From 53a08cf3078c1feda1966c7f28747ad6a4e1d665 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Sun, 24 Jul 2022 23:51:04 +0100
Subject: [PATCH] chore: Basic protection against zip bombs

---
 server/utils/zip.ts | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/server/utils/zip.ts b/server/utils/zip.ts
index 1aa710d42..67ba2c49e 100644
--- a/server/utils/zip.ts
+++ b/server/utils/zip.ts
@@ -3,6 +3,7 @@ import path from "path";
 import JSZip, { JSZipObject } from "jszip";
 import { find } from "lodash";
 import tmp from "tmp";
+import { ValidationError } from "@server/errors";
 import Logger from "@server/logging/Logger";
 import Attachment from "@server/models/Attachment";
 import Collection from "@server/models/Collection";
@@ -193,8 +194,19 @@ export type FileTreeNode = {
  * @param paths An array of paths to files in the zip
  * @returns
  */
-export function zipAsFileTree(zip: JSZip) {
-  const paths = Object.keys(zip.files).map((filePath) => `/${filePath}`);
+export function zipAsFileTree(
+  zip: JSZip,
+  /** The maximum number of files to unzip */
+  maxFiles = 10000
+) {
+  let fileCount = 0;
+  const paths = Object.keys(zip.files).map((filePath) => {
+    if (++fileCount > maxFiles) {
+      throw ValidationError("Too many files in zip");
+    }
+
+    return `/${filePath}`;
+  });
   const tree: FileTreeNode[] = [];
   paths.forEach(function (filePath) {
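Review bot: The `maxFiles` guard added to `zipAsFileTree` bounds only the number of entries, which does not cover the classic zip bomb — a few entries whose decompressed size runs to gigabytes — so the `throw ValidationError("Too many files in zip")` in this hunk needs a companion cap on cumulative decompressed bytes wherever entry contents are actually read (that extraction code is outside this hunk; presumably the JSZip `file.async(...)` calls, and since the uncompressed-size field in the archive's central directory is attacker-controlled, the budget should be enforced on bytes as they are produced rather than on that field). Counting inside the `.map` callback is also more indirect than needed, because `Object.keys(zip.files)` has already materialized every entry name before the first check runs; `const names = Object.keys(zip.files); if (names.length > maxFiles) { throw ValidationError("Too many files in zip"); }` followed by `const paths = names.map((filePath) => `/${filePath}`);` expresses the same limit without the mutable `fileCount`. Note that `zip.files` also holds directory entries, so they count toward `maxFiles`, which the inline comment `The maximum number of files to unzip` could state to avoid surprising callers. The JSDoc block above the signature (still `@param paths`) does not mention the new parameter or the new failure mode; add `@param maxFiles Upper bound on entries (files and directories) accepted from the archive` and `@throws ValidationError when the archive contains more than maxFiles entries`. The body of `zipAsFileTree` continues past the end of the hunk.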