library laravel-zipbomb

adrianmejias/laravel-zipbomb

Enable zip bomb defense of your app

, _(*1)

Enable zip bomb defense of your app, _(*2)

!!Experimental Code!!

Not for use in production environment., _(*3)

Installation

You can install the package via composer:, _(*4)

``` bash $ composer require adrianmejias/laravel-zipbomb, <sub>(*5)</sub>

Start by registering the package's the service provider:

```php
// config/app.php (L5)

'providers' => [
  // ...
  'AdrianMejias\ZipBomb\ZipBombServiceProvider',
],

Next, publish the config file., <sub>(*6)</sub>

``` bash $ php artisan vendor:publish --provider="AdrianMejias\ZipBomb\ZipBombServiceProvider", <sub>(*7)</sub>

A file named `10G.gzip` should be generated in the `storage/app/zipbomb` folder. If this file does not exist after installation. Use the following command at `storage/app/zipbomb`

``` bash
$ dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip

The following config file will be published in config/zipbomb.php, <sub>(*8)</sub>

``` php /** * Laravel Zip Bomb Configuration. * * Check for nikto, sql map or "bad" subfolders which only exist on * WordPress. */, <sub>(*9)</sub>

return [, <sub>(*10)</sub>

/*
 * User-Agents to check against.
 */
'agents' => [
    'nikto',
    'sqlmap',
],

/*
 * Paths to check against.
 */
'paths' => [
    'wp-',
    'wordpress',
    'wp/*',
],

/*
 * Path to the zip bomb file.
 */
'zip_bomb_file' => storage_path('app/zipbomb/10G.gzip'),

];, <sub>(*11)</sub>

Finally, register the middleware:

``` php
// app/Http/Kernel.php

protected $middleware = [
    // ...
    \AdrianMejias\ZipBomb\Middleware\ZipBomb::class,
];

This package also comes with a facade, which provides an easy way to call the the class for whatever reason., <sub>(*12)</sub>

``` php // config/app.php, <sub>(*13)</sub>

'aliases' => [ // ... 'ZipBomb' => AdrianMejias\ZipBomb\ZipBombFacade::class, ];, <sub>(*14)</sub>

## Changelog

Please see [CHANGELOG](CHANGELOG.md) for more information what has changed recently.

## Testing

``` bash
$ composer test

Contributing

Please see CONTRIBUTING for details. Due to nature of this package, there's a fair chance features won't be accepted to keep it light and opinionated., <sub>(*15)</sub>

Security

If you discover any security related issues, please email adrianmejias@gmail.com instead of using the issue tracker., <sub>(*16)</sub>

Credits

• Site Point: How to Defend Your Website with Zip Bomb
• All Contributors

License

The MIT License (MIT). Please see License File for more information., <sub>(*17)</sub>