You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -32,7 +32,7 @@ Although zip bombs are eminently testable using penetration testing techniques,
|**12.3.2**| Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of local files (LFI). | ✓ | ✓ | ✓ | 73 |
|**12.3.3**| Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files via Remote File Inclusion (RFI) or Server-side Request Forgery (SSRF) attacks. | ✓ | ✓ | ✓ | 98 |
|**12.3.4**|[MOVED TO 12.5.3]|||||
|**12.3.5**|Verify that untrusted file metadata is not used directly with system API or libraries, to protect against OS command injection.|✓ | ✓ | ✓ | 78|
|**12.3.5**|[DELETED, DUPLICATE OF 5.3.8]|||||
|**12.3.6**| Verify that the application does not include and execute functionality from untrusted sources, such as unverified content distribution networks, JavaScript libraries, node npm libraries, or server-side DLLs. || ✓ | ✓ | 829 |
|**12.3.7**|[ADDED] Verify that server-side file processing such as file decompression ignores user-provided path information to prevent vulnerabilities such as zip slip. | ✓ | ✓ | ✓ | 23 |
