Just a short update on this - I've provided a patch for POI to use commons compress  So now we can focus on how the zip bomb handling can be provided by commons compress, i.e. as you already have mentioned with "InputStream will be a FooInputStream", some kind of interface which the InputStream can be cast to, to request further compression ratio stats, is what I have in mind.
I think this pull mechanism is easier from user perspective than registering a progress handler or getting the meta data pushed by a callback. Andi.  https://bz.apache.org/bugzilla/show_bug.cgi?id=62187
Description: OpenPGP digital signature