Open bfabio opened 8 months ago
https://github.com/italia/spid-saml-check/blob/414e2b72d7506f19fe0a956847a5e405becf9f34/spid-validator/server/api/metadata-sp.js#L219 unzips the file passed in by the user, I think a simple zip bomb would DoS the entire server.
Also, unzip's latest release was 9 years ago and it looks unmaintained.