# CVE-2026-22870: GuardDog Zip Bomb Vulnerability in safe_extract() Allows DoS

EPSS: 0.05%
## Description
### Summary

GuardDog's `safe_extract()` function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing an attacker to cause a denial of service with a zip bomb. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data.

### Vulnerability Details

**Affected Component:** `guarddog/utils/archives.py` - `safe_extract()` function

**Vulnerability Type:** CWE-409 - Improper Handling of Highly Compressed Data (Zip Bomb)

**Severity:** HIGH (CVSS ~8)

**Attack Vector:** Network (malicious package uploaded to PyPI/npm) or local

#### Root Cause

`safe_extract()` handles TAR files securely using the `tarsafe` library, but the ZIP branch extracts every entry with no size validation at all:

```python
elif zipfile.is_zipfile(source_archive):
    with zipfile.ZipFile(source_archive, "r") as zip:
        for file in zip.namelist():
            zip.extract(file, path=os.path.join(target_directory, file))
```

**Missing protections:**

- ❌ No decompressed size limit
- ❌ No compression ratio validation
- ❌ No file count limit
- ❌ No total extracted size validation

### Impact

#### Denial of Service Scenarios

**1. CI/CD Pipeline Disruption**

- Attacker publishes a malicious package to PyPI
- Developer adds the package to requirements.txt
- CI/CD runs a GuardDog scan
- Disk fills (GitHub Actions: standard 14GB limit)
- All deployments are blocked

**2. Resource Exhaustion**

- Local development environments
- Security scanning infrastructure
- Automated scanning systems
- Docker containers with limited disk

**3. Supply Chain Attack Amplification**

- A single malicious package blocks security scanning
- Prevents detection of other malicious packages
- Forces manual intervention
- Increases security team workload

### Recommended Fix

Add size validation for ZIP files similar to what `tarsafe` provides for TAR files.

#### Configuration Options

Make the limits configurable via environment variables or a config file.

### Additional Improvements

1. **Add warning logs** when archives approach limits
2. **Provide clear error messages** for users
3. **Document limits** in user-facing documentation
4. **Add tests** for zip bomb detection
5. **Consider using a safe ZIP library** (similar to tarsafe)

### Credit

Reported by: Charbel (dwbruijn)
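The following is an added example of what the Recommended Fix could look like in practice. It is not GuardDog's code and not the change shipped in 2.7.1; the limit values, the function names (`check_zip_limits`, `safe_extract_zip`, `build_zip`, `try_extract`, `demo`) and the in-memory archives are assumptions chosen for illustration. It enforces all four missing protections from the Root Cause section (per-member size, compression ratio, entry count, total extracted size) and, because it writes members itself instead of calling `ZipFile.extract()`, adds its own zip-slip path check. The important design point is that the sizes in the central directory are attacker-controlled, so they are only used as a cheap pre-flight gate; the real bound is enforced by counting bytes as they come out of the decompressor.

```python
import io
import os
import tempfile
import zipfile

# Limits used by this example. They are assumptions chosen for illustration,
# not values taken from GuardDog; tune them for the scanning environment.
MAX_FILE_COUNT = 10_000
MAX_SINGLE_UNCOMPRESSED = 64 * 1024 * 1024   # 64 MiB per member
MAX_TOTAL_UNCOMPRESSED = 256 * 1024 * 1024   # 256 MiB per archive
MAX_COMPRESSION_RATIO = 100                  # declared uncompressed : compressed
CHUNK = 64 * 1024


class UnsafeArchiveError(Exception):
    """The archive violates a size, ratio, entry-count or path limit."""


def check_zip_limits(zf: zipfile.ZipFile) -> dict:
    """Pre-flight check on the central directory; nothing is decompressed here.

    Declared sizes come from the attacker's own headers, so this is only a
    cheap first gate; safe_extract_zip() re-verifies sizes while streaming.
    """
    infos = zf.infolist()
    total_uncompressed = sum(i.file_size for i in infos)
    total_compressed = sum(i.compress_size for i in infos)
    if len(infos) > MAX_FILE_COUNT:
        raise UnsafeArchiveError(f"{len(infos)} entries exceed limit {MAX_FILE_COUNT}")
    for info in infos:
        if info.file_size > MAX_SINGLE_UNCOMPRESSED:
            raise UnsafeArchiveError(f"{info.filename}: declared size {info.file_size} exceeds limit")
    if total_uncompressed > MAX_TOTAL_UNCOMPRESSED:
        raise UnsafeArchiveError(f"declared total {total_uncompressed} bytes exceeds limit")
    # compress_size is 0 for empty members, so guard the division.
    if total_compressed and total_uncompressed / total_compressed > MAX_COMPRESSION_RATIO:
        raise UnsafeArchiveError(
            f"compression ratio {total_uncompressed / total_compressed:.0f}:1 exceeds limit")
    return {"file_count": len(infos), "total_uncompressed": total_uncompressed,
            "total_compressed": total_compressed}


def _safe_destination(target_directory: str, member_name: str) -> str:
    """Resolve a member name and refuse any path that escapes the target (zip-slip)."""
    root = os.path.realpath(target_directory)
    dest = os.path.realpath(os.path.join(root, member_name))
    if os.path.commonpath([root, dest]) != root:
        raise UnsafeArchiveError(f"{member_name}: path escapes target directory")
    return dest


def safe_extract_zip(source_archive, target_directory: str) -> dict:
    """Extract a ZIP, enforcing the limits on both declared and actual output sizes."""
    with zipfile.ZipFile(source_archive, "r") as zf:
        summary = check_zip_limits(zf)
        written_total = 0
        for info in zf.infolist():
            dest = _safe_destination(target_directory, info.filename)
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            written = 0
            try:
                with zf.open(info, "r") as src, open(dest, "wb") as dst:
                    while chunk := src.read(CHUNK):
                        written += len(chunk)
                        written_total += len(chunk)
                        # Real output must never exceed the declared size or the
                        # archive budget, whatever the headers claimed.
                        if written > info.file_size or written_total > MAX_TOTAL_UNCOMPRESSED:
                            raise UnsafeArchiveError(
                                f"{info.filename}: decompressed output exceeds declared size or budget")
                        dst.write(chunk)
            except UnsafeArchiveError:
                os.remove(dest)  # do not leave the partially written member behind
                raise
        summary["written_total"] = written_total
        return summary


def build_zip(members: dict) -> io.BytesIO:
    """Build an in-memory ZIP from {name: bytes}; constructed test input, not a real package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


def try_extract(members: dict) -> str:
    """Extract a constructed archive into a temp dir; returns 'extracted:N' or 'rejected: reason'."""
    with tempfile.TemporaryDirectory() as target:
        try:
            return f"extracted:{safe_extract_zip(build_zip(members), target)['file_count']}"
        except UnsafeArchiveError as exc:
            return f"rejected: {exc}"


def demo() -> dict:
    benign = {"pkg/__init__.py": b"print('hello')\n", "pkg-1.0.dist-info/METADATA": b"Name: pkg\n"}
    # 16 MiB of zeros deflates to roughly 16 KiB, i.e. about 1000:1 (constructed zip bomb).
    bomb = {"pkg/payload.bin": b"\0" * (16 * 1024 * 1024)}
    zip_slip = {"../escape.txt": b"owned\n"}
    return {name: try_extract(m) for name, m in
            (("benign", benign), ("bomb", bomb), ("zip_slip", zip_slip))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats worth knowing before adopting something like this. First, the ratio check alone is not sufficient: the overlapping-entry zip bombs that reuse one compressed stream for many entries declare accurate sizes and an honest-looking ratio per entry, which is why the total-declared and total-written limits are separate checks. Second, the path check is only needed because the example writes members through `open()`; the stock `ZipFile.extract()` in the original snippet already strips absolute prefixes and `..` components, so the advisory's point about the ZIP branch is the missing size validation, not path traversal.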
## Affected packages (1)

- PyPI/guarddog: from 0, < 2.7.1
## CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |