xss...

fanningpj Mon, 01 Jul 2024 14:37:37 -0700

Author: fanningpj
Date: Mon Jul  1 21:36:31 2024
New Revision: 1918800

URL: http://svn.apache.org/viewvc?rev=1918800&view=rev
Log:
throw exception if xlsx contains duplicate file names


Added:
    
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/opc/internal/InvalidZipException.java
   (with props)
    poi/trunk/test-data/spreadsheet/duplicate-file.xlsx   (with props)
Modified:
    
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/opc/ZipPackage.java
    
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipSecureFile.java
    
poi/trunk/poi-ooxml/src/test/java/org/apache/poi/xssf/usermodel/TestXSSFWorkbook.java

Modified: 
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/opc/ZipPackage.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/opc/ZipPackage.java?rev=1918800&r1=1918799&r2=1918800&view=diff
==============================================================================
--- 
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/opc/ZipPackage.java 
(original)
+++ 
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/opc/ZipPackage.java 
Mon Jul  1 21:36:31 2024
@@ -187,6 +187,8 @@ public final class ZipPackage extends OP
         try {
             final ZipFile zipFile = ZipHelper.openZipFile(file); // NOSONAR
             ze = new ZipFileZipEntrySource(zipFile);
+        } catch (InvalidZipException e) {
+            throw new InvalidOperationException("Can't open the specified 
file: '" + file + "'", e);
         } catch (IOException e) {
             // probably not happening with write access - not sure how to 
handle the default read-write access ...
             if (access == PackageAccess.WRITE) {

Added: 
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/opc/internal/InvalidZipException.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/opc/internal/InvalidZipException.java?rev=1918800&view=auto
==============================================================================
--- 
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/opc/internal/InvalidZipException.java
 (added)
+++ 
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/opc/internal/InvalidZipException.java
 Mon Jul  1 21:36:31 2024
@@ -0,0 +1,14 @@
+package org.apache.poi.openxml4j.opc.internal;
+
+import java.io.IOException;
+
+/**
+ * Thrown if the zip file is invalid.
+ *
+ * @since 5.3.1
+ */
+public class InvalidZipException extends IOException {
+    public InvalidZipException(String message) {
+        super(message);
+    }
+}

Propchange: 
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/opc/internal/InvalidZipException.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: 
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipSecureFile.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipSecureFile.java?rev=1918800&r1=1918799&r2=1918800&view=diff
==============================================================================
--- 
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipSecureFile.java
 (original)
+++ 
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipSecureFile.java
 Mon Jul  1 21:36:31 2024
@@ -19,11 +19,15 @@ package org.apache.poi.openxml4j.util;
 
 import java.io.File;
 import java.io.IOException;
+import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.Set;
 
 import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
 import org.apache.commons.compress.archivers.zip.ZipFile;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.apache.poi.openxml4j.opc.internal.InvalidZipException;
 import org.apache.poi.util.Internal;
 import org.apache.poi.util.Removal;
 
@@ -205,6 +209,7 @@ public class ZipSecureFile extends ZipFi
     public ZipSecureFile(File file) throws IOException {
         super(file);
         this.fileName = file.getAbsolutePath();
+        validateEntryNames();
     }
 
     /**
@@ -214,6 +219,7 @@ public class ZipSecureFile extends ZipFi
     public ZipSecureFile(String name) throws IOException {
         super(name);
         this.fileName = new File(name).getAbsolutePath();
+        validateEntryNames();
     }
 
     /**
@@ -246,4 +252,16 @@ public class ZipSecureFile extends ZipFi
     public String getName() {
         return fileName;
     }
+
+    private void validateEntryNames() throws IOException {
+        Enumeration<ZipArchiveEntry> en = getEntries();
+        Set<String> filenames = new HashSet<>();
+        while (en.hasMoreElements()) {
+            String name = en.nextElement().getName();
+            if (filenames.contains(name)) {
+                throw new InvalidZipException("Input file contains more than 1 
entry with the name " + name);
+            }
+            filenames.add(name);
+        }
+    }
 }

Modified: 
poi/trunk/poi-ooxml/src/test/java/org/apache/poi/xssf/usermodel/TestXSSFWorkbook.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi-ooxml/src/test/java/org/apache/poi/xssf/usermodel/TestXSSFWorkbook.java?rev=1918800&r1=1918799&r2=1918800&view=diff
==============================================================================
--- 
poi/trunk/poi-ooxml/src/test/java/org/apache/poi/xssf/usermodel/TestXSSFWorkbook.java
 (original)
+++ 
poi/trunk/poi-ooxml/src/test/java/org/apache/poi/xssf/usermodel/TestXSSFWorkbook.java
 Mon Jul  1 21:36:31 2024
@@ -27,6 +27,7 @@ import org.apache.poi.hssf.HSSFTestDataS
 import org.apache.poi.ooxml.POIXMLProperties;
 import org.apache.poi.ooxml.TrackingInputStream;
 import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
+import org.apache.poi.openxml4j.exceptions.InvalidOperationException;
 import org.apache.poi.openxml4j.opc.ContentTypes;
 import org.apache.poi.openxml4j.opc.OPCPackage;
 import org.apache.poi.openxml4j.opc.PackageAccess;
@@ -1448,6 +1449,18 @@ public final class TestXSSFWorkbook exte
     }
 
     @Test
+    void testDuplicateFileReadAsFile() {
+        assertThrows(InvalidOperationException.class, () -> {
+            try (
+                    OPCPackage pkg = 
OPCPackage.open(getSampleFile("duplicate-file.xlsx"), PackageAccess.READ);
+                    XSSFWorkbook wb = new XSSFWorkbook(pkg)
+            ) {
+                // expect exception here
+            }
+        });
+    }
+
+    @Test
     void testWorkbookCloseClosesInputStream() throws Exception {
         try (TrackingInputStream stream = new TrackingInputStream(
                 HSSFTestDataSamples.openSampleFileStream("github-321.xlsx"))) {

Added: poi/trunk/test-data/spreadsheet/duplicate-file.xlsx
URL: 
http://svn.apache.org/viewvc/poi/trunk/test-data/spreadsheet/duplicate-file.xlsx?rev=1918800&view=auto
==============================================================================
Binary file - no diff available.

Propchange: poi/trunk/test-data/spreadsheet/duplicate-file.xlsx
------------------------------------------------------------------------------
--- svn:mime-type (added)
+++ svn:mime-type Mon Jul  1 21:36:31 2024
@@ -0,0 +1 @@
+application/vnd.openxmlformats-officedocument.spreadsheetml.sheet



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

svn commit: r1918800 - in /poi/trunk: poi-ooxml/src/main/java/org/apache/poi/openxml4j/opc/ poi-ooxml/src/main/java/org/apache/poi/openxml4j/opc/internal/ poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ poi-ooxml/src/test/java/org/apache/poi/xss...

Reply via email to