
Archive / ZIP upload security

Archives deserve their own controls. The same route that safely accepts a JPEG can become a resource-exhaustion problem the moment it accepts ZIP.

  • Limit entry count.
  • Limit total uncompressed bytes.
  • Limit nesting depth.
  • Reject traversal-style paths.

```ts
import { composeScanners, createZipBombGuard, CommonHeuristicsScanner } from 'pompelmi';

const scanner = composeScanners(
  [
    ['zipGuard', createZipBombGuard()],       // archive limits run first
    ['heuristics', CommonHeuristicsScanner],  // then the content heuristics
  ],
  { stopOn: 'suspicious' }                    // stop as soon as a scanner returns 'suspicious'
);
```
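To show what the four limits above look like when enforced against the bytes of an upload, here is a standalone central-directory pre-flight in Node.js. It is example code written for this page, not pompelmi's implementation; the limit values, function names and the in-memory sample archives are assumptions.

```javascript
// Added example (not pompelmi code): reject a ZIP on entry count, declared size, nesting and paths
// before a single entry is inflated. Node.js only, no dependencies. Limit values are hypothetical.
const LIMITS = { maxEntries: 100, maxUncompressedBytes: 1024, maxNestedArchives: 0 };

function readCentralDirectory(buf) {
  // The EOCD record (0x06054b50) sits at the end, possibly followed by a comment of up to 65535 bytes.
  let eocd = -1;
  for (let i = buf.length - 22; i >= Math.max(0, buf.length - 22 - 65535); i--)
    if (buf.readUInt32LE(i) === 0x06054b50) { eocd = i; break; }
  if (eocd < 0) throw new Error('not a ZIP: no end-of-central-directory record');
  const count = buf.readUInt16LE(eocd + 10), entries = []; let p = buf.readUInt32LE(eocd + 16);
  for (let n = 0; n < count; n++) {
    if (p + 46 > buf.length || buf.readUInt32LE(p) !== 0x02014b50) throw new Error('corrupt central directory');
    const nameLen = buf.readUInt16LE(p + 28), extraLen = buf.readUInt16LE(p + 30), commentLen = buf.readUInt16LE(p + 32);
    entries.push({ name: buf.toString('utf8', p + 46, p + 46 + nameLen), uncompressed: buf.readUInt32LE(p + 24) });
    p += 46 + nameLen + extraLen + commentLen; // next central directory header
  }
  return entries;
}

// Returns the list of policy violations; an empty list means the archive passed the pre-flight.
function checkZip(buf, limits = LIMITS) {
  const entries = readCentralDirectory(buf), problems = [];
  if (entries.length > limits.maxEntries) problems.push(`too many entries (${entries.length})`);
  const total = entries.reduce((s, e) => s + e.uncompressed, 0);
  if (total > limits.maxUncompressedBytes) problems.push(`declared uncompressed size ${total} exceeds limit`);
  const nested = entries.filter(e => /\.(zip|jar|war)$/i.test(e.name)).length;
  if (nested > limits.maxNestedArchives) problems.push(`${nested} nested archive(s) not allowed`);
  for (const { name } of entries) {
    // Absolute paths, drive letters and any '..' segment (either separator) are traversal-style names.
    if (/^[\\/]|^[A-Za-z]:/.test(name) || name.split(/[\\/]/).includes('..')) problems.push(`unsafe path: ${name}`);
  }
  return problems;
}

// Builds a minimal stored (method 0) ZIP. CRCs stay zero because the pre-flight never reads entry data.
function buildZip(files) {
  const parts = [], central = []; let offset = 0;
  for (const [name, data] of files) {
    const nm = Buffer.from(name), lh = Buffer.alloc(30), ch = Buffer.alloc(46);
    lh.writeUInt32LE(0x04034b50, 0); lh.writeUInt32LE(data.length, 18); lh.writeUInt32LE(data.length, 22); lh.writeUInt16LE(nm.length, 26);
    ch.writeUInt32LE(0x02014b50, 0); ch.writeUInt32LE(data.length, 20); ch.writeUInt32LE(data.length, 24); ch.writeUInt16LE(nm.length, 28); ch.writeUInt32LE(offset, 42);
    parts.push(lh, nm, data); central.push(ch, nm); offset += 30 + nm.length + data.length;
  }
  const cd = Buffer.concat(central), eocd = Buffer.alloc(22);
  eocd.writeUInt32LE(0x06054b50, 0); eocd.writeUInt16LE(files.length, 8); eocd.writeUInt16LE(files.length, 10);
  eocd.writeUInt32LE(cd.length, 12); eocd.writeUInt32LE(offset, 16);
  return Buffer.concat([...parts, cd, eocd]);
}

// Constructed sample uploads: one clean archive, one that trips the size, nesting and path limits.
const SAFE_ZIP = buildZip([['docs/readme.txt', Buffer.from('hello')]]);
const BAD_ZIP = buildZip([['../../outside.txt', Buffer.alloc(2000)], ['inner.zip', Buffer.alloc(10)]]);
```

The sizes read here are whatever the archive declares, so this pre-flight only rejects early; the extraction step still has to cap the bytes it actually inflates per entry and in total.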