V26.1
  • ZIP Security Policy


    DevExpress products include a ZIP security policy (SecureZipPolicy) that uses resource limits, hard blocks, and encryption rules to protect your application from ZIP-related attacks such as path traversal (zip-slip), decompression bombs, and symlink-based file system access.

    Security Policy Overview

    The SecureZipPolicy class enforces three categories of restrictions:

    • Resource Limits — configurable thresholds for entry size, count, depth, and compression ratio. Violations throw ResourceLimitViolationException and can be suppressed through an event handler.
    • Trust Boundary — hard-block checks for path traversal, absolute paths, control characters, reserved device names, and symlinks. Violations throw TrustBoundaryViolationException and cannot be suppressed.
    • Encryption Policy — controls which encryption algorithms are allowed for read and write operations.

    Manage Resource Limits

    Use the SecureZipPolicy.GlobalOptions.Limits property to read current resource limit values that apply application-wide.

    The following table lists available resource limits:

    Property                  Default   Description
    MaxEntryCount             32,768    Maximum number of entries (files) in the archive.
    MaxDepth                  32        Maximum path nesting level for entry names.
    MaxEntryBytes             2 GB      Maximum uncompressed size per entry. Entries larger than 2 GB are written in Zip64 format.
    MaxTotalBytes             4 GB      Maximum total uncompressed size across all entries.
    MaxCompressionRatio       100       Maximum compression ratio per entry. Limits the resources consumed when decompressing an overly compressed entry (decompression bomb).
    MaxTotalCompressionRatio  25        Maximum aggregate compression ratio for the entire archive, so that the total uncompressed size stays within a safe multiple of the compressed archive size.

    Configure Resource Limits Globally

    Call the following methods to modify resource limits at the application level:

    • SetSizeLimits(long? maxEntryBytes, long? maxTotalBytes) sets global limits on the uncompressed size of an individual entry and on the total uncompressed size of the archive.
    • SetCountAndDepthLimits(int? maxEntryCount, int? maxDepth) sets global limits on the total entry count and on the directory depth (path nesting level) of entry names.
    • SetCompressionLimits(double? maxCompressionRatio, double? maxTotalCompressionRatio) sets global compression ratio limits for individual entries and for the entire archive, respectively.

    The following code snippet sets global size limits:

    SecureZipPolicy.SetSizeLimits(
        maxEntryBytes:  50L * 1024 * 1024,   // 50 MB per entry
        maxTotalBytes: 200L * 1024 * 1024);  // 200 MB total
    

    Configure Resource Limits Per Operation

    Use the fluent API available through SecureZipPolicy.ResourceLimits to apply limits to an individual operation:

    var limits = SecureZipPolicy.ResourceLimits
        .Size(maxEntryBytes: 100L * 1024 * 1024, maxTotalBytes: 500L * 1024 * 1024);
    using(var zip = ZipArchive.Read(path, limits))
        zip.Extract(targetDirectory);
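
    The following is an added example, not DevExpress code, that combines the global and per-operation APIs above for a service that extracts user-uploaded archives. A baseline is set once at startup with all three global setters; each untrusted upload is then extracted under a tighter per-operation size limit, with the total-bytes budget also bounded by the free space on the target volume so that a large but legitimate archive cannot fill the disk. The UploadExtractor class, its two methods, and the limit values are assumptions of this example; the DevExpress namespaces that provide SecureZipPolicy and ZipArchive are assumed to be referenced by the project and are not repeated here.

```csharp
using System;
using System.IO;
// Plus the DevExpress namespaces that provide SecureZipPolicy and ZipArchive
// (assumed to be referenced by the project; not repeated in this example).

public static class UploadExtractor {
    // Called once at application startup. These are the process-wide defaults
    // that apply to every ZipArchive operation that does not pass its own limits.
    public static void ConfigureZipBaseline() {
        // An uploaded document bundle is never expected to hold more than a few
        // hundred files or directories nested more than a handful of levels deep.
        SecureZipPolicy.SetCountAndDepthLimits(maxEntryCount: 1000, maxDepth: 8);

        // Office, PDF and image payloads rarely compress beyond roughly 10:1. The
        // defaults (100 per entry, 25 overall) are generous; tighter ratios make a
        // decompression bomb fail early, before most of its output is written.
        SecureZipPolicy.SetCompressionLimits(maxCompressionRatio: 20, maxTotalCompressionRatio: 10);

        // Application-wide size defaults for operations without their own limits.
        SecureZipPolicy.SetSizeLimits(
            maxEntryBytes: 256L * 1024 * 1024,    // 256 MB per entry
            maxTotalBytes: 1024L * 1024 * 1024);  // 1 GB total
    }

    // Extracts one untrusted upload. The total-bytes limit for this operation is
    // the smaller of the per-upload budget and a quarter of the free space on the
    // target volume (example policy values, not DevExpress defaults).
    public static void ExtractUntrustedUpload(string archivePath, string targetDirectory) {
        const long perEntryBudget = 64L * 1024 * 1024;    // 64 MB
        const long perUploadBudget = 256L * 1024 * 1024;  // 256 MB

        Directory.CreateDirectory(targetDirectory);
        string volumeRoot = Path.GetPathRoot(Path.GetFullPath(targetDirectory));
        long freeSpace = new DriveInfo(volumeRoot).AvailableFreeSpace;
        long totalBudget = Math.Min(perUploadBudget, freeSpace / 4);

        // Per-operation limits built with the fluent API shown in the section above;
        // only the Size(...) method is used because it is the one documented there.
        var limits = SecureZipPolicy.ResourceLimits
            .Size(maxEntryBytes: perEntryBudget, maxTotalBytes: totalBudget);

        // A violation throws ResourceLimitViolationException (unless suppressed by a
        // ResourceLimitViolation handler) and is left to propagate to the caller.
        using(var zip = ZipArchive.Read(archivePath, limits))
            zip.Extract(targetDirectory);
    }
}
```

    Deriving the budget from AvailableFreeSpace turns a disk-exhaustion attempt into a ResourceLimitViolationException for the one offending upload instead of an out-of-space failure for the whole host. Count, depth and ratio limits are still taken from the global baseline because this page documents only the Size(...) builder for per-operation limits.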
    

    Suppress Resource Limit Violations

    A ResourceLimitViolationException is thrown each time a limit is exceeded during a ZIP archive operation. To suppress the exception, set e.Throw = false in the SecureZipPolicy.ResourceLimitViolation event handler; the offending entry is then skipped and the operation continues. Suppress violations only for archives from a trusted source: for untrusted input, let the exception propagate so the whole archive is rejected rather than partially extracted.

    The following code snippet suppresses resource limit violations:

    // ResourceLimitViolation — selectively suppress specific violation codes.
    SecureZipPolicy.ResourceLimitViolation += (sender, e) => {
        Log.Warn($"ZIP limit violated: {e.ViolationCode} for entry '{e.EntryName}'");
        // Treat size violations as warnings and do not throw the exception.
        if(e.ViolationCode == ResourceLimitViolationCode.EntryBytesLimitExceeded)
            e.Throw = false; // Skip this entry and continue extraction
    };
    

    Handle Trust Boundary Violations

    When a trust boundary violation is detected, the API throws TrustBoundaryViolationException and raises the SecureZipPolicy.TrustBoundaryViolation event. You can handle this event to log, monitor, or audit violations. Unlike ResourceLimitViolationException, TrustBoundaryViolationException cannot be suppressed.

    The following conditions trigger a trust boundary violation:

    • Path traversal in entry names (../, ..\): entry paths are normalized and validated so they cannot escape the target extraction directory. Result: Blocked.
    • Absolute paths in entry names (C:\..., /etc/...): entries with absolute paths, which could write to sensitive locations on the file system, are rejected. Result: Blocked.
    • Control characters in entry names (U+0000 to U+001F): control characters that could interfere with file system operations or command execution are disallowed. Result: Blocked.
    • Reserved device names (CON, NUL, PRN, AUX, COM, LPT): entries with reserved device names, which could cause conflicts or security issues, are rejected. Result: Blocked.
    • Encrypted entries (applies to DevExpress.Utils.Zip only): the encryption policy is enforced and entries encrypted with disallowed algorithms are rejected. Result: Blocked based on policy.
    • Weak encryption algorithm (PkZip): entries encrypted with weak algorithms are rejected if the policy requires strong encryption. Result: Blocked based on policy.
    • Symbolic links, hard links, and special-device entries (applies to DevExpress.Docs only): symlinks and special device entries, which could lead to unauthorized file system access, are not extracted. Result: Blocked.
    • Extraction path escaping the target root: the final extraction path of each entry must lie within the designated target directory. Result: Blocked.
    • File overwrite (if AllowOverwrite is not set): existing files are not overwritten during extraction unless the AllowOverwrite option explicitly allows it. Result: Blocked based on option.
    • Invalid archive structure: the integrity and structure of the ZIP archive are validated so that malformed or maliciously crafted archives are not processed. Result: Blocked.
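
    The following is an added example, not DevExpress code, that wires up both the ResourceLimitViolation event from the previous section and the TrustBoundaryViolation event from this one for an untrusted-input path: the handlers only count and log (e.Throw is never set to false), and the extraction routine catches both exception types, discards the partially extracted output, and moves the rejected archive to a quarantine folder for later analysis. The ZipAudit class, its methods, and the counters are assumptions of this example, as is the e.EntryName property on the TrustBoundaryViolation event arguments (this page documents it only for ResourceLimitViolation). The DevExpress namespaces that provide SecureZipPolicy, ZipArchive and the two exception types are assumed to be referenced by the project.

```csharp
using System;
using System.IO;
using System.Threading;
// Plus the DevExpress namespaces that provide SecureZipPolicy, ZipArchive,
// ResourceLimitViolationException and TrustBoundaryViolationException
// (assumed to be referenced by the project; not repeated in this example).

public static class ZipAudit {
    static long resourceViolations, trustViolations;

    public static long ResourceViolations => Interlocked.Read(ref resourceViolations);
    public static long TrustViolations => Interlocked.Read(ref trustViolations);

    // Subscribe once at startup. Both handlers only record what happened; for
    // untrusted input the exceptions are left to propagate so the whole archive
    // is rejected instead of being partially extracted.
    public static void Subscribe() {
        SecureZipPolicy.ResourceLimitViolation += (sender, e) => {
            Interlocked.Increment(ref resourceViolations);
            // e.Throw is left at its default, so no entry is silently skipped.
            Console.Error.WriteLine(
                $"zip-audit resource-limit code={e.ViolationCode} entry='{e.EntryName}'");
        };
        SecureZipPolicy.TrustBoundaryViolation += (sender, e) => {
            Interlocked.Increment(ref trustViolations);
            // TrustBoundaryViolationException follows regardless of what this handler
            // does; this is the place to emit a security event for monitoring.
            // Assumption: the event args expose the offending entry as e.EntryName.
            Console.Error.WriteLine($"zip-audit trust-boundary entry='{e.EntryName}'");
        };
    }

    // Extracts an archive into a fresh per-archive directory. On rejection the
    // partial output is removed and the archive is quarantined, not deleted, so the
    // sample stays available for investigation. Returns true on success.
    public static bool ExtractOrQuarantine(string archivePath, string extractRoot, string quarantineDir) {
        string target = Path.Combine(extractRoot, Path.GetRandomFileName());
        Directory.CreateDirectory(target);
        try {
            using(var zip = ZipArchive.Read(archivePath))
                zip.Extract(target);
            return true;
        }
        catch(TrustBoundaryViolationException ex) {
            // Hard block: traversal, absolute path, device name, link entry, escape of
            // the target root, or encryption the policy forbids. Entries extracted
            // before the offending one are inside 'target' and are removed with it.
            Directory.Delete(target, recursive: true);
            Quarantine(archivePath, quarantineDir, "trust-boundary", ex.Message);
            return false;
        }
        catch(ResourceLimitViolationException ex) {
            // Size, count, depth or ratio limit exceeded: treated the same way here.
            Directory.Delete(target, recursive: true);
            Quarantine(archivePath, quarantineDir, "resource-limit", ex.Message);
            return false;
        }
    }

    static void Quarantine(string archivePath, string quarantineDir, string reason, string detail) {
        Directory.CreateDirectory(quarantineDir);
        string dest = Path.Combine(quarantineDir,
            $"{DateTime.UtcNow:yyyyMMddHHmmss}-{Path.GetFileName(archivePath)}");
        File.Move(archivePath, dest);
        // Side-car note so the analyst knows which check fired without re-running it.
        File.WriteAllText(dest + ".reason.txt", $"{reason}: {detail}{Environment.NewLine}");
    }
}
```

    Extracting into a randomly named directory under extractRoot gives every archive its own target root, which keeps the "extraction path escaping the target root" check meaningful and makes cleanup after a rejection a single recursive delete. The two exception types are handled identically here on purpose: for untrusted uploads a resource-limit violation is as good a reason to reject the file as a trust-boundary one.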

    Encryption Policy

    Use the SecureZipPolicy.SetEncryptionPolicy(EncryptionPolicy policy) method to set the global encryption policy for ZIP operations.

    The following table describes the available encryption policies and their impact on read and write operations:

    Policy          Write default   ZipCrypto read                              Unknown (PKWARE) read
    Default         Aes256          Allowed (non-FIPS OS) / Blocked (FIPS OS)   Allowed
    ReadLegacyOnly  Aes256          Allowed                                     Allowed
    AesRequired     Aes256          WeakEncryptionBlocked                       Allowed
    FipsStrict      Aes256          WeakEncryptionBlocked                       WeakEncryptionBlocked
    Unrestricted    PkZip           Allowed                                     Allowed
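
    The following is an added example, not DevExpress code, that resolves the encryption policy from a deployment setting with a fail-closed fallback (an unrecognized value selects FipsStrict, never Unrestricted) and extracts an archive under that policy, turning a policy rejection into an actionable error. The ZipEncryptionSetup class, its methods, and the setting names are assumptions of this example. It also assumes, per the trust boundary table above, that an entry whose encryption the policy forbids surfaces as TrustBoundaryViolationException during read or extraction; the DevExpress namespaces that provide SecureZipPolicy, EncryptionPolicy and ZipArchive are assumed to be referenced by the project.

```csharp
using System;
// Plus the DevExpress namespaces that provide SecureZipPolicy, EncryptionPolicy,
// ZipArchive and TrustBoundaryViolationException (assumed to be referenced).

public static class ZipEncryptionSetup {
    // Maps a deployment setting to a policy. Anything unrecognized falls back to
    // the strictest policy rather than to Unrestricted, so a typo in configuration
    // can only make the application stricter, never weaker.
    public static EncryptionPolicy ResolvePolicy(string setting) {
        switch((setting ?? "").Trim().ToLowerInvariant()) {
            case "default": return EncryptionPolicy.Default;        // ZipCrypto read depends on OS FIPS mode
            case "legacy":  return EncryptionPolicy.ReadLegacyOnly; // read old ZipCrypto archives, write AES-256
            case "aes":     return EncryptionPolicy.AesRequired;    // reject ZipCrypto on read
            case "fips":    return EncryptionPolicy.FipsStrict;     // reject ZipCrypto and unknown PKWARE methods
            default:        return EncryptionPolicy.FipsStrict;     // fail closed
        }
    }

    // Called once at startup. SetEncryptionPolicy is global, so it is applied
    // before any archive is opened rather than toggled per request.
    public static EncryptionPolicy Apply(string setting) {
        var policy = ResolvePolicy(setting);
        SecureZipPolicy.SetEncryptionPolicy(policy);
        return policy;
    }

    // Reads and extracts an archive under the current policy. A rejection of the
    // archive's encryption is reported with the remediation the caller can act on
    // instead of a bare exception message.
    public static void ExtractUnderPolicy(string archivePath, string targetDirectory) {
        try {
            using(var zip = ZipArchive.Read(archivePath))
                zip.Extract(targetDirectory);
        }
        catch(TrustBoundaryViolationException ex) {
            throw new InvalidOperationException(
                $"'{archivePath}' uses encryption that the current encryption policy rejects. " +
                "Re-create the archive with AES-256, or process legacy ZipCrypto archives in a " +
                "separate migration job configured with ReadLegacyOnly. Detail: " + ex.Message, ex);
        }
    }
}
```

    Because the policy is process-wide, a one-off need to read ZipCrypto archives (for example, migrating an old archive store) is best served by a separate process started with the "legacy" setting, rather than by switching the policy at runtime in a service that is concurrently handling untrusted input.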

    Best Practices

    • Set strict resource limits based on expected archive sizes and contents to mitigate zip-bomb risks.
    • Handle TrustBoundaryViolationException to log and monitor potential attacks.
    • Use a strong encryption policy (for example, AesRequired or FipsStrict) so that archives relying on weak ZipCrypto (PkZip) encryption are rejected rather than silently accepted.
    • Regularly review and update security policies as new threats emerge and application requirements evolve.