fix: improve upload ZIP file validation (#25658)

2026-04-19 16:14:52 +00:00 · 2023-10-17 18:28:09 +01:00
parent cb963585ad
commit f473d13d0d
4 changed files with 83 additions and 0 deletions
--- a/superset/utils/core.py
+++ b/superset/utils/core.py
@@ -1917,6 +1917,25 @@ def create_zip(files: dict[str, Any]) -> BytesIO:
    return buf


+def check_is_safe_zip(zip_file: ZipFile) -> None:
+    """
+    Checks whether a ZIP file is safe, raises SupersetException if not.
+
+    :param zip_file:
+    :return:
+    """
+    uncompress_size = 0
+    compress_size = 0
+    for zip_file_element in zip_file.infolist():
+        if zip_file_element.file_size > current_app.config["ZIPPED_FILE_MAX_SIZE"]:
+            raise SupersetException("Found file with size above allowed threshold")
+        uncompress_size += zip_file_element.file_size
+        compress_size += zip_file_element.compress_size
+    compress_ratio = uncompress_size / compress_size
+    if compress_ratio > current_app.config["ZIP_FILE_MAX_COMPRESS_RATIO"]:
+        raise SupersetException("Zip compress ratio above allowed threshold")
+
+
 def remove_extra_adhoc_filters(form_data: dict[str, Any]) -> None:
    """
    Remove filters from slice data that originate from a filter box or native filter