[Security] ZIP bomb vulnerability in plugin extraction no size limits

[csharpfritz]

Summary

Plugin ZIP extraction in PluginManager.cs has no size limits, compression ratio checks, or path traversal protection. This enables ZIP bomb attacks.

Affected File

src/SharpSite.Web/PluginManager.cs (lines 244-294)

Risks

• ZIP bomb: A 42KB zip can decompress to petabytes
• Disk exhaustion: No total or per-file size caps
• Path traversal: Only empty-name entries are filtered; ../ sequences not explicitly blocked

Recommended Fix

Add max total extracted size (100MB), max single file size (50MB), compression ratio check (100:1), and path normalization with directory containment validation.

Estimated Effort

2-3 hours

[csharpfritz]

Triage: Security

Routed to @river. ZIP bomb vulnerability in plugin extraction (no size limits, compression ratio checks, or path traversal guards).

Priority: 2 (critical security)
Effort: 2-3 hours
Fix: Add max total extracted size (100MB), per-file cap (50MB), compression ratio check (100:1), and path normalization.

[csharpfritz]

Fixed in commit f98f520. Added two-layer ZIP bomb protection: upload-time validation (50MB/file, 100MB total, 100:1 ratio) + extraction-time defense-in-depth with path traversal blocking. Part of PR #352.