# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 import tarfile from flask import Flask, request app = Flask(__name__) # {fact rule=zip-bomb-attack@v1.0 defects=1} @app.route('/someUrl') def zip_bomb_attack_noncompliant(): file = request.files['file'] filename = file.filename file.save(filename) tfile = tarfile.open(filename) # Noncompliant: Untrusted archive file extracted without any validation. tfile.extractall('./tmp/') tfile.close() # {/fact} # {fact rule=zip-bomb-attack@v1.0 defects=0} @app.route('/someUrl') def zip_bomb_attack_compliant(): file = request.files['file'] filename = file.filename file.save(filename) tfile = tarfile.open(filename) threshold_entries = 100 # some threshold value # Compliant: Untrusted archive file is validated before extraction. if len(tfile.getmembers()) < threshold_entries: tfile.extractall('./tmp/') tfile.close() # {/fact}