Open
Description
While exploring the codebase, I noticed that create_challenge_using_zip_file in apps/challenges/views.py uses standard zipfile.extractall() on user-uploaded ZIPs. This makes the system vulnerable to Zip Slip (path traversal) and Zip Bomb (disk exhaustion) attacks.
Suggested change:
Implemented a centralized extract_zip_safely utility in apps/base/utils.py that validates both file paths and decompressed size before extraction. Refactoring the API to use this utility will significantly harden the challenge creation flow. I have a PR ready that implements this utility and integrates it into the primary challenge upload entry point.
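The two checks the issue describes, path validation and a decompressed-size budget applied before anything is written, as an added illustration that is not the project's own extract_zip_safely utility or the code in the linked PR. The function name is borrowed from the issue; the limits (512 MiB total, 100:1 ratio, 10 000 members), the rejection of symlink members and the in-memory sample archives are assumptions made here so the example runs offline.

```python
import io
import os
import stat
import tempfile
import zipfile


class UnsafeZipError(ValueError):
    """Archive failed a safety check. Raised before any member is written."""


def _safe_target(dest_dir, member_name):
    """Resolve member_name under dest_dir; reject anything that could escape it."""
    parts = member_name.split("/")
    if not member_name or ".." in parts or "\\" in member_name or os.path.isabs(member_name):
        raise UnsafeZipError(f"suspicious member path: {member_name!r}")
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, member_name))
    # realpath + commonpath catches tricks that a plain string check misses
    if os.path.commonpath([base, target]) != base:
        raise UnsafeZipError(f"member escapes destination: {member_name!r}")
    return target


def validate_archive(zf, max_total_bytes, max_ratio, max_members):
    """Check the central directory before extracting. Returns declared total size."""
    infos = zf.infolist()
    if len(infos) > max_members:
        raise UnsafeZipError(f"too many members: {len(infos)}")
    total = 0
    for info in infos:
        # Symlink members let a later member write through the link (assumed policy: reject)
        if stat.S_ISLNK(info.external_attr >> 16):
            raise UnsafeZipError(f"symlink member: {info.filename!r}")
        total += info.file_size
        if total > max_total_bytes:
            raise UnsafeZipError(f"declared size exceeds budget ({total} > {max_total_bytes})")
        if info.compress_size and info.file_size / info.compress_size > max_ratio:
            raise UnsafeZipError(f"compression ratio too high: {info.filename!r}")
    return total


def extract_zip_safely(source, dest_dir, *, max_total_bytes=512 * 1024 * 1024,
                       max_ratio=100, max_members=10_000, chunk=64 * 1024):
    """Extract `source` (path or file object) into dest_dir; returns bytes written."""
    with zipfile.ZipFile(source) as zf:
        validate_archive(zf, max_total_bytes, max_ratio, max_members)
        # Resolve every path first so a bad member late in the archive writes nothing
        targets = {info.filename: _safe_target(dest_dir, info.filename) for info in zf.infolist()}
        written_total = 0
        for info in zf.infolist():
            target = targets[info.filename]
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            try:
                with zf.open(info) as src, open(target, "wb") as dst:
                    while True:
                        buf = src.read(chunk)
                        if not buf:
                            break
                        written_total += len(buf)
                        # Count real bytes: the budget must not rely on header fields alone
                        if written_total > max_total_bytes:
                            raise UnsafeZipError("decompressed data exceeds budget")
                        dst.write(buf)
            except UnsafeZipError:
                os.remove(target)  # do not leave a partial file behind
                raise
        return written_total


# --- constructed sample archives (assumptions for the demonstration) ---
def make_zip(entries):
    """Build an in-memory ZIP from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf


def make_symlink_zip(name, link_target):
    """Build an in-memory ZIP whose single member is a symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(name)
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(info, link_target)
    return buf


def extract_to_tempdir(source, **limits):
    """Extract into a fresh temp dir; return (bytes_written, {relative path: content})."""
    with tempfile.TemporaryDirectory() as d:
        written = extract_zip_safely(source, d, **limits)
        files = {}
        for root, _, names in os.walk(d):
            for n in names:
                p = os.path.join(root, n)
                with open(p, "rb") as f:
                    files[os.path.relpath(p, d).replace(os.sep, "/")] = f.read()
        return written, files


def is_rejected(source, **limits):
    """True if the archive is refused by extract_zip_safely."""
    try:
        extract_to_tempdir(source, **limits)
    except UnsafeZipError:
        return True
    return False


if __name__ == "__main__":
    print(extract_to_tempdir(make_zip([("data/a.txt", b"hello"), ("README.md", b"# hi")])))
    print(is_rejected(make_zip([("../escape.txt", b"x")])))          # Zip Slip
    print(is_rejected(make_zip([("zeros.bin", b"\0" * 2_000_000)])))   # high ratio
    print(is_rejected(make_symlink_zip("link", "/etc/passwd")))        # symlink member
```

The central-directory pass rejects the archive before any write, and the streaming loop counts bytes actually produced, so the budget holds even if a header understates a member's size. Extraction of a large file also stays bounded by the per-chunk read rather than loading a whole member into memory.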