Open ghost opened 7 years ago
Interesting question - node-upzip (and unzipper.parse()) stream the source file from start to finish so it is hard to see how recursive loops could be formed. @dawjan did you perform any test yet?
Got a response from yauzl on the same question; it has more security options: https://github.com/thejoshwolfe/yauzl/issues/55
Directory traversal issue: https://github.com/ptoomey3/evilarc https://labs.neohapsis.com/2009/04/21/directory-traversal-in-archives/
Zip bomb https://www.reddit.com/r/todayilearned/comments/10yniw/til_there_is_a_zip_bomb_called_42zip_that_is_only/
https://en.wikipedia.org/wiki/Zip_bomb
Is there any option to limit this to zip files only (not tar.gz ...), and is there a limit on archive files? What happens when somebody creates a ZIP file with 5 million dirs and empty files?