Class ZipSecureFile

java.lang.Object
org.apache.commons.compress.archivers.zip.ZipFile
org.apache.poi.openxml4j.util.ZipSecureFile
All Implemented Interfaces:
Closeable, AutoCloseable

public class ZipSecureFile extends ZipFile
This class wraps a ZipFile in order to check the entries for zip bombs while reading the archive.

The alert limits can be globally defined via setMaxEntrySize(long) and setMinInflateRatio(double).

  • Constructor Details

  • Method Details

    • setMinInflateRatio

      public static void setMinInflateRatio(double ratio)
      Sets the minimum ratio between deflated (compressed) and inflated (uncompressed) bytes, used to detect a zip bomb. It defaults to 1% (= 0.01d), i.e. when the compression is better than 1% for any given package part being read, parsing fails and reports a zip bomb.
      Parameters:
      ratio - the minimum ratio between deflated and inflated bytes, used to detect a zip bomb
    • getMinInflateRatio

      public static double getMinInflateRatio()
      Returns the current minimum compression rate that is used. See setMinInflateRatio() for details.
      Returns:
      The min accepted compression-ratio.
    • setMaxEntrySize

      public static void setMaxEntrySize(long maxEntrySize)
      Sets the maximum file size of a single zip entry. It defaults to 4GB, i.e. the 32-bit zip format maximum. This can be used to limit memory consumption and protect against security vulnerabilities when documents are provided by users.
      Parameters:
      maxEntrySize - the max. file size of a single zip entry
      Throws:
      IllegalArgumentException - for negative maxEntrySize
    • getMaxEntrySize

      public static long getMaxEntrySize()
      Returns the current maximum allowed uncompressed file size. See setMaxEntrySize() for details.
      Returns:
      The max accepted uncompressed file size.
    • setMaxTextSize

      public static void setMaxTextSize(long maxTextSize)
      Sets the maximum number of characters of text that are extracted before an exception is thrown while extracting text from documents. This can be used to limit memory consumption and protect against security vulnerabilities when documents are provided by users.
      Parameters:
      maxTextSize - the max. number of characters of text that are extracted
      Throws:
      IllegalArgumentException - for negative maxTextSize
    • getMaxTextSize

      public static long getMaxTextSize()
      Returns the current maximum allowed text size.
      Returns:
      The max accepted text size.
    • getInputStream

      public ZipArchiveThresholdInputStream getInputStream(ZipArchiveEntry entry) throws IOException
      Returns an input stream for reading the contents of the specified zip file entry.

      Closing this ZIP file will, in turn, close all input streams that have been returned by invocations of this method.

      Overrides:
      getInputStream in class ZipFile
      Parameters:
      entry - the zip file entry
      Returns:
      the input stream for reading the contents of the specified zip file entry.
      Throws:
      IOException - if an I/O error has occurred
      IllegalStateException - if the zip file has been closed
    • getName

      public String getName()
      Returns the path name of the ZIP file.
      Returns:
      the path name of the ZIP file
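
The following is an added example, not code from the POI project: it sets the limits documented above and then reads every entry of an archive through getInputStream(ZipArchiveEntry), so that a violated limit surfaces as an IOException before the file is handed to a document parser. The class name, the helper passesLimits, the 50 MB and 5M-character values, and the constructed sample archive are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.poi.openxml4j.util.ZipSecureFile;

public class ZipSecureFileLimitsExample {

    /** Hypothetical helper: drains every entry through the threshold stream; false = reject. */
    static boolean passesLimits(File archive) {
        try (ZipSecureFile zip = new ZipSecureFile(archive)) {
            byte[] buf = new byte[8192];
            Enumeration<ZipArchiveEntry> entries = zip.getEntries();
            while (entries.hasMoreElements()) {
                try (InputStream in = zip.getInputStream(entries.nextElement())) {
                    while (in.read(buf) != -1) { /* discard; limits are checked while reading */ }
                }
            }
            return true;
        } catch (IOException e) {
            // Limit violations and ordinary I/O errors both arrive here; log and reject.
            System.err.println("Rejected " + archive.getName() + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // The setters are static, so the limits apply JVM-wide: set them once at startup.
        ZipSecureFile.setMinInflateRatio(0.01d);           // the documented default
        ZipSecureFile.setMaxEntrySize(50L * 1024 * 1024);  // assumed policy: 50 MB per entry
        ZipSecureFile.setMaxTextSize(5L * 1024 * 1024);    // assumed policy: 5M characters

        // Constructed sample: one entry of 8 MB of zero bytes, far below the 1% ratio.
        File sample = File.createTempFile("constructed-sample", ".zip");
        sample.deleteOnExit();
        try (ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(sample.toPath()))) {
            out.putNextEntry(new ZipEntry("part.xml"));
            out.write(new byte[8 * 1024 * 1024]);
            out.closeEntry();
        }
        System.out.println("accepted = " + passesLimits(sample));
    }
}
```

Because the limits are global, a value relaxed for one trusted workload also applies to every other thread that opens user-supplied documents in the same JVM.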