Enable zip bomb defense of your app

v1.0.14 2017-07-09 08:07 UTC

This package is auto-updated.

Last update: 2022-06-06 18:46:58 UTC


!!Experimental Code!!

Not for use in production environment.


You can install the package via composer:

$ composer require adrianmejias/laravel-zipbomb

Start by registering the package's service provider:

// config/app.php (L5)

'providers' => [
  // ...
  AdrianMejias\ZipBomb\ZipBombServiceProvider::class,
],

Next, publish the config file.

$ php artisan vendor:publish --provider="AdrianMejias\ZipBomb\ZipBombServiceProvider"

A file named 10G.gzip should be generated in the storage/app/zipbomb folder. If this file does not exist after installation, run the following command in storage/app/zipbomb:

$ dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip
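
One way to script this fallback step so an existing file is validated and a missing or damaged one is rebuilt. This is an added example, not part of the package; the function names ensure_zipbomb_file and zipbomb_expanded_bytes are hypothetical. It assumes GNU dd and gzip, and generalizes the fixed count=10240 in the command above to an optional size argument in MiB.

```shell
#!/bin/sh
# Added example, not shipped with laravel-zipbomb. Function names are hypothetical.
# Usage: ensure_zipbomb_file <dir> [size_in_MiB]   (default 10240 MiB, as in the README)

# Number of bytes the archive expands to. Streams through wc, so nothing
# is written to disk while checking.
zipbomb_expanded_bytes() {
    gzip -dc "$1" | wc -c | tr -d ' '
}

ensure_zipbomb_file() {
    dir=$1
    mib=${2:-10240}
    target="$dir/10G.gzip"

    mkdir -p "$dir" || return 1

    # Keep an existing file only if it is a non-empty, intact gzip stream.
    if [ -s "$target" ] && gzip -t "$target" 2>/dev/null; then
        return 0
    fi

    # Build into a temp file and rename it, so an interrupted run never
    # leaves a truncated archive at the path the config points to.
    tmp="$target.tmp.$$"
    # The size check catches a dd that stopped early (for example on a
    # full disk), which gzip -t alone would not notice.
    if dd if=/dev/zero bs=1M count="$mib" 2>/dev/null | gzip > "$tmp" \
        && gzip -t "$tmp" \
        && [ "$(zipbomb_expanded_bytes "$tmp")" -eq $((mib * 1048576)) ]; then
        mv "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Verifying the full 10240 MiB build decompresses the whole stream once, so expect the check to take noticeably longer than the build itself.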

The following config file will be published in config/zipbomb.php:

<?php

/*
 * Laravel Zip Bomb Configuration.
 * Check for nikto, sql map or "bad" subfolders which only exist on
 * WordPress.
 */

return [

    // User-Agents to check against.
    'agents' => [
        // ...
    ],

    // Paths to check against.
    'paths' => [
        // ...
    ],

    // Path to the zip bomb file.
    'zip_bomb_file' => storage_path('app/zipbomb/10G.gzip'),

];


Finally, register the middleware:

// app/Http/Kernel.php

protected $middleware = [
    // ...
];

This package also comes with a facade, which provides an easy way to call the class for whatever reason.

// config/app.php

'aliases' => [
    // ...
    'ZipBomb' => AdrianMejias\ZipBomb\ZipBombFacade::class,
],


Please see CHANGELOG for more information on what has changed recently.


$ composer test


Please see CONTRIBUTING for details. Due to the nature of this package, there's a fair chance features won't be accepted to keep it light and opinionated.


If you discover any security related issues, please email instead of using the issue tracker.



The MIT License (MIT). Please see License File for more information.