Using apache poi - Zip Bomb detected

隐瞒了意图╮ 2021-02-06 07:06

When I am trying to write data to an Excel sheet using Apache POI, where SXSSF is used and the sheet contains more than 64000 records, I am getting the below error:

3 answers
  • 2021-02-06 07:19

    The workaround is to add this line before you open the workbook:

    ZipSecureFile.setMinInflateRatio(0);
    
  • 2021-02-06 07:22

    You can avoid zip bomb issues by reading from an InputStream instead of from a File, like this:

    import java.io.File;
    import java.io.FileInputStream;
    import org.apache.poi.ss.usermodel.Workbook;
    import org.apache.poi.ss.usermodel.WorkbookFactory;

    File fp = new File(excelFile);
    FileInputStream fpis = new FileInputStream(fp);
    Workbook wb;
    try {
        // create(InputStream) buffers the whole file instead of random-accessing it
        wb = WorkbookFactory.create(fpis);
    } finally {
        fpis.close();
    }
    

    But be aware that the documentation at WorkbookFactory.create(java.io.InputStream) says that "loading from an InputStream requires more memory than loading from a File".

  • 2021-02-06 07:27

    "Zip bomb" is a term used for an attack vector where a small zip file expands to a very large uncompressed file and thus can cause issues like exhausting memory or disk space.

    Usually such zips are created with the intent of causing a denial of service attack on systems that receive zip files from external sources.

    As .xlsx files are actually zipped files which contain XML files, there is a chance of causing such a zip bomb vulnerability in POI.

    In order to prevent this from happening, Apache POI has some safeguards built in and enabled by default. So if you create a file with unusual content, e.g. many rows/columns with the same content, you can run into these safeguards and receive the exception as shown above.

    If you fully control the creation of the processed files, you can adjust the setting given in the error message to avoid the exception.

    See https://bz.apache.org/bugzilla/show_bug.cgi?id=58499 for the related issue, and "Zip-bomb exception while writing a large formatted Excel (.xlsx)" and "How to determine if a Zip Bomb error thrown when retrieving an Excel files Styles Table is legitimate?" for similar discussions.

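The first answer's `ZipSecureFile.setMinInflateRatio(0)` switches the inflate-ratio safeguard off for the whole JVM, which is fine for files the application generated itself but removes the protection the third answer describes for any file that arrives from outside. The following Java class is an added example, not code from the thread or from Apache POI: it relaxes the thresholds to a lower but non-zero ratio only for the duration of one trusted read, restores the previous values afterwards, and keeps the POI defaults for untrusted input. The class name, the method names and the threshold constants are assumptions chosen for this example; `ZipSecureFile.getMinInflateRatio()`, `setMinInflateRatio()`, `getMaxEntrySize()`, `setMaxEntrySize()` and `WorkbookFactory.create(File)` are real POI APIs.

```java
import java.io.File;
import java.io.IOException;
import java.util.concurrent.Callable;

import org.apache.poi.openxml4j.util.ZipSecureFile;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.ss.usermodel.WorkbookFactory;

/**
 * Added example (not from the thread or from Apache POI): scope a relaxed
 * zip-bomb threshold to files the application produced itself, and restore
 * the previous ZipSecureFile settings afterwards so that untrusted uploads
 * are still checked with the defaults.
 */
public final class TrustedWorkbookReader {

    // Hypothetical values chosen for this example, not taken from the thread.
    // POI's default minimum inflate ratio is 0.01 (100:1); 0.001 allows 1000:1
    // without disabling the check entirely, as setMinInflateRatio(0) would.
    private static final double TRUSTED_MIN_INFLATE_RATIO = 0.001;
    // Cap on the uncompressed size of a single zip entry (2 GiB here).
    private static final long TRUSTED_MAX_ENTRY_SIZE = 2L * 1024 * 1024 * 1024;

    private TrustedWorkbookReader() {
    }

    /**
     * Runs {@code action} with relaxed thresholds, then restores the previous
     * settings in a finally block. The ZipSecureFile settings are static
     * (JVM-wide), so the caller must make sure no untrusted file is being
     * parsed on another thread while this runs.
     */
    public static <T> T withRelaxedLimits(Callable<T> action) throws Exception {
        double previousRatio = ZipSecureFile.getMinInflateRatio();
        long previousMaxEntry = ZipSecureFile.getMaxEntrySize();
        ZipSecureFile.setMinInflateRatio(TRUSTED_MIN_INFLATE_RATIO);
        ZipSecureFile.setMaxEntrySize(TRUSTED_MAX_ENTRY_SIZE);
        try {
            return action.call();
        } finally {
            ZipSecureFile.setMinInflateRatio(previousRatio);
            ZipSecureFile.setMaxEntrySize(previousMaxEntry);
        }
    }

    /** Counts the rows of a workbook the application wrote itself (e.g. with SXSSF). */
    public static int countRowsInTrustedFile(File file) throws Exception {
        return withRelaxedLimits(() -> {
            try (Workbook wb = WorkbookFactory.create(file)) {
                return wb.getSheetAt(0).getPhysicalNumberOfRows();
            }
        });
    }

    /** Counts the rows of a workbook from an untrusted source with the POI defaults untouched. */
    public static int countRowsInUntrustedFile(File file) throws IOException {
        try (Workbook wb = WorkbookFactory.create(file)) {
            return wb.getSheetAt(0).getPhysicalNumberOfRows();
        }
    }

    // Usage: java TrustedWorkbookReader /path/to/self-generated.xlsx
    public static void main(String[] args) throws Exception {
        File trusted = new File(args[0]);
        System.out.println("rows in trusted file: " + countRowsInTrustedFile(trusted));
    }
}
```

Because the thresholds are process-wide statics, the relaxed window should be as short as possible and never wrap code that also opens files received from external sources; if a repetitive self-generated sheet still trips the check at 1000:1, raise the allowance for that one file rather than setting the ratio to 0 globally.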