Merge pull request #4244 from dannysmyda/4340-zip-bomb-detection

4340 zip bomb detection

Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java

@@ -180,6 +180,15 @@ class SevenZipExtractor {
      * @return true if potential zip bomb, false otherwise
      */
     private boolean isZipBombArchiveItemCheck(AbstractFile archiveFile, ISevenZipInArchive inArchive, int inArchiveItemIndex, ConcurrentHashMap<Long, Archive> depthMap, String escapedFilePath) {
+        //If a file is corrupted as a result of reconstructing it from unallocated space, then
+        //7zip does a poor job estimating the original uncompressed file size. 
+        //As a result, many corrupted files have wonky compression ratios and could flood the UI
+        //with false zip bomb notifications. The decision was made to skip compression ratio checks 
+        //for unallocated zip files. Instead, we let the depth be an indicator of a zip bomb.
+        if(archiveFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)) {
+            return false;
+        }
+        
         try {
             final Long archiveItemSize = (Long) inArchive.getProperty(
                     inArchiveItemIndex, PropID.SIZE);
@@ -540,7 +549,6 @@ class SevenZipExtractor {
                 inArchive = SevenZip.openInArchive(options, stream, password);
             }
             numItems = inArchive.getNumberOfItems();
-            logger.log(Level.INFO, "Count of items in archive: {0}: {1}", new Object[]{escapedArchiveFilePath, numItems}); //NON-NLS
             progress.start(numItems);
             progressStarted = true;