Status: Open
Labels: enhancement (New feature or request)
Description
Is your feature request related to a problem? Please describe.
Bandit currently does not detect potential decompression bomb vulnerabilities.
Describe the solution you'd like
Add a new check (for example, B114) that detects:
- Direct dangerous calls: gzip.decompress(), zlib.decompress(), bz2.decompress(), lzma.decompress() and other standard libs.
- Reading from compressed files without a size limit: gzip.open() followed by .read() without a size argument.
Describe alternatives you've considered
gosec (Go security checker) has a similar rule (G110).
Additional context
- CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
- I'm happy to submit a PR if this feature is welcomed
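An added example, not code from this issue or from the Bandit project: a stand-alone prototype of the proposed check written against Python's ast module rather than Bandit's plugin API, run over a constructed sample file. It covers both bullets from the request (direct *.decompress() calls, and .read() without a size argument on a handle returned by gzip.open()/bz2.open()/lzma.open()), resolves "import ... as" and "from ... import" aliases, and also treats .read(-1) as unbounded. The DecompressionBombVisitor and scan names and the OPEN_FUNCS set are assumptions of this example; handle tracking is module-wide with no scope analysis, which a real check would have to add.

```python
from __future__ import annotations

import ast

# Direct decompress-into-memory calls from the standard library (the issue's first bullet).
DECOMPRESS_FUNCS = {"gzip.decompress", "zlib.decompress", "bz2.decompress", "lzma.decompress"}
# Openers whose handles hand back decompressed bytes from .read() (the issue's second bullet).
OPEN_FUNCS = {"gzip.open", "bz2.open", "lzma.open"}


class DecompressionBombVisitor(ast.NodeVisitor):
    """Prototype of the proposed check as a plain ast visitor (example code, not Bandit's plugin API)."""
    def __init__(self) -> None:
        self.aliases: dict[str, str] = {}      # local name -> qualified name, from import statements
        self.handles: set[str] = set()         # names bound to gzip.open() etc.; module-wide, no scope tracking
        self.findings: list[tuple[int, str]] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = alias.name

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = f"{node.module or ''}.{alias.name}"

    def resolve(self, func: ast.expr) -> str | None:
        """Qualified name of a call target (z.decompress -> zlib.decompress); None if not a dotted name."""
        parts: list[str] = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None   # e.g. zlib.decompressobj().decompress(...): a method on a call result
        return ".".join([self.aliases.get(func.id, func.id), *reversed(parts)])

    def _is_opener(self, node: ast.AST) -> bool:
        return isinstance(node, ast.Call) and self.resolve(node.func) in OPEN_FUNCS

    @staticmethod
    def _read_is_unbounded(call: ast.Call) -> bool:
        size = call.args[0] if call.args else next((k.value for k in call.keywords if k.arg == "size"), None)
        if size is None:
            return True   # .read() with no size reads the whole stream
        # .read(-1) also reads everything; the literal -1 parses as UnaryOp(USub, Constant(1)), not Constant(-1)
        return (isinstance(size, ast.UnaryOp) and isinstance(size.op, ast.USub)
                and isinstance(size.operand, ast.Constant) and size.operand.value == 1)

    def visit_Assign(self, node: ast.Assign) -> None:
        if self._is_opener(node.value):
            self.handles.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_With(self, node: ast.With) -> None:
        for item in node.items:
            if self._is_opener(item.context_expr) and isinstance(item.optional_vars, ast.Name):
                self.handles.add(item.optional_vars.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = self.resolve(node.func)
        if name in DECOMPRESS_FUNCS:
            self.findings.append((node.lineno, f"{name}() decompresses with no output size limit"))
        elif isinstance(node.func, ast.Attribute) and node.func.attr == "read" and self._read_is_unbounded(node):
            target = node.func.value
            if (isinstance(target, ast.Name) and target.id in self.handles) or self._is_opener(target):
                self.findings.append((node.lineno, "read() on a compressed stream without a size argument"))
        self.generic_visit(node)


def scan(source: str) -> list[tuple[int, str]]:
    visitor = DecompressionBombVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample input for the example (not taken from any real project); comments give the expected verdict.
SAMPLE_SOURCE = '''\
import gzip
import zlib as z
from bz2 import decompress
import lzma
def a(blob):
    return z.decompress(blob)              # flagged: zlib.decompress through an alias
def b(blob):
    return decompress(blob)                # flagged: bz2.decompress via from-import
def c(path):
    with gzip.open(path) as f:
        return f.read()                    # flagged: unbounded read on a gzip handle
def d(path):
    fh = lzma.open(path)
    return fh.read(1 << 20)                # ok: size argument bounds the read
def e(path):
    return gzip.open(path).read()          # flagged: chained open().read()
def f(blob):
    obj = z.decompressobj()
    return obj.decompress(blob, 1 << 20)   # ok: max_length bounds the output
def g(path):
    return lzma.open(path).read(-1)        # flagged: -1 means read everything
'''

if __name__ == "__main__":
    for lineno, message in scan(SAMPLE_SOURCE):
        print(f"sample.py:{lineno}: {message}")
```

Running it prints one line per hit (sample lines 6, 8, 11, 16 and 21) and stays silent on the bounded read in d, the max_length call in f, and plain open().read(), which the check must not confuse with a compressed handle.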
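A second added example, also not from the issue or the project: the call the proposed check would flag, beside the bounded form a reviewer would ask for, exercised against a constructed gzip bomb (8 MiB of zeros, a few KiB on the wire). zlib.decompressobj().decompress(data, max_length) caps the output of a one-shot decompress, and a chunked read with a running budget replaces gzip.open(...).read(); the 1 MiB MAX_OUTPUT budget and the function names are assumptions of the example.

```python
import gzip
import io
import zlib

MAX_OUTPUT = 1 << 20  # assumed policy for this example: at most 1 MiB of decompressed data per payload


class DecompressionBombError(Exception):
    """Raised when a payload would expand past the configured budget."""


def make_bomb(decompressed_size: int) -> bytes:
    """Constructed sample payload: a run of zeros shrinks roughly 1000:1 under gzip."""
    return gzip.compress(b"\0" * decompressed_size, compresslevel=9)


def unsafe_decompress(blob: bytes) -> int:
    """The pattern the proposed check flags: the output size is whatever the sender chose."""
    return len(gzip.decompress(blob))


def bounded_decompress(blob: bytes, max_output: int = MAX_OUTPUT) -> bytes:
    """One-shot decompress capped at max_output bytes (gzip or zlib framing, auto-detected)."""
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)   # 32 + 15: accept a gzip or zlib header
    # Ask for one byte more than the budget: a stream of exactly max_output bytes completes
    # normally, while anything larger overruns the budget and is rejected before it is all buffered.
    out = d.decompress(blob, max_output + 1)
    if len(out) > max_output:
        raise DecompressionBombError(
            f"output exceeds {max_output} bytes; {len(d.unconsumed_tail)} input bytes left unprocessed")
    if not d.eof:
        raise ValueError("truncated or corrupt compressed stream")
    return out


def bounded_file_read(fileobj, max_output: int = MAX_OUTPUT, chunk: int = 64 * 1024) -> bytes:
    """Replacement for gzip.open(...).read(): read in chunks against a running budget."""
    buf = bytearray()
    with gzip.GzipFile(fileobj=fileobj) as gz:
        while piece := gz.read(chunk):
            buf += piece
            if len(buf) > max_output:
                raise DecompressionBombError(f"output exceeds {max_output} bytes")
    return bytes(buf)


def bounded_file_read_bytes(blob: bytes) -> bytes:
    """Wrapper so an in-memory payload can stand in for an opened file."""
    return bounded_file_read(io.BytesIO(blob))


def is_rejected(fn, blob: bytes) -> bool:
    """True if fn(blob) refuses the payload as a decompression bomb."""
    try:
        fn(blob)
    except DecompressionBombError:
        return True
    return False


BOMB = make_bomb(8 << 20)               # 8 MiB of zeros: a few KiB compressed
SMALL = gzip.compress(b"hello world")    # benign payload

if __name__ == "__main__":
    print(f"bomb: {len(BOMB)} bytes compressed, {unsafe_decompress(BOMB)} bytes if decompressed blindly")
    print("bounded_decompress rejects bomb:", is_rejected(bounded_decompress, BOMB))
    print("bounded_file_read rejects bomb:", is_rejected(bounded_file_read_bytes, BOMB))
    print("benign payload:", bounded_decompress(SMALL))
```

The budget is checked before the data is accumulated, so a bomb costs at most max_output bytes of memory rather than its full expansion; a payload of exactly max_output bytes is still accepted, and an incomplete stream is reported separately from an oversized one.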