;Y@HMp9-L7MD-)
z0_4z0%FG$X|MC581l&m@DKkTD4O;I2WYb8>%x7PJv1lnEt4300ZpbN%8w<#jYTQZ6
z%+<r{7DoYcYb0gnw*Nl=pcx>SMp9;$9uBx*0p!$3%FNw6_on|c9PXr%l$qa*Pingj
zkX<7wGqW;_r!59#(@4t9Ltifq9tFs%k(8O6LN*0Q0`jC7cak!*YQ;I>&jWI6BxUCO
zm~$5%4TC#rBxPppm-~158IV&WDKp>yV1DLSKn{(h%=~Lg_D2f=*)@_fGs70NWH=z3
zMp9;;xKm|pI3TM=Qf4mM-Z=0%K%QjdPEuwzJLO(-|4q1)Mp9-TC_P{KG$5BoQfB)7
zFssXEKu(RM%#1la<cs-$92!ZP+0<v!hM|D$8cCVCG-7bF9gs~UDKl>de)Vf(Kvn~_
zlQMInWlW8`L*Y(+pWdmRl$jf54{v<}kXs`uGdI<+|C<lUrID1GyPNzwD;tngBPlc6
zd^93*2q1?>Qf3aC9#EkRAiG9VW^VL3u&Dtcn?_P*hBV&T=hho=Cyk`ce5=v$w4;DL
zNyeR|%-k?JztaXlZjGeOta))rh1q~y8cCV?Nv*=0>42OXNtyXf!87|i19E62WoFm+
zPXyKlWY<W_%m%X~^2;;eP8vy>xo2UWO-BG(HIgzjeZViv)&lY*8h4U1^TeZToihQs
zHIgzj&~NU!0f1Z@Ntt<mo8ym;fSejhnc4T1$#;DLIW&?o^GHdv&3_GnJ82|kW@3E)
zk;8y&8cCTsIOQPxn-JVdBPlaSH9B4ET|k}$<4#g$`oBE=S{fj?Mp9-zDL#5O7?4XN
zDKlT+`RL=CfSejhnfXDji@Dba!<{seGP7RAgB1?~vTGz|=AJr7n!5nmG?Fqi{Z8zI
z{{XUTBxUCCuAT$QfIRWWoutg1u=&jGc7WU(NtxN?#HSB@0J$`hGV^%hFU40Ka3=!=
zNtyX?o4+P~56GdBl$k*Vhg_ckvTGz|=GX2UY3~5CX(VN4*9vhf5&>B?k}|W?iTy9N
z1>}i)dZ!>MGw)CKsr)P;w?<NCmK79?{4*Wyq>-4JIW<r21?1F7%FIET@kc%e<j_dU
z%(J8SAATE<T_Y(o?@W4UUK}8sMp9;eGcNFGYd}_wq|8hjx3_C0K%PFvoutexjkRno
z9t3yNNXpEbD{C*_1IVS3l$ot|f1dpjAg4xBW;#|xm%IhYp^=oCB^@iYjR9oWNXpE~
zehV(Q0A$lh%FJWky+&08WYtK@%<_Wkn|>b%cZxOcBxUBQPhXDM3COLHl$qn=r<dmf
za%m)GX7q2XO2+|mY9wXmOLwnt>jlW6k(8O1dqw|w36NbQDKp<~{$QXLkWC{gGvgaA
zoqAya+({!TGvB=4v;B5Jo*3g!Qf7YltN+pW0l77jGP7_?T+7jbTpCH4xvk>5(>(w=
zHIgzj(6aXU3xFINNtxMXVbp-f{ozg;NtyYm)}b%Y0kUZ%WoEbGk&6ldSq;=)%FMzl
zxxI1#d7_`*slAk$Uz|9$d;}o3Mp9<hY*_zfcR((Uq|99O^_+uE0Xa32GV?%Q>$VU2
z!JRacGILMB;}K^7*)@_fGvVr~IbQ*?X(VN4zR!Rz3jkR)k}~tvtM@*96OgC3aVIG=
z$Mg%m76!<zk(8M&T8{qEACOBUDKmqQBpke#26xg(%FM0)!J#JsIW&?o^KRYT%bNh%
zHIg!O`N*TU<^r;5BxUCGTa|J%09iGXGV`J<Cn^+>r<ZXjDKqO|Z@jM|Ah$+RW`-|L
z-F-V1?xc~FnM;d{b{+%d)JV$Ay1v=tzX0UWNXpFbd>?)`2asJODKkfPToUF0WYb8>
zO#43nnXdt|Y9wXmx;J)&*8}8<GVUa0X3OL!@BN(uchX48%!I`0xkZ3n8cCVip=4p3
zb%2~2NtwB0OP9@AfE*f0nR(m$aKS)8c8#RWe6YUsVkba0jik(cE2P?FKR{NEq|7{!
zQ8M91GTf=BaVIG=GpB89`6D2=Mp9;Wdt6j=H6WKpQf7{5>7O$bkkdfHQf6MtznRq!
zkV7LWGiNW_btwdpT_Y(oulSu`TMLj)BPla~{VnTiX<xXLMp9-z96EZz4}d&9p57@~
z%FMF-h;g3*a%&`I=89nf%ccWzX(VOlnWBuvDS(_BNtu~<c}__XAcsa$W^Q|u8CD&T
zT_Y(o-SKBzl_bHPG?Fs2flrIV{eY|*NtwB!((zU+0eK>gJ4u;2pnXpMR6uTxq|DrY
ztMj2GKrW4>%)Ay;HY5O$QzI!ex1Y-ktqRDYk(8OsN_}r!PJ}yYBxUA|rPa&bfNUB`
znOQmS*xluTtQtv~xzKOR;K_hI5yqXQ%yb2Mt%(QZ)=0|Cc?qkEUIFCNNXpC=)k}V_
z49KaGl$niudTzLs0C&<z%FK~okyF0~WY<W_%pU^^R_6h-X(VN4>w!C>CIYf*BxUA5
zO)5Q%1?1^&+)2vJ*s%-dwFKnWNXpE@&>2g-0l74iGV@mJ%<_xza3_tV%#7QaR&N&|
zhej!7d!3an7R%m%GY@+8&!`Gd^UJ(|c>(hR<^{|Pm=`cFU|ztyfO!G)0_FwG3z!!$
zFJNB4ynuND^8)4t%nO(oFfU+Uz`THY0rLXp1<VVW7cehiUckJ7c>(hR<^{|Pm=`cF
zU|ztyfO!G)0_FwG3z!!$FJNB4ynuND^8)4t%nO(oFfU+Uz`THY0rLXp1<VVW7cehi
zUckJ7c>(hR<^{|Pm=`cFU|ztyfO!G)0_FwG3z!!$FJNB4ynwnudY@j_3Vs$pc*?7_
z|9_?c%ISbD@)zM5NIBiIMcxCR?I@?Sw#Z@0%o0R7UARTQ2%haJr(?Is3*Z?{Io-WQ
z{xdv7D5n#+$REP91LbrL7kN`FY?D$>hjEdI1MfsR-N;2g47i<gI+u%l0q`)&>2fae
z&A_`+PDgZ+p8_6EIo;Dmeh+we%IUN&^2QY`mI%t}$}aM*z#}QAgS*HxfcK!BZto(`
z2Hul$I>U>6Bk(B7=^`)kW59b+PRDtX-vZv7a=O!tyuO#k5=}Xs>_z?>@EFSJdN1;H
z;IWj`Az$RPfcK%CZu%l$2Rx2)I`5182=I8y>C!Lqo4^w&r=!2f{VG~4iImg*U*sKu
zCs9tPfRXnH-j{N^3XFUv@MOyAKrr%Ez*8uvTfxW=0Z*lz&IThd1)fGZT@XfI(_8Hc
zQ%}c)(FZHf+KKK8qfb+w)f1f<M*ptzte@!GF#1)>vx1_-!{`qy&l-wu5TpM~c~(($
zju^e~GvHZA(Pd)v9hGM#MMsL!4^W=96x}OEpQ${nDLP$@ey#GXr|60?`XkD-qN0Pw
z=*yL7O+~kj(bug6o>di{IY!@EdDc~Q@fdx&@~o`r_%Zs~%CokjJILraD9`GOP9mc}
zsyyo}x{i$gmh!By=uk5H2Jq|F16X6x&1CdllxLMi=abP7QJ!@cT~bD$tvo9&I;xC5
zUwPJAbYB_$3FTRB(Wzzhca>+oMOT;6H?9Jn6&D>~MsHW1H5c7tMn6<}R$X+K8U1|a
zS$ENeX7rntXXQo5n$e$Dp0yX<ZAO1zc~)O^!WsQ@&w^+DMc16shl3Af{Y8hJ(GORi
z^%vcEM!!&b)?ak)8U0q}S%1;xXY@ZS&-#mwK%;-8JnJvI2aW!D*i;B){Y9st(MKxJ
z`irhaqaUR_>n}POjefE6tiR}XH2Q7Iv;Lwp(&&Ftp7j@9ltyo<2A=g79hXMmOnKH{
zbY~iUl=7^<=;So|vC6alqU+P>mnzTtiw;qv-=RF~FS<#M{x{`Wf6;kr^j<#TS%1-`
zYV^&OXZ=M-tI<a*&-#n*SEHYxJnJtyWsUwr<yn8xRcrLSm1q6+J{h=1?@^xh7u~u>
z|4eo8tiR~&HTqV{v;LwB*y#Hx&-#mwVWXd<JnJvIi;aGn@~pq;L^k^GlxO`#*Rs+7
zp*-s^I-HHZN)7O=zvzZG`Zmh5{-Sf*=o6G@{Y96x(N6*2j`bHE*+#!YdDdTaZyWtS
z<yn7iBGcRGuPD#@i>`2^uT~R0>n}RUjXqF$)?aj+8+~8pS%1-)ZuHZXXZ=MNyU~BD
zJnJty-i`i%@~pq;jyL*i%Cr8WliuiS)B?}?i>`a4Z?8P-FFN#%K2>?vUv%>u{S4(<
zf6@7G^q(uw`im}sqd%lP>n}PAj=oHJ)?aiV9DVKD;8}mssc`filxO`#SHscwSDy73
z9S}$FRG#%0-4aK?MtRm>bXFXFq4KQ1=)ySqo658PqGRLe>-d6a{Y7`j(Z8xZ>n}P%
zj((8xtiR|QIr>@3v;LyP<mlHc&-#mQl%xMidDdTat{nY8%Cr8W%jM|n!+#*PWBo-(
z%+bHDJnJvIXO4cb@~pq;v^o0!D$n|huAHOa2tJ7Q7acrDe_VOiUv&E%{T=05f6*Cq
z^o{C(XZ=MN(b0ERp7j?UM@RpL@~pq;PCEK|%Cr8Wlj-QcRG#-2Sx-lQN_o~_bVwcj
zzsj@zqMPdIo74r*`isu1qwl6X>o2;rj((W(tiR~!I{NpNXZ=O@*U@iLp7j@<Vn=^g
zdDdTal^y*<<yn8xfp+w^df-`q(XDp$5z4dvqO<MjM=H<yi!QjMU!*+iFFNLq{%hq~
zf6-lc^yigl{Y59<(LYh1^%q@xNB?4d@T|Y+@H_gR%Cr8W8}R7ID9`$f&cUN!qCD#_
zx(tv08|7Jl(UExczbeoAi|)mvuh0NI>n}PTkN#!lS%1+LdGx)NXZ=M7<<XB<p7j^q
zmPh}A@~pq;%sl#C%Cr8Wi}UC&f^X0Ii;mBu_ihND^%vctN8eI;)?ajz9(}CxtiR|w
zJ^G2tv;Lw(_2~1IXZ=Mt>(PI!JnJtyUyuHh@~pq;l0Ev$jli@1qNDccUs0a*7u~l<
zAFn*?FFJLPezNkczv${c`sK>A{@Usv9C|VhhHi~Tdh~APS%2NFn|pZ^csui#m1q66
zeB{wvbHUq~ui6+q>#ymzD&=N?w=y4~JnOHEuAHb)@E&6+9)JEM<yn8#zutIXL-20q
zrz+3-D|~V4?%Sy_Da`yz<yn6%EiT%547`*1{mQfcs_UCQ{tNI9=1Y`k{q>#i!_Ve`
zw=-YeA3W=?Q5~0rIl$YP4^p1>mwliA%-6tMnNLxk_1C&Lc7)dh?=cqW@&415XZ_VO
z`N?~Kr@;N0|4ez-UkQoRbBn;cnEyd})?Xb;7PeUj-pPEa@~pphZ0WK&3%rB*T1~*S
z{<`gbxL_c7JM$sRv;KOpzVu=z@HXcADbM=rt&nPy{lHt9pQ$|SuLBt+6K*8K{f%XN
zy#H$DS$}0t+t%_&@NVXRRG#%$x5q^_SA%yke?xiJUn5%j=gb7}WZv&N_`n_OuS@wi
zv-*K|FyBde)?c$1?Ya~K-p>3$<yn7S@jJh^7I+);S<18i`t`T0tEGM6{>-map7qzm
zp`#c40N&H%>3BKbzesu3UuF3b<30oLX8v#GS%0k<7O-qOco*~anu2Hjb*3m|aSC`R
z^RFq-`YZ49oRT2$4(1)ov;NxlBr~i!csuiRlxO|rjz8O~Bnj@%{1?iz{%YXUqHsTW
zEAz*cXZ^LI((zU+!FwX<{ckJJ`fEV@ocyWa-OM+%foJ`-{Z{8gN#I?~hbqtd>sn0N
zkO1&b<};LM{k8pEUT9VD4(8`7&-!awsqc-;iEw}BH!08hYsS**<!<mc=1(fm`m1u@
zvAfH`TbaM7JnOH8ep?1l2JeZW_xFDuJnJu4px2ss@NVYAlxO`lFJV>DE8tzszo|Uy
zuNBoxey<GP$@~K4S${S1>AB%j0^FbZuasx~HPS0`>bKzS%%4%7_1BL91*`MG+n9f#
zJnOI419wDC1aD=&=?malfBn;>(!*Hrp6>Mi-IZtk6+3ppyq4hI%#To>^;co&j3wUS
zUCiew&-&|D>&)_t@o<0U3zTR56}L03-Y)PC=Fce){pAgx!?IZJ!=K%4ES7?|)p!2`
DBG6lk

literal 0
HcmV?d00001

diff --git a/packages/tests/src/api/check-params/user-import.ts b/packages/tests/src/api/check-params/user-import.ts
index 4abd9e0cf..545a3e46f 100644
--- a/packages/tests/src/api/check-params/user-import.ts
+++ b/packages/tests/src/api/check-params/user-import.ts
@@ -122,7 +122,8 @@ describe('Test user import API validators', function () {
         'export-without-videos.zip',
         'export-bad-structure.zip',
         'export-bad-structure.zip',
-        'export-crash.zip'
+        'export-crash.zip',
+        'zip-bomb.zip'
       ]
 
       const tokens: string[] = []
diff --git a/server/core/helpers/unzip.ts b/server/core/helpers/unzip.ts
index 00defd69a..5e04d9aaf 100644
--- a/server/core/helpers/unzip.ts
+++ b/server/core/helpers/unzip.ts
@@ -7,7 +7,14 @@ import { logger, loggerTagsFactory } from './logger.js'
 
 const lTags = loggerTagsFactory('unzip')
 
-export async function unzip (source: string, destination: string) {
+export async function unzip (options: {
+  source: string
+  destination: string
+  maxSize: number // in bytes
+  maxFiles: number
+}) {
+  const { source, destination } = options
+
   await ensureDir(destination)
 
   logger.info(`Unzip ${source} to ${destination}`, lTags())
@@ -18,9 +25,25 @@ export async function unzip (source: string, destination: string) {
 
       zipFile.on('error', err => rej(err))
 
+      let decompressedSize = 0
+      let entries = 0
+
       zipFile.readEntry()
 
       zipFile.on('entry', async entry => {
+        decompressedSize += entry.uncompressedSize
+        entries++
+
+        if (decompressedSize > options.maxSize) {
+          zipFile.close()
+          return rej(new Error(`Unzipped size exceeds ${options.maxSize} bytes`))
+        }
+
+        if (entries > options.maxFiles) {
+          zipFile.close()
+          return rej(new Error(`Unzipped files count exceeds ${options.maxFiles}`))
+        }
+
         const entryPath = join(destination, entry.fileName)
 
         try {
diff --git a/server/core/lib/user-import-export/user-importer.ts b/server/core/lib/user-import-export/user-importer.ts
index f48344c56..53f0a2055 100644
--- a/server/core/lib/user-import-export/user-importer.ts
+++ b/server/core/lib/user-import-export/user-importer.ts
@@ -1,5 +1,5 @@
 import { UserImportResultSummary, UserImportState } from '@peertube/peertube-models'
-import { getFilenameWithoutExt } from '@peertube/peertube-node-utils'
+import { getFilenameWithoutExt, getFileSize } from '@peertube/peertube-node-utils'
 import { saveInTransactionWithRetries } from '@server/helpers/database-utils.js'
 import { logger, loggerTagsFactory } from '@server/helpers/logger.js'
 import { unzip } from '@server/helpers/unzip.js'
@@ -20,6 +20,7 @@ import { UserVideoHistoryImporter } from './importers/user-video-history-importe
 import { VideoPlaylistsImporter } from './importers/video-playlists-importer.js'
 import { VideosImporter } from './importers/videos-importer.js'
 import { WatchedWordsListsImporter } from './importers/watched-words-lists-importer.js'
+import { parseBytes } from '@server/helpers/core-utils.js'
 
 const lTags = loggerTagsFactory('user-import')
 
@@ -51,7 +52,14 @@ export class UserImporter {
       const inputZip = getFSUserImportFilePath(importModel)
       this.extractedDirectory = join(dirname(inputZip), getFilenameWithoutExt(inputZip))
 
-      await unzip(inputZip, this.extractedDirectory)
+      await unzip({
+        source: inputZip,
+        destination: this.extractedDirectory,
+        // Videos that take a lot of space don't have a good compression ratio
+        // Keep a minimum of 1GB if the archive doesn't contain video files
+        maxSize: Math.max(await getFileSize(inputZip) * 2, parseBytes('1GB')),
+        maxFiles: 10000
+      })
 
       const user = await UserModel.loadByIdFull(importModel.userId)