Apache POI: resolving the "Zip bomb detected" error


Exception message:

Caused by: com.alibaba.excel.exception.ExcelAnalysisException: java.io.IOException: Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data.
This may indicate that the file is used to inflate memory usage and thus could pose a security risk.
You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit.
Uncompressed size: 741169, Raw/compressed size: 7411, ratio: 0.009999
Limits: MIN_INFLATE_RATIO: 0.010000, Entry: xl/drawings/drawing1.xml
        at com.alibaba.excel.analysis.ExcelAnalyserImpl.<init>(ExcelAnalyserImpl.java:51)
        at com.alibaba.excel.ExcelReader.<init>(ExcelReader.java:141)
        at com.alibaba.excel.ExcelReader.<init>(ExcelReader.java:101)
        at com.alibaba.excel.ExcelReader.<init>(ExcelReader.java:69)
        at com.alibaba.excel.EasyExcelFactory.getReader(EasyExcelFactory.java:95)
        at com.cy.tools.excel.EasyExcelHelper.readExcelByModelFromInputStream(EasyExcelHelper.java:294)
        ... 98 common frames omitted
Caused by: java.io.IOException: Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data.
This may indicate that the file is used to inflate memory usage and thus could pose a security risk.
You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit.
Uncompressed size: 741169, Raw/compressed size: 7411, ratio: 0.009999
Limits: MIN_INFLATE_RATIO: 0.010000, Entry: xl/drawings/drawing1.xml
        at org.apache.poi.openxml4j.util.ZipArchiveThresholdInputStream.checkThreshold(ZipArchiveThresholdInputStream.java:132)
        at org.apache.poi.openxml4j.util.ZipArchiveThresholdInputStream.read(ZipArchiveThresholdInputStream.java:82)
        at org.apache.poi.util.IOUtils.toByteArray(IOUtils.java:182)
        at org.apache.poi.util.IOUtils.toByteArray(IOUtils.java:149)
        at org.apache.poi.openxml4j.util.ZipArchiveFakeEntry.<init>(ZipArchiveFakeEntry.java:47)
        at org.apache.poi.openxml4j.util.ZipInputStreamZipEntrySource.<init>(ZipInputStreamZipEntrySource.java:53)
        at org.apache.poi.openxml4j.opc.ZipPackage.<init>(ZipPackage.java:106)
        at org.apache.poi.openxml4j.opc.OPCPackage.open(OPCPackage.java:307)
        at com.alibaba.excel.analysis.v07.XlsxSaxAnalyser.readOpcPackage(XlsxSaxAnalyser.java:130)
        at com.alibaba.excel.analysis.v07.XlsxSaxAnalyser.<init>(XlsxSaxAnalyser.java:58)
        at com.alibaba.excel.analysis.ExcelAnalyserImpl.choiceExcelExecutor(ExcelAnalyserImpl.java:92)
        at com.alibaba.excel.analysis.ExcelAnalyserImpl.<init>(ExcelAnalyserImpl.java:45)
        ... 103 common frames omitted

Using apache poi – Zip Bomb detected

Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data. This may indicate that the file is used to inflate memory usage and thus could pose a security risk. You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit. Counter: 820224, cis.counter: 8192, ratio: 0.009987515605493134 Limits: MIN_INFLATE_RATIO: 0.01

The fix is to add the following line before opening the workbook:

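// org.apache.poi.openxml4j.util.ZipSecureFile; the limit is static, and a minimum ratio of 0 means no entry can fail the inflate-ratio check
ZipSecureFile.setMinInflateRatio(0);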

 

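"Zip bomb" is a term for an attack vector in which a small zip file expands into a very large uncompressed file, causing problems such as exhausting memory or disk space.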

Such zip files are usually created to cause a denial of service on systems that receive zip files from external sources.

Because .xlsx files are actually zip archives containing XML files, this kind of zip bomb can be triggered in POI.

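To prevent this, Apache POI has built-in safeguards, and they are enabled by default. As a result, if you create a file with unusual content, for example many rows/columns with the same content, you can trip these safeguards and receive the exception above.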

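If you fully control the creation of the files being processed, you can adjust the setting named in the error message to avoid the exception.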
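An added example (not from the original article or from Apache POI) of adjusting the limit for files you control without switching the ratio check off: it lowers the ratio slightly, keeps an absolute per-entry size cap, and restores the previous limits afterwards. The class name, the method name and both threshold values are assumptions for illustration.

```java
import org.apache.poi.openxml4j.util.ZipSecureFile;
import org.apache.poi.xssf.usermodel.XSSFWorkbook;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

public final class TrustedWorkbookLoader {
    // Assumed values; tune them to the files your own systems produce.
    // The entry in the trace above had ratio 0.009999 against the 0.01 limit.
    private static final double RELAXED_MIN_INFLATE_RATIO = 0.005;
    // Absolute cap on the expanded size of a single zip entry (64 MiB here).
    private static final long MAX_ENTRY_BYTES = 64L * 1024 * 1024;

    private TrustedWorkbookLoader() {}

    /**
     * Opens an .xlsx file that the caller has already established as trusted
     * (for example, one generated by the application itself).
     *
     * ZipSecureFile limits are static, so they apply to every POI parse in the
     * JVM while this method runs; synchronized only serialises callers of this
     * method. Do not parse untrusted uploads concurrently with it.
     */
    public static synchronized XSSFWorkbook openTrusted(Path xlsx) throws IOException {
        double previousRatio = ZipSecureFile.getMinInflateRatio();
        long previousMaxEntry = ZipSecureFile.getMaxEntrySize();
        try (InputStream in = Files.newInputStream(xlsx)) {
            ZipSecureFile.setMinInflateRatio(RELAXED_MIN_INFLATE_RATIO);
            ZipSecureFile.setMaxEntrySize(MAX_ENTRY_BYTES);
            // The zip entries are inflated while the workbook is constructed,
            // so the relaxed limits are only needed for this call.
            return new XSSFWorkbook(in);
        } finally {
            // Restore the previous limits for all other parsing in the JVM.
            ZipSecureFile.setMinInflateRatio(previousRatio);
            ZipSecureFile.setMaxEntrySize(previousMaxEntry);
        }
    }
}
```

Files from external sources should keep going through a code path that leaves the default limits in place.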

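See https://bz.apache.org/bugzilla/show_bug.cgi?id=58499 for a related issue, and "Zip-bomb exception while writing a large formatted Excel (.xlsx)" and "How to determine if a Zip Bomb error thrown when retrieving an Excel file's styles table is legitimate?" for similar discussions.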
