Enable zip bomb defense of your app
Not for use in production environment.
You can install the package via composer:
$ composer require adrianmejias/laravel-zipbomb
Start by registering the package's the service provider:
// config/app.php (L5)
'providers' => [
// ...
'AdrianMejias\ZipBomb\ZipBombServiceProvider',
],
Next, publish the config file.
$ php artisan vendor:publish --provider="AdrianMejias\ZipBomb\ZipBombServiceProvider"
A file named 10G.gzip
should be generated in the storage/app/zipbomb
folder. If this file does not exist after installation. Use the following command at storage/app/zipbomb
$ dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip
The following config file will be published in config/zipbomb.php
/**
* Laravel Zip Bomb Configuration.
*
* Check for nikto, sql map or "bad" subfolders which only exist on
* WordPress.
*/
return [
/*
* User-Agents to check against.
*/
'agents' => [
'nikto',
'sqlmap',
],
/*
* Paths to check against.
*/
'paths' => [
'wp-',
'wordpress',
'wp/*',
],
/*
* Path to the zip bomb file.
*/
'zip_bomb_file' => storage_path('app/zipbomb/10G.gzip'),
];
Finally, register the middleware:
// app/Http/Kernel.php
protected $middleware = [
// ...
\AdrianMejias\ZipBomb\Middleware\ZipBomb::class,
];
This package also comes with a facade, which provides an easy way to call the the class for whatever reason.
// config/app.php
'aliases' => [
// ...
'ZipBomb' => AdrianMejias\ZipBomb\ZipBombFacade::class,
];
Please see CHANGELOG for more information what has changed recently.
$ composer test
Please see CONTRIBUTING for details. Due to nature of this package, there's a fair chance features won't be accepted to keep it light and opinionated.
If you discover any security related issues, please email [email protected] instead of using the issue tracker.
The MIT License (MIT). Please see License File for more information.