org.apache.poi.openxml4j.util
Class ZipSecureFile

java.lang.Object
  extended by java.util.zip.ZipFile
      extended by org.apache.poi.openxml4j.util.ZipSecureFile

public class ZipSecureFile
extends java.util.zip.ZipFile

This class wraps a ZipFile in order to check the entries for zip bombs while reading the archive. If a ZipInputStream is directly used, the wrapper can be applied via addThreshold(InputStream). The alert limits can be globally defined via setMaxEntrySize(long) and setMinInflateRatio(double).
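
Added example (not part of the POI documentation or code base): it sets both global limits once and then reads every entry through getInputStream, using only the constructors and methods listed on this page. The 64 MiB limit, the class name ZipSecureFileDemo, the helper scan and the all-zero sample archive are constructed for illustration; the POI version documented here is assumed to be on the classpath.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;
import org.apache.poi.openxml4j.util.ZipSecureFile;

public class ZipSecureFileDemo {
    /** Reads every entry to the end; returns null if all pass, else the failure message. */
    static String scan(File zip) throws IOException {
        try (ZipSecureFile zsf = new ZipSecureFile(zip)) {
            byte[] buf = new byte[8192];
            Enumeration<? extends ZipEntry> en = zsf.entries();
            while (en.hasMoreElements()) {
                ZipEntry e = en.nextElement();
                try (InputStream in = zsf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* limits are checked as bytes are read */ }
                } catch (IOException ex) {
                    return e.getName() + ": " + ex.getMessage();
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Limits are static, so they apply to every ZipSecureFile in this JVM.
        ZipSecureFile.setMinInflateRatio(0.01d);          // page default: 1%
        ZipSecureFile.setMaxEntrySize(64L * 1024 * 1024); // constructed limit: 64 MiB per entry

        // Constructed sample: 16 MiB of zero bytes, which deflates to well under 1%.
        File zip = File.createTempFile("constructed-sample", ".zip");
        zip.deleteOnExit();
        try (ZipOutputStream out = new ZipOutputStream(new FileOutputStream(zip))) {
            out.putNextEntry(new ZipEntry("zeros.bin"));
            byte[] zeros = new byte[1024 * 1024];
            for (int i = 0; i < 16; i++) out.write(zeros);
            out.closeEntry();
        }
        String failure = scan(zip);
        System.out.println(failure == null ? "all entries within limits" : "rejected " + failure);
    }
}
```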


Nested Class Summary
static class ZipSecureFile.ThresholdInputStream
           
 
Field Summary
static int CENATT
           
static int CENATX
           
static int CENCOM
           
static int CENCRC
           
static int CENDSK
           
static int CENEXT
           
static int CENFLG
           
static int CENHDR
           
static int CENHOW
           
static int CENLEN
           
static int CENNAM
           
static int CENOFF
           
static long CENSIG
           
static int CENSIZ
           
static int CENTIM
           
static int CENVEM
           
static int CENVER
           
static int ENDCOM
           
static int ENDHDR
           
static int ENDOFF
           
static long ENDSIG
           
static int ENDSIZ
           
static int ENDSUB
           
static int ENDTOT
           
static int EXTCRC
           
static int EXTHDR
           
static int EXTLEN
           
static long EXTSIG
           
static int EXTSIZ
           
static int LOCCRC
           
static int LOCEXT
           
static int LOCFLG
           
static int LOCHDR
           
static int LOCHOW
           
static int LOCLEN
           
static int LOCNAM
           
static long LOCSIG
           
static int LOCSIZ
           
static int LOCTIM
           
static int LOCVER
           
 
Fields inherited from class java.util.zip.ZipFile
OPEN_DELETE, OPEN_READ
 
Constructor Summary
ZipSecureFile(java.io.File file)
           
ZipSecureFile(java.io.File file, int mode)
           
ZipSecureFile(java.lang.String name)
           
 
Method Summary
static ZipSecureFile.ThresholdInputStream addThreshold(java.io.InputStream zipIS)
           
 java.io.InputStream getInputStream(java.util.zip.ZipEntry entry)
          Returns an input stream for reading the contents of the specified zip file entry.
static long getMaxEntrySize()
          Returns the current maximum allowed uncompressed file size.
static long getMaxTextSize()
          Returns the current maximum allowed text size.
static double getMinInflateRatio()
          Returns the current minimum compression rate that is used.
static void setMaxEntrySize(long maxEntrySize)
          Sets the maximum file size of a single zip entry.
static void setMaxTextSize(long maxTextSize)
          Sets the maximum number of characters of text that are extracted before an exception is thrown while extracting text from documents.
static void setMinInflateRatio(double ratio)
          Sets the ratio between deflated and inflated bytes used to detect zip bombs.
 
Methods inherited from class java.util.zip.ZipFile
close, entries, finalize, getEntry, getName, size
 
Methods inherited from class java.lang.Object
clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

LOCSIG

public static final long LOCSIG
See Also:
Constant Field Values

EXTSIG

public static final long EXTSIG
See Also:
Constant Field Values

CENSIG

public static final long CENSIG
See Also:
Constant Field Values

ENDSIG

public static final long ENDSIG
See Also:
Constant Field Values

LOCHDR

public static final int LOCHDR
See Also:
Constant Field Values

EXTHDR

public static final int EXTHDR
See Also:
Constant Field Values

CENHDR

public static final int CENHDR
See Also:
Constant Field Values

ENDHDR

public static final int ENDHDR
See Also:
Constant Field Values

LOCVER

public static final int LOCVER
See Also:
Constant Field Values

LOCFLG

public static final int LOCFLG
See Also:
Constant Field Values

LOCHOW

public static final int LOCHOW
See Also:
Constant Field Values

LOCTIM

public static final int LOCTIM
See Also:
Constant Field Values

LOCCRC

public static final int LOCCRC
See Also:
Constant Field Values

LOCSIZ

public static final int LOCSIZ
See Also:
Constant Field Values

LOCLEN

public static final int LOCLEN
See Also:
Constant Field Values

LOCNAM

public static final int LOCNAM
See Also:
Constant Field Values

LOCEXT

public static final int LOCEXT
See Also:
Constant Field Values

EXTCRC

public static final int EXTCRC
See Also:
Constant Field Values

EXTSIZ

public static final int EXTSIZ
See Also:
Constant Field Values

EXTLEN

public static final int EXTLEN
See Also:
Constant Field Values

CENVEM

public static final int CENVEM
See Also:
Constant Field Values

CENVER

public static final int CENVER
See Also:
Constant Field Values

CENFLG

public static final int CENFLG
See Also:
Constant Field Values

CENHOW

public static final int CENHOW
See Also:
Constant Field Values

CENTIM

public static final int CENTIM
See Also:
Constant Field Values

CENCRC

public static final int CENCRC
See Also:
Constant Field Values

CENSIZ

public static final int CENSIZ
See Also:
Constant Field Values

CENLEN

public static final int CENLEN
See Also:
Constant Field Values

CENNAM

public static final int CENNAM
See Also:
Constant Field Values

CENEXT

public static final int CENEXT
See Also:
Constant Field Values

CENCOM

public static final int CENCOM
See Also:
Constant Field Values

CENDSK

public static final int CENDSK
See Also:
Constant Field Values

CENATT

public static final int CENATT
See Also:
Constant Field Values

CENATX

public static final int CENATX
See Also:
Constant Field Values

CENOFF

public static final int CENOFF
See Also:
Constant Field Values

ENDSUB

public static final int ENDSUB
See Also:
Constant Field Values

ENDTOT

public static final int ENDTOT
See Also:
Constant Field Values

ENDSIZ

public static final int ENDSIZ
See Also:
Constant Field Values

ENDOFF

public static final int ENDOFF
See Also:
Constant Field Values

ENDCOM

public static final int ENDCOM
See Also:
Constant Field Values

Constructor Detail

ZipSecureFile

public ZipSecureFile(java.io.File file,
                     int mode)
              throws java.util.zip.ZipException,
                     java.io.IOException
Throws:
java.util.zip.ZipException
java.io.IOException

ZipSecureFile

public ZipSecureFile(java.io.File file)
              throws java.util.zip.ZipException,
                     java.io.IOException
Throws:
java.util.zip.ZipException
java.io.IOException

ZipSecureFile

public ZipSecureFile(java.lang.String name)
              throws java.util.zip.ZipException,
                     java.io.IOException
Throws:
java.util.zip.ZipException
java.io.IOException

Method Detail

setMinInflateRatio

public static void setMinInflateRatio(double ratio)
Sets the ratio between deflated (compressed) and inflated (uncompressed) bytes that is used to detect zip bombs. It defaults to 1% (= 0.01d), i.e. when the compressed size is less than 1% of the inflated size for any given read package part, parsing fails and reports a zip bomb.

Parameters:
ratio - the ratio between deflated and inflated bytes used to detect zip bombs

getMinInflateRatio

public static double getMinInflateRatio()
Returns the current minimum compression rate that is used. See setMinInflateRatio() for details.

Returns:
The min accepted compression-ratio.

setMaxEntrySize

public static void setMaxEntrySize(long maxEntrySize)
Sets the maximum file size of a single zip entry. It defaults to 4GB, i.e. the 32-bit zip format maximum. This can be used to limit memory consumption and protect against security vulnerabilities when documents are provided by users.

Parameters:
maxEntrySize - the max. file size of a single zip entry

getMaxEntrySize

public static long getMaxEntrySize()
Returns the current maximum allowed uncompressed file size. See setMaxEntrySize() for details.

Returns:
The max accepted uncompressed file size.

setMaxTextSize

public static void setMaxTextSize(long maxTextSize)
Sets the maximum number of characters of text that are extracted before an exception is thrown while extracting text from documents. This can be used to limit memory consumption and protect against security vulnerabilities when documents are provided by users.

Parameters:
maxTextSize - the max. number of characters of text to extract

getMaxTextSize

public static long getMaxTextSize()
Returns the current maximum allowed text size. See setMaxTextSize() for details.

Returns:
The max accepted text size.

getInputStream

public java.io.InputStream getInputStream(java.util.zip.ZipEntry entry)
                                   throws java.io.IOException
Returns an input stream for reading the contents of the specified zip file entry.

Closing this ZIP file will, in turn, close all input streams that have been returned by invocations of this method.

Overrides:
getInputStream in class java.util.zip.ZipFile
Parameters:
entry - the zip file entry
Returns:
the input stream for reading the contents of the specified zip file entry.
Throws:
java.util.zip.ZipException - if a ZIP format error has occurred
java.io.IOException - if an I/O error has occurred
java.lang.IllegalStateException - if the zip file has been closed

addThreshold

public static ZipSecureFile.ThresholdInputStream addThreshold(java.io.InputStream zipIS)
                                                       throws java.io.IOException
Throws:
java.io.IOException