But what makes the new effort unique is that it doesn't use recursion. The main implication here is that this new zip bomb will not be detected by current anti-virus software.
The reason zip bombs use recursion is because the DEFLATE algorithm used in ZIP parsers can’t achieve a compression ratio higher than 1032:1. If you want more compression than that, you have to recurse. Fifield discovered a way to bypass this limit. As he writes on his blog (more details at ExtremeTech):
This article shows how to construct a non-recursive zip bomb whose compression ratio surpasses the DEFLATE limit of 1032. It works by overlapping files inside the zip container, in order to reference a “kernel” of highly compressed data in multiple files, without making multiple copies of it. The zip bomb’s output size grows quadratically in the input size; i.e., the compression ratio gets better as the bomb gets bigger. The construction depends on features of both zip and DEFLATE—it is not directly portable to other file formats or compression algorithms. It is compatible with most zip parsers, the exceptions being “streaming” parsers that parse in one pass without first consulting the zip file’s central directory.
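The two properties described above, local file headers that overlap so several entries share one compressed "kernel", and a declared output far above 1032 times the bytes actually present, can both be read off the zip central directory without inflating anything. The following is an added detection example, not code from the article or from Fifield; the overlap heuristic and the constructed metadata in `demo_overlapping` are this example's own assumptions (the local extra field is ignored, so the byte ranges are a conservative lower bound).

```python
import io
import zipfile
from dataclasses import dataclass

DEFLATE_MAX_RATIO = 1032   # per-file DEFLATE ceiling cited in the article
LOCAL_HEADER_FIXED = 30    # fixed bytes of a zip local file header (before name/extra)

@dataclass
class Entry:
    name: str
    header_offset: int     # where the central directory says the local header is
    compress_size: int
    file_size: int
    def extent(self):
        # Byte range the entry should occupy: local header + name + compressed data
        # (local extra field ignored, so this is a conservative lower bound).
        start = self.header_offset
        return start, start + LOCAL_HEADER_FIXED + len(self.name.encode()) + self.compress_size

def entries_from_zip(fileobj):
    """Collect entry metadata from the central directory without inflating anything."""
    with zipfile.ZipFile(fileobj) as zf:
        return [Entry(i.filename, i.header_offset, i.compress_size, i.file_size) for i in zf.infolist()]

def analyze(entries):
    """Flag overlapping entries and compare declared output with bytes actually occupied."""
    overlaps, max_end, owner = [], -1, None
    for e in sorted(entries, key=lambda e: e.header_offset):
        start, end = e.extent()
        if start < max_end:               # header starts inside an earlier entry's data
            overlaps.append((owner, e.name))
        if end > max_end:
            max_end, owner = end, e.name
    occupied = max_end - min(e.header_offset for e in entries)
    ratio = sum(e.file_size for e in entries) / occupied
    return {"overlaps": overlaps, "ratio": ratio,
            "suspicious": bool(overlaps) or ratio > DEFLATE_MAX_RATIO}

def demo_benign():
    # Ordinary two-file archive built with the standard library: no overlap, modest ratio.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"hello " * 100)
        zf.writestr("b.txt", b"x" * 1000)
    buf.seek(0)
    return analyze(entries_from_zip(buf))

def demo_overlapping():
    # Constructed metadata (not a real archive): two entries whose local headers point into
    # the same 21,000-byte compressed kernel, each declaring 21 MB of output.
    return analyze([Entry("kernel-1.bin", 0, 21000, 21_000_000),
                    Entry("kernel-2.bin", 40, 21000, 21_000_000)])
```

A streaming parser that never consults the central directory cannot apply this check, which matches the compatibility caveat in the quoted abstract.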