Is your feature request related to a problem? Please describe.
Bandit currently does not detect potential decompression bomb vulnerabilities.
Describe the solution you'd like
Add a new check (for example, B114) that detects:
- Direct dangerous calls: `gzip.decompress()`, `zlib.decompress()`, `bz2.decompress()`, `lzma.decompress()`, and the equivalents in other standard library modules.
- Reading from compressed files without a size limit: `gzip.open()` followed by `.read()` without a size argument.
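To make the two patterns concrete, here is a small AST-based prototype of the proposed check together with a bounded decompression helper showing the mitigation. This is an added example, not Bandit's code and not part of this request; the function names (`scan_source`, `bounded_zlib_decompress`) and the sample source it scans are constructed for illustration.

```python
"""Prototype of a decompression-bomb check (added example, not Bandit's own plugin)."""
import ast
import zlib

COMPRESSION_MODULES = {"gzip", "zlib", "bz2", "lzma"}
FILE_OPENERS = {"gzip", "bz2", "lzma"}  # modules whose open() yields a decompressing stream


def _module_attr(node):
    """Return (module, attr) for a call shaped like gzip.decompress(...), else None."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        if isinstance(node.func.value, ast.Name):
            return node.func.value.id, node.func.attr
    return None


class DecompressionBombVisitor(ast.NodeVisitor):
    """Flags unbounded decompress() calls and unbounded .read() on compressed streams."""

    def __init__(self):
        self.findings = []          # list of (lineno, message)
        self.stream_names = set()   # names bound to gzip/bz2/lzma.open(...) results

    def _remember_stream(self, target, value):
        ma = _module_attr(value)
        if ma and ma[0] in FILE_OPENERS and ma[1] == "open" and isinstance(target, ast.Name):
            self.stream_names.add(target.id)

    def visit_Assign(self, node):
        for target in node.targets:
            self._remember_stream(target, node.value)
        self.generic_visit(node)

    def visit_With(self, node):
        for item in node.items:
            if item.optional_vars is not None:
                self._remember_stream(item.optional_vars, item.context_expr)
        self.generic_visit(node)

    def visit_Call(self, node):
        ma = _module_attr(node)
        # Pattern 1: one-shot decompress() with no bound on the output size.
        if ma and ma[0] in COMPRESSION_MODULES and ma[1] == "decompress":
            self.findings.append((node.lineno, f"{ma[0]}.decompress() has no output size bound"))
        # Pattern 2: .read() with no size argument on a compressed stream.
        if (isinstance(node.func, ast.Attribute) and node.func.attr == "read"
                and not node.args and not node.keywords):
            recv = node.func.value
            opener = _module_attr(recv)
            named_stream = isinstance(recv, ast.Name) and recv.id in self.stream_names
            chained_open = opener is not None and opener[0] in FILE_OPENERS and opener[1] == "open"
            if named_stream or chained_open:
                self.findings.append((node.lineno, "unbounded .read() on compressed stream"))
        self.generic_visit(node)


def scan_source(source):
    """Parse Python source and return the list of (lineno, message) findings."""
    visitor = DecompressionBombVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


def bounded_zlib_decompress(data, max_out):
    """Mitigation: decompress at most max_out bytes, rejecting input that would exceed it."""
    d = zlib.decompressobj()
    out = d.decompress(data, max_out)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("decompressed output would exceed limit")
    return out


def rejects_bomb(data, max_out):
    """True if bounded_zlib_decompress refuses the input at the given limit."""
    try:
        bounded_zlib_decompress(data, max_out)
    except ValueError:
        return True
    return False


# Constructed sample source exercising both patterns (line numbers start at 2).
SAMPLE = '''
import gzip, zlib
data = zlib.decompress(blob)
with gzip.open(path, "rb") as f:
    body = f.read()
chunk = f.read(1024)
raw = gzip.open(path).read()
'''

# Constructed payloads: a highly compressible "bomb" and a small benign message.
BOMB = zlib.compress(b"\0" * 100_000)
SAFE = zlib.compress(b"hello world")

if __name__ == "__main__":
    for lineno, msg in scan_source(SAMPLE):
        print(f"line {lineno}: {msg}")
    print(bounded_zlib_decompress(SAFE, 1024), rejects_bomb(BOMB, 1024))
```

Running it reports the `zlib.decompress()` call (line 3), the `f.read()` inside the `with` block (line 5) and the chained `gzip.open(path).read()` (line 7), while the `f.read(1024)` on line 6 is left alone because it carries a size argument. The helper shows the corresponding fix on the decompression side: `zlib.decompressobj().decompress(data, max_length)` caps the output, and leftover `unconsumed_tail` or a missing end-of-stream marker means the input would have expanded past the limit.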
Describe alternatives you've considered
gosec (Go security checker) has a similar rule (G110).
Additional context