adrianmejias / laravel-zipbomb
Enable zip bomb defense of your app
Requires
- php: ^7.0
- illuminate/http: ^5.1
Requires (Dev)
- orchestra/testbench: ^3.2
- phpunit/phpunit: 4.*
README
Enable zip bomb defense of your app
!!Experimental Code!!
Not for use in production environment.
Installation
You can install the package via composer:
$ composer require adrianmejias/laravel-zipbomb
Start by registering the package's service provider:

```php
// config/app.php (L5)
'providers' => [
    // ...
    'AdrianMejias\ZipBomb\ZipBombServiceProvider',
],
```
Next, publish the config file.
$ php artisan vendor:publish --provider="AdrianMejias\ZipBomb\ZipBombServiceProvider"
A file named 10G.gzip should be generated in the storage/app/zipbomb folder. If this file does not exist after installation, run the following command inside storage/app/zipbomb:
$ dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip
The following config file will be published in config/zipbomb.php:

```php
/**
 * Laravel Zip Bomb Configuration.
 *
 * Check for nikto, sql map or "bad" subfolders which only exist on
 * WordPress.
 */
return [
    /*
     * User-Agents to check against.
     */
    'agents' => [
        'nikto',
        'sqlmap',
    ],

    /*
     * Paths to check against.
     */
    'paths' => [
        'wp-',
        'wordpress',
        'wp/*',
    ],

    /*
     * Path to the zip bomb file.
     */
    'zip_bomb_file' => storage_path('app/zipbomb/10G.gzip'),
];
```
Finally, register the middleware:

```php
// app/Http/Kernel.php
protected $middleware = [
    // ...
    \AdrianMejias\ZipBomb\Middleware\ZipBomb::class,
];
```

This package also comes with a facade, which provides an easy way to call the class for whatever reason.

```php
// config/app.php
'aliases' => [
    // ...
    'ZipBomb' => AdrianMejias\ZipBomb\ZipBombFacade::class,
];
```
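To make the decision the middleware takes on every request concrete, here is an added, framework-free PHP sketch of the matching logic the config above drives, together with a sanity check on the generated 10G.gzip file. This is example code written for this page, not code from adrianmejias/laravel-zipbomb; the matching rules (case-insensitive substring on the User-Agent, prefix match on plain path entries, anchored `*` wildcards on the others) and the file location are assumptions, and the package itself may match differently.

```php
<?php
// Added example (not part of adrianmejias/laravel-zipbomb): a framework-free sketch of
// the decision a middleware like this has to make, plus a sanity check on the bomb file.
// Assumptions: the matching rules (substring match on User-Agent, prefix match on plain
// path entries, Laravel-style '*' wildcards on the others) are mine; the package itself
// may match differently. The config array mirrors config/zipbomb.php from the README.

$config = [
    'agents'        => ['nikto', 'sqlmap'],
    'paths'         => ['wp-', 'wordpress', 'wp/*'],
    'zip_bomb_file' => __DIR__ . '/10G.gzip', // hypothetical location for this script
];

/** True when the User-Agent contains any configured agent string (case-insensitive). */
function agentMatches(array $agents, string $userAgent): bool
{
    $ua = strtolower($userAgent);
    foreach ($agents as $needle) {
        if ($needle !== '' && strpos($ua, strtolower($needle)) !== false) {
            return true;
        }
    }
    return false;
}

/** True when the request path matches any configured path entry. */
function pathMatches(array $patterns, string $path): bool
{
    $path = ltrim($path, '/');
    foreach ($patterns as $pattern) {
        if (strpos($pattern, '*') !== false) {
            // Wildcard entry: anchored, '*' matches anything (like Laravel's Str::is).
            $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '\z#u';
            if (preg_match($regex, $path) === 1) {
                return true;
            }
        } elseif ($pattern !== '' && strpos($path, $pattern) === 0) {
            // Plain entry: treated as a path prefix (assumption).
            return true;
        }
    }
    return false;
}

function shouldServeZipBomb(array $config, string $userAgent, string $path): bool
{
    return agentMatches($config['agents'], $userAgent)
        || pathMatches($config['paths'], $path);
}

/**
 * Check the generated bomb file before wiring the middleware in: it must exist, be small
 * on disk, and carry a gzip trailer. The trailer's ISIZE field is the uncompressed size
 * modulo 2^32, so the 10 GiB file from the README reports 2 GiB (10 GiB mod 4 GiB) here.
 */
function inspectBombFile(string $file): array
{
    if (!is_file($file) || filesize($file) < 18) {
        return ['ok' => false, 'reason' => 'missing or too small to be a gzip member'];
    }
    $fh = fopen($file, 'rb');
    $magic = fread($fh, 2);
    fseek($fh, -4, SEEK_END);
    $isize = unpack('V', fread($fh, 4))[1]; // little-endian uint32
    fclose($fh);
    if ($magic !== "\x1f\x8b") {
        return ['ok' => false, 'reason' => 'not a gzip file'];
    }
    return [
        'ok'           => true,
        'compressed'   => filesize($file),
        'isize_mod_4g' => $isize, // expected 2147483648 for the README's 10 GiB file
    ];
}

// Constructed sample requests (not real traffic) showing which ones trip the rules.
$samples = [
    ['Mozilla/5.0 (Windows NT 10.0) Chrome/80', '/'],
    ['Mozilla/5.0 (Nikto/2.1.6)',              '/'],
    ['sqlmap/1.3.10#stable',                   '/login'],
    ['Mozilla/5.0',                            '/wp-login.php'],
    ['Mozilla/5.0',                            '/wp/admin/install.php'],
    ['Mozilla/5.0',                            '/blog/wp-content'], // no match: 'wp-' is a prefix rule
];
foreach ($samples as [$ua, $path]) {
    printf("%-45s %-28s => %s\n", $ua, $path,
        shouldServeZipBomb($config, $ua, $path) ? 'BOMB' : 'pass');
}
print_r(inspectBombFile($config['zip_bomb_file']));
```

Run it with `php zipbomb_check.php` next to a copy of 10G.gzip. Two things worth checking against your own app before enabling the middleware globally: the User-Agent rule fires on any client whose UA merely contains one of the configured strings, and the plain path entries only match as prefixes, so `/blog/wp-content` passes while `/wp-login.php` does not; if the application legitimately serves paths beginning with `wp-` or `wordpress`, trim the `paths` list accordingly.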
Changelog
Please see CHANGELOG for more information on what has changed recently.
Testing
$ composer test
Contributing
Please see CONTRIBUTING for details. Due to the nature of this package, there's a fair chance features won't be accepted, to keep it light and opinionated.
Security
If you discover any security related issues, please email adrianmejias@gmail.com instead of using the issue tracker.
Credits
License
The MIT License (MIT). Please see License File for more information.