Class ZipSecureFile

java.lang.Object
org.apache.commons.compress.archivers.zip.ZipFile
org.apache.poi.openxml4j.util.ZipSecureFile
All Implemented Interfaces:
Closeable, AutoCloseable

public class ZipSecureFile extends org.apache.commons.compress.archivers.zip.ZipFile
This class wraps a ZipFile in order to check the entries for zip bombs while reading the archive.

The alert limits can be globally defined via setMaxEntrySize(long) and setMinInflateRatio(double).

  • Nested Class Summary

    Nested classes/interfaces inherited from class org.apache.commons.compress.archivers.zip.ZipFile

    org.apache.commons.compress.archivers.zip.ZipFile.Builder
  • Constructor Summary

    Constructors
    Constructor
    Description
     
     
  • Method Summary

    Modifier and Type
    Method
    Description
    ZipArchiveThresholdInputStream
    getInputStream(org.apache.commons.compress.archivers.zip.ZipArchiveEntry entry)
    Returns an input stream for reading the contents of the specified zip file entry.
    static long
    getMaxEntrySize()
    Returns the current maximum allowed uncompressed file size.
    static long
    getMaxTextSize()
    Returns the current maximum allowed text size.
    static double
    getMinInflateRatio()
    Returns the current minimum compression rate that is used.
    String
    getName()
    Returns the path name of the ZIP file.
    static void
    setMaxEntrySize(long maxEntrySize)
    Sets the maximum file size of a single zip entry.
    static void
    setMaxTextSize(long maxTextSize)
    Sets the maximum number of characters of text that are extracted before an exception is thrown while extracting text from documents.
    static void
    setMinInflateRatio(double ratio)
    Sets the ratio between deflated and inflated bytes used to detect a zip bomb.

    Methods inherited from class org.apache.commons.compress.archivers.zip.ZipFile

    builder, canReadEntryData, close, closeQuietly, copyRawEntries, finalize, getContentBeforeFirstLocalFileHeader, getEncoding, getEntries, getEntries, getEntriesInPhysicalOrder, getEntriesInPhysicalOrder, getEntry, getFirstLocalFileHeaderOffset, getRawInputStream, getUnixSymlink

    Methods inherited from class java.lang.Object

    clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

  • Method Details

    • setMinInflateRatio

      public static void setMinInflateRatio(double ratio)
      Sets the ratio between deflated (compressed) and inflated (uncompressed) bytes used to detect a zip bomb. It defaults to 1% (= 0.01d), i.e. when the compressed size is less than 1% of the inflated size for any package part being read, parsing fails and reports a zip bomb.
      Parameters:
      ratio - the ratio between deflated and inflated bytes used to detect a zip bomb
    • getMinInflateRatio

      public static double getMinInflateRatio()
      Returns the current minimum compression rate that is used. See setMinInflateRatio() for details.
      Returns:
      The min accepted compression-ratio.
    • setMaxEntrySize

      public static void setMaxEntrySize(long maxEntrySize)
      Sets the maximum file size of a single zip entry. It defaults to 4GB, i.e. the 32-bit zip format maximum. This can be used to limit memory consumption and protect against security vulnerabilities when documents are provided by users.
      Parameters:
      maxEntrySize - the max. file size of a single zip entry
    • getMaxEntrySize

      public static long getMaxEntrySize()
      Returns the current maximum allowed uncompressed file size. See setMaxEntrySize() for details.
      Returns:
      The max accepted uncompressed file size.
    • setMaxTextSize

      public static void setMaxTextSize(long maxTextSize)
      Sets the maximum number of characters of text that are extracted before an exception is thrown while extracting text from documents. This can be used to limit memory consumption and protect against security vulnerabilities when documents are provided by users.
      Parameters:
      maxTextSize - the maximum number of characters of text that are extracted
    • getMaxTextSize

      public static long getMaxTextSize()
      Returns the current maximum allowed text size. See setMaxTextSize() for details.
      Returns:
      The max accepted text size.
    • getInputStream

      public ZipArchiveThresholdInputStream getInputStream(org.apache.commons.compress.archivers.zip.ZipArchiveEntry entry) throws IOException
      Returns an input stream for reading the contents of the specified zip file entry.

      Closing this ZIP file will, in turn, close all input streams that have been returned by invocations of this method.

      Overrides:
      getInputStream in class org.apache.commons.compress.archivers.zip.ZipFile
      Parameters:
      entry - the zip file entry
      Returns:
      the input stream for reading the contents of the specified zip file entry.
      Throws:
      IOException - if an I/O error has occurred
      IllegalStateException - if the zip file has been closed
    • getName

      public String getName()
      Returns the path name of the ZIP file.
      Returns:
      the path name of the ZIP file
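
The following added example (not part of the POI documentation or code base) shows one way to apply the limits above before reading a user-supplied package and to handle a rejected archive. The class name UntrustedPackageScan, the 100 MiB entry limit and the file argument are assumptions made for illustration, and the ZipSecureFile(File) constructor is assumed from the POI API because the constructor summary on this page is empty.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.Enumeration;

import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.poi.openxml4j.util.ZipSecureFile;

public class UntrustedPackageScan {

    // Limits chosen for this example only; tune them to the documents you expect.
    static final double MIN_INFLATE_RATIO = 0.01d;          // the documented default
    static final long MAX_ENTRY_SIZE = 100L * 1024 * 1024;  // 100 MiB instead of the 4GB default

    /** Call once at startup: the limits are static and apply to the whole JVM. */
    static void applyLimits() {
        ZipSecureFile.setMinInflateRatio(MIN_INFLATE_RATIO);
        ZipSecureFile.setMaxEntrySize(MAX_ENTRY_SIZE);
    }

    /** Reads every entry through the threshold stream; returns total inflated bytes. */
    static long drain(File upload) throws IOException {
        long total = 0;
        byte[] buf = new byte[8192];
        try (ZipSecureFile zip = new ZipSecureFile(upload)) {
            Enumeration<ZipArchiveEntry> entries = zip.getEntries();
            while (entries.hasMoreElements()) {
                ZipArchiveEntry entry = entries.nextElement();
                if (entry.isDirectory()) continue;
                try (InputStream in = zip.getInputStream(entry)) {
                    int n;
                    while ((n = in.read(buf)) != -1) total += n;
                }
            }
        }
        return total;
    }

    public static void main(String[] args) {
        applyLimits();
        try {
            System.out.println("inflated bytes: " + drain(new File(args[0])));
        } catch (IOException e) {
            // A limit violation surfaces as an IOException while reading the entry.
            System.err.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the setters are static, the values apply to every ZipSecureFile in the JVM, so set them once during startup rather than per request.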