Closed
Description
I'm getting the following error from time to time:
https://github.com/composer/composer/blob/main/src/Composer/Downloader/ZipDownloader.php#L232
As we can see here, it relies on random checks, which would explain why it's intermittent and not easily reproducible.
I want to share specifically this part of the output error logs:
#19 4.676 - Installing vlucas/phpdotenv (v5.6.1): Extracting archive
#19 4.701 0/108 [>---------------------------] 0%
#19 4.852 50/108 [============>---------------] 46%
#19 4.974 80/108 [====================>-------] 74%
#19 5.075 100/108 [=========================>--] 92%
#19 5.121 108/108 [============================] 100%
#19 5.464 In ZipDownloader.php line 232:
#19 5.464
#19 5.464 Invalid zip file with compression ratio >99% (possible zip bomb)
#19 5.464
#19 5.464
#19 5.464 install [--prefer-source] [--prefer-dist] [--prefer-install PREFER-INSTALL] [--dry-run] [--download-only] [--dev] [--no-suggest] [--no-dev]
[--no-autoloader] [--no-progress] [--no-install] [--audit] [--audit-format AUDIT-FORMAT]
[-v|vv|vvv|--verbose] [-o|--optimize-autoloader] [-a|--classmap-authoritative]
[--apcu-autoloader] [--apcu-autoloader-prefix APCU-AUTOLOADER-PREFIX]
[--ignore-platform-req IGNORE-PLATFORM-REQ] [--ignore-platform-reqs] [--] [<packages>...]
#19 5.464
#19 ERROR: process "/bin/sh -c composer install --optimize-autoloader --no-interaction --no-dev --no-scripts" did not complete successfully: exit code: 1
------
> [dependencies 7/7] RUN composer install --optimize-autoloader --no-interaction --no-dev --no-scripts:
4.285 - Installing aws/aws-sdk-php (3.337.3): Extracting archive
4.647 - Installing league/flysystem-aws-s3-v3 (3.29.0): Extracting archive
5.464 In ZipDownloader.php line 232:
5.464
5.464 Invalid zip file with compression ratio >99% (possible zip bomb)
5.464
5.464
5.464 install [--prefer-source] [--prefer-dist] [--prefer-install PREFER-INSTALL] [--dry-run]
[--download-only] [--dev] [--no-suggest] [--no-dev] [--no-autoloader] [--no-progress] [--no-install]
[--audit] [--audit-format AUDIT-FORMAT] [-v|vv|vvv|--verbose] [-o|--optimize-autoloader]
[-a|--classmap-authoritative] [--apcu-autoloader] [--apcu-autoloader-prefix APCU-AUTOLOADER-PREFIX]
[--ignore-platform-req IGNORE-PLATFORM-REQ] [--ignore-platform-reqs] [--] [<packages>...]
5.464
------
Dockerfile:15
And the reason why I want to bring this up is because we know that aws/aws-sdk-php is a massive composer library with a huge footprint. I'm not sure if it's related or not, but every time I see this error it is positioned in such a way that the AWS SDK package is close by or very visible in the error logs. I wonder if, depending on how the random files are picked, it could think of the AWS SDK as a zip bomb?
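The following is an added illustration, not code from composer's ZipDownloader and not a claim about how that class samples entries. It models a sampled, ratio-only zip-bomb heuristic over an in-memory archive built here (constructed data, not a real package), shows why a legitimate archive that mixes highly compressible generated files with incompressible ones can be rejected on one run and accepted on the next depending on which entries the random draw picks, and contrasts it with a size-aware variant. All function names, the 0.99 ratio and the 256 MiB floor are assumptions for the example.

```python
import io
import random
import zipfile

# Constructed sample archive (not a real package): eight large, very
# repetitive "generated" files that deflate shrinks by well over 99%, plus
# eight incompressible random blobs. Both kinds are benign.
REPETITIVE = {
    f"src/Generated{i}.php": b"<?php\n" + b"// autogenerated\n" * 60_000
    for i in range(8)
}
RANDOM = {
    f"assets/blob{i}.bin": random.Random(i).randbytes(50_000) for i in range(8)
}


def build_archive(files):
    """Write name -> bytes pairs into an in-memory deflate zip, return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


MIXED_ZIP = build_archive({**REPETITIVE, **RANDOM})


def entries(zip_bytes):
    """File entries from the central directory (no decompression needed)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info for info in zf.infolist() if not info.is_dir()]


def compression_ratio(infos):
    """Fraction of bytes saved over the given entries, from declared sizes."""
    compressed = sum(info.compress_size for info in infos)
    uncompressed = sum(info.file_size for info in infos)
    return 1.0 - compressed / uncompressed if uncompressed else 0.0


def ratio_only_verdict(infos, max_ratio=0.99):
    """Naive heuristic: reject whenever the sampled ratio exceeds max_ratio."""
    return "reject" if compression_ratio(infos) > max_ratio else "accept"


def sampled_verdict(zip_bytes, sample_size=2, seed=0):
    """Apply the naive heuristic to a random draw of entries (assumed design)."""
    rng = random.Random(seed)
    infos = entries(zip_bytes)
    sample = rng.sample(infos, min(sample_size, len(infos)))
    return ratio_only_verdict(sample)


def verdict_spread(zip_bytes, seeds=range(60)):
    """Set of verdicts the same archive receives across different random draws."""
    return {sampled_verdict(zip_bytes, seed=s) for s in seeds}


def size_aware_verdict(infos, max_ratio=0.99, min_total=256 * 1024 * 1024):
    """Reject only if the ratio is extreme AND the declared output is big enough
    to be harmful; small, highly compressible source files pass (assumed floor)."""
    total = sum(info.file_size for info in infos)
    if compression_ratio(infos) > max_ratio and total > min_total:
        return "reject"
    return "accept"


if __name__ == "__main__":
    generated_only = [i for i in entries(MIXED_ZIP) if i.filename.startswith("src/")]
    print("ratio over generated files only:", round(compression_ratio(generated_only), 4))
    print("ratio-only verdict on that subset:", ratio_only_verdict(generated_only))
    print("verdicts across 60 random draws:", verdict_spread(MIXED_ZIP))
    print("size-aware verdict on that subset:", size_aware_verdict(generated_only))
```

Run as a script, the same archive flips between accept and reject purely on the seed, which is the kind of intermittent failure described above. Two defender-side points follow from the model: the sizes in the central directory are attacker-controlled, so any ratio computed from them is only a cheap pre-filter and the real protection is a hard cap on bytes actually written during extraction; and a ratio threshold without an absolute-size floor will reject ordinary generated or minified sources, so a heuristic that cannot decompress the whole archive should at least weight its sample by declared size rather than treat a handful of tiny, highly compressible files as evidence of a bomb.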