Protect against zip bombs; closes pterodactyl/panel#883

Dane Everitt 2020-09-17 20:37:34 -07:00
parent 6b25ac3665
commit 6ba49df485
No known key found for this signature in database
GPG Key ID: EEA66103B3D71F53
2 changed files with 8 additions and 3 deletions


@ -29,6 +29,8 @@ import (
// Error returned when there is a bad path provided to one of the FS calls.
type PathResolutionError struct{}
var ErrNotEnoughDiskSpace = errors.New("not enough disk space is available to perform this operation")
// Returns the error response in a string form that can be more easily consumed.
func (pre PathResolutionError) Error() string {
return "invalid path resolution"
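Review bot: The new exported sentinel `ErrNotEnoughDiskSpace` has no doc comment, and callers need to know how to match it. The other file in this commit returns it through `errors.WithStack`, so a plain `==` comparison at a call site would presumably miss it. I would add `// ErrNotEnoughDiskSpace is returned when an operation would exceed the server's disk limit; it may be wrapped, so match it with errors.Is.` above the declaration. The body of `Error()` continues past the end of the hunk.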


@ -32,14 +32,17 @@ func (fs *Filesystem) SpaceAvailableForDecompression(dir string, file string) (b
dirSize, err := fs.DiskUsage(false)
var size int64
var max = fs.Server.DiskSpace() * 1000.0 * 1000.0
// Walk over the archive and figure out just how large the final output would be from unarchiving it.
archiver.Walk(source, func(f archiver.File) error {
atomic.AddInt64(&size, f.Size())
err = archiver.Walk(source, func(f archiver.File) error {
if atomic.AddInt64(&size, f.Size()) + dirSize > max {
return errors.WithStack(ErrNotEnoughDiskSpace)
}
return nil
})
return ((dirSize + size) / 1000.0 / 1000.0) <= fs.Server.DiskSpace(), errors.WithStack(err)
return err == nil, errors.WithStack(err)
}
// Decompress a file in a given directory by using the archiver tool to infer the file
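Review bot: The error from `fs.DiskUsage(false)` is never checked in the new code: `err = archiver.Walk(...)` overwrites it, so a failed usage lookup leaves `dirSize` at whatever was returned (likely zero) and the limit comparison runs against the wrong baseline. Add `if err != nil { return false, errors.WithStack(err) }` directly after the `DiskUsage` call. Separately, `f.Size()` appears to be the size each archive entry declares, which whoever built the archive controls, so this walk is only a pre-check; the extraction path (outside this hunk) should still cap the bytes it actually writes. The function begins above the hunk, so the earlier guards are not visible here.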