adrianmejias/laravel-zipbomb

Enable zip bomb defense of your app

Maintainers

Details

github.com/adrianmejias/laravel-zipbomb

Homepage

Source

Issues

Installs: 98

Dependents: 0

Suggesters: 0

Security: 0

Stars: 6

Watchers: 1

Forks: 1

Open Issues: 0

v1.0.14 2017-07-09 08:07 UTC

Requires

Requires (Dev)

MIT bfa76b524efa9c2ca11ea53cacd9cf1e78d362b3

laravelzipzipbombdefenseadrianmejiasbombdefend

This package is auto-updated.

Last update: 2022-06-06 18:46:58 UTC

README

Latest Version Software License Latest Version on Packagist Build Status StyleCI Total Downloads

Enable zip bomb defense of your app

!!Experimental Code!!

Not for use in production environment.

Installation

You can install the package via composer:

$ composer require adrianmejias/laravel-zipbomb

Start by registering the package's the service provider:

// config/app.php (L5)

'providers' => [
  // ...
  'AdrianMejias\ZipBomb\ZipBombServiceProvider',
],

Next, publish the config file.

$ php artisan vendor:publish --provider="AdrianMejias\ZipBomb\ZipBombServiceProvider"

A file named 10G.gzip should be generated in the storage/app/zipbomb folder. If this file does not exist after installation. Use the following command at storage/app/zipbomb

$ dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip

The following config file will be published in config/zipbomb.php

/**
 * Laravel Zip Bomb Configuration.
 *
 * Check for nikto, sql map or "bad" subfolders which only exist on
 * WordPress.
 */

return [

    /*
     * User-Agents to check against.
     */
    'agents' => [
        'nikto',
        'sqlmap',
    ],

    /*
     * Paths to check against.
     */
    'paths' => [
        'wp-',
        'wordpress',
        'wp/*',
    ],

    /*
     * Path to the zip bomb file.
     */
    'zip_bomb_file' => storage_path('app/zipbomb/10G.gzip'),

];

Finally, register the middleware:

// app/Http/Kernel.php

protected $middleware = [
    // ...
    \AdrianMejias\ZipBomb\Middleware\ZipBomb::class,
];

This package also comes with a facade, which provides an easy way to call the the class for whatever reason.

// config/app.php

'aliases' => [
    // ...
    'ZipBomb' => AdrianMejias\ZipBomb\ZipBombFacade::class,
];

Changelog

Please see CHANGELOG for more information what has changed recently.

Testing

$ composer test

Contributing

Please see CONTRIBUTING for details. Due to nature of this package, there's a fair chance features won't be accepted to keep it light and opinionated.

Security

If you discover any security related issues, please email adrianmejias@gmail.com instead of using the issue tracker.

Credits

License

The MIT License (MIT). Please see License File for more information.