PaulLereverend / NextcloudExtract

Bring extraction to your nextcloud web interface
GNU Affero General Public License v3.0

zip-bombing vulnerability #76

Open tetsuo76 opened 2 years ago

tetsuo76 commented 2 years ago

Hello,

I've noticed that the extract app doesn't respect the user quota set on Nextcloud. I uploaded a 4MB zip which contains a 4GB text file. The Extract app completely ignores my quota set on Nextcloud (2GB) and extracts the 4GB file without any issues.

The available space of my account still remains the same until I manually scan the files of my account (occ files:scan).

This bug is pretty serious and it can also be considered a security risk.

rotdrop commented 1 year ago

The actual bombing could perhaps be solved by

https://github.com/selective-php/archive-bomb-scanner

However, I suppose the quota thing is inherent to the current implementation of NextcloudExtract as it somehow circumvents the Nextcloud FS API:

I would suspect that one would either need to go through the public file-system API, using file->putContent(), or would have to implement the quota check in the app (e.g. by scanning the archive beforehand and refusing to extract if the quota is exceeded).
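The "scan the archive beforehand" approach suggested above, as an added example that is not NextcloudExtract's own code: the pre-check sums the sizes declared in the ZIP central directory and refuses the archive if it would exceed the caller-supplied free quota (`$freeBytes`) or shows an implausible compression ratio; because headers can lie, the extraction itself is also streamed with a byte budget. The class name, the ratio threshold and the quota parameter are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of NextcloudExtract): quota-aware ZIP handling.
final class QuotaAwareZipExtractor
{
    // Constructed threshold: declared/compressed ratio above this is treated as a bomb.
    private const MAX_RATIO = 100;

    // Returns the total declared uncompressed size, or throws if the archive
    // would exceed $freeBytes (the user's remaining quota) or looks like a bomb.
    public static function checkArchive(string $path, int $freeBytes): int
    {
        $zip = new ZipArchive();
        if ($zip->open($path) !== true) {
            throw new RuntimeException("cannot open archive: $path");
        }
        $declared = 0;
        $compressed = 0;
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $st = $zip->statIndex($i);
            $declared += $st['size'];       // uncompressed size from the central directory
            $compressed += $st['comp_size'];
        }
        $zip->close();
        if ($declared > $freeBytes) {
            throw new RuntimeException("archive expands to $declared bytes, only $freeBytes free");
        }
        if ($compressed > 0 && $declared / $compressed > self::MAX_RATIO) {
            throw new RuntimeException('suspicious compression ratio, refusing to extract');
        }
        return $declared;
    }

    // Extracts one entry through a stream, counting bytes actually written and
    // aborting as soon as $budget is exhausted, so a lying header cannot bypass the check.
    public static function extractEntryBounded(ZipArchive $zip, string $name, string $dest, int $budget): int
    {
        $in = $zip->getStream($name);
        if ($in === false) {
            throw new RuntimeException("cannot read entry $name");
        }
        $out = fopen($dest, 'wb');
        $written = 0;
        while (($chunk = fread($in, 65536)) !== false && $chunk !== '') {
            $written += strlen($chunk);
            if ($written > $budget) {
                fclose($in); fclose($out); unlink($dest);
                throw new RuntimeException("entry $name exceeds remaining quota");
            }
            fwrite($out, $chunk);
        }
        fclose($in); fclose($out);
        return $written;
    }
}
```

Calling `checkArchive()` before any extraction, then `extractEntryBounded()` per entry with the budget reduced by each returned count, keeps the written total at or below the quota even for the 4MB-to-4GB case described in the issue.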