https://bz.apache.org/bugzilla/show_bug.cgi?id=62201

            Bug ID: 62201
           Summary: Zip Bomb ratio: Fail fast and/or round the ratio
                    before comparison
           Product: POI
           Version: unspecified
          Hardware: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: XSSF
          Assignee: dev@poi.apache.org
          Reporter: grape...@gmail.com
  Target Milestone: ---

Created attachment 35793
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35793&action=edit
Stack trace from zip bomb failure

I updated from POI 3.9 to 3.16. My customers are now reporting issues with an
inability to read Excel files due to the zip bomb fix. In all instances, our
software is able to open the file (new XSSFReader(OPCPackage.open(file))) and
read the sheets
(XSSFReader.getSheetsData.asInstanceOf[XSSFReader.SheetIterator]) without
receiving an exception.

The "Zip Bomb" exception appears to occur when we attempt to call
XSSFReader.getStylesTable().

The ultimate error message:
>java.io.IOException: Zip bomb detected! The file would exceed the max. ratio 
>of compressed file size to the size of the expanded data. This may indicate 
>that the file is used to inflate memory usage and thus could pose a security 
>risk. You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you 
>need to work with files which exceed this limit. Counter: 3277797, 
>cis.counter: 32768, ratio: 0.009996958322922377 Limits: MIN_INFLATE_RATIO: 0.01

Options:
1. Fail faster?
Would it be beneficial to fail with the Zip Bomb error when instantiating the
XSSFReader, through a validation step, rather than waiting until we try to access
some of the embedded data? This is certainly an unexpected issue since our
upgrade to 3.16.

2. Round the calculated compression ratio
In every customer-reported situation we've identified the following case:
ratio: 0.00999.... Limits: MIN_INFLATE_RATIO: 0.01
Should we be rounding the calculated compression ratio (0.0099...) to 2 decimal
places? Would that reduce the security of this?

Exception: attached
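The arithmetic behind the ratio check and what the proposed rounding would change, as an added example written for this page (it is not POI's code and does not call the POI library). The byte counts are the ones quoted in the exception message above; that the ratio is cis.counter divided by Counter (compressed over expanded bytes) is an assumption read off that message.

```python
from decimal import Decimal, ROUND_HALF_UP

MIN_INFLATE_RATIO = 0.01  # POI default quoted in the message: compressed/expanded >= 1:100

# Byte counts quoted in the exception message in this report (assumed meaning:
# "Counter" = bytes produced by inflating, "cis.counter" = compressed bytes read).
REPORTED_EXPANDED = 3277797
REPORTED_COMPRESSED = 32768


def inflate_ratio(compressed_bytes: int, expanded_bytes: int) -> float:
    """Ratio the message reports: compressed size over expanded size."""
    return compressed_bytes / expanded_bytes


def check_exact(compressed_bytes: int, expanded_bytes: int,
                min_ratio: float = MIN_INFLATE_RATIO) -> bool:
    """Comparison as reported: exact ratio against the limit. True = entry accepted."""
    return inflate_ratio(compressed_bytes, expanded_bytes) >= min_ratio


def check_rounded(compressed_bytes: int, expanded_bytes: int,
                  min_ratio: float = MIN_INFLATE_RATIO, places: int = 2) -> bool:
    """Reporter's proposal: round the ratio to `places` decimals, then compare."""
    ratio = Decimal(compressed_bytes) / Decimal(expanded_bytes)
    rounded = ratio.quantize(Decimal(10) ** -places, rounding=ROUND_HALF_UP)
    return rounded >= Decimal(str(min_ratio))


def effective_threshold(min_ratio: float = MIN_INFLATE_RATIO, places: int = 2) -> float:
    """Smallest exact ratio the rounded check still accepts: anything at or above
    half a unit in the last kept decimal place rounds up to min_ratio."""
    return min_ratio - 0.5 * 10 ** -places


def max_accepted_expansion(compressed_bytes: int, min_ratio: float) -> int:
    """Largest expanded size a given threshold allows for this many compressed bytes."""
    return int(Decimal(compressed_bytes) / Decimal(str(min_ratio)))


if __name__ == "__main__":
    r = inflate_ratio(REPORTED_COMPRESSED, REPORTED_EXPANDED)
    print(f"exact ratio {r:.6f}: accepted={check_exact(REPORTED_COMPRESSED, REPORTED_EXPANDED)}")
    print(f"rounded to 2 places: accepted={check_rounded(REPORTED_COMPRESSED, REPORTED_EXPANDED)}")
    limit = max_accepted_expansion(REPORTED_COMPRESSED, MIN_INFLATE_RATIO)
    print(f"exact limit allows {limit} bytes; this file expanded {REPORTED_EXPANDED - limit} bytes past it")
    eff = effective_threshold()
    print(f"rounding is equivalent to setMinInflateRatio({eff}), i.e. a 1:{round(1 / eff)} limit")
```

Rounding to two places accepts every exact ratio down to 0.005, so it is the same policy as lowering the limit to 1:200; if that is the intended trade-off, setting it explicitly through ZipSecureFile.setMinInflateRatio(), as the message suggests, states the policy rather than hiding it in rounding.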
