How to determine if a Zip Bomb error thrown when r

2019-07-08 10:24发布

I've got a piece of code which is erroring when I attempt to get the Styles Table for an Excel file, using apache POIs XSSFReader. All I do, involving the file, is shown below:

XSSFReader reader = new XSSFReader(OPCPackage.open(excelFile.getPath(), PackageAccess.READ));
StylesTable table = reader.getStylesTable();

I get the following error:

Caused by: java.io.IOException: Zip bomb detected! The file would exceed certain limits which usually indicate that the file is used to inflate memory usage and thus could pose a security risk. You can adjust these limits via setMinInflateRatio() and setMaxEntrySize() if you need to work with files which exceed these limits. Counter: 1644067, cis.counter: 16384, ratio: 0.009965530601855033Limits: MIN_INFLATE_RATIO: 0.01, MAX_ENTRY_SIZE: 4294967295

I'm not sure how to tell if this is a false positive (Opening the file in excel it seems fine), and if so how to appropriately deal with this?

1条回答
我命由我不由天
2楼-- · 2019-07-08 11:14

These checks are mainly intended for cases where you accept documents from untrusted peers, e.g. when users on your website can upload arbitrary documents for processing via your service.

In this case you want to avoid receiving documents which can blow up your server due to excessive memory usage.

Therefore Apache POI has default limits that the developers deemed "sane" to allow processing of almost all valid documents, but should block all maliciously formatted documents.

Whenever you know where the document originates and you trust the source to not produce malicious documents, you can safely set higher limits if necessary. In your case the size of the compressed data is much lower than the expanded data, which is deemed suspicious, thus by setting a lower minimum inflation ratio, e.g. ZipSecureFile.setMinInflateRatio(0.009), prior to loading the document you should be able to make it work for you.

查看更多
登录 后发表回答