<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Close this issue](https://contributors.gitlab.com/manage-issue?action=close&projectId=278964&issueIid=350815) </details> <!--IssueSummary end--> See https://gitlab.com/gitlab-org/manage/import/backend/discussion/-/issues/9 for context. When we accept/process user-provided files during import / export, ensure that malicious files can not cause negative impacts. Similar to gitlab-com/gl-infra/production#6132. One example is Decompression Bombs. # Proposal - Identify where we accept files from users - Identify where we process already-uploaded files from users (e.g. when preparing an export and an MR has an attached file, or processing an archive that someone says is an import) - Identify if any existing measures which prevent malicious files from impacting the system (e.g. anti-virus, sandboxing) - Start a discussion on if and how we can improve our file handling protections against malicious files N.b. this issue itself currently is a data gathering & conversation starting exercise, vs. having code-changing outcomes. # References - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files + In particular, the [section on Zip Bombs](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files#zip-bombs)