问题
Apache POI is opening zip-files on a regular basis because Microsoft Excel/Word/... files are zip-files in their newer format. In order to prevent some types of denial-of-service-attacks, it has functionality when opening Zip-files to not read files which expand a lot and thus could be used to overwhelm the main memory by providing a small malicious file which explodes when uncompressed into memory. Apache POI calls this zip-bomb-protection.
Up to Java 9 it could use some workaround via reflection to inject a counting-InputStream into ZipFile/ZipEntry to detect an explosion in expanded data and this way prevent zip-bombs.
However in Java 10 this is not possible any more because the implementation of ZipFile was changed in a way that prevents this (hard cast to ZipFile$ZipFileInputStream in ZipFile).
So we are looking for a different way to count the number of extracted bytes during extracting to be able to stop as soon as the compression ratio reaches a certain limit.
Is there a way to do zip-bomb-detection differently without resorting to reflection?
回答1:
I can't imagine why you needed a reflection/injection hack in the first place. You seem to pass not a filename but some instance like zipfile or zipinputstream.
If you have a file (or can save to a file first), then you can first check the zip file entries sizes (not even decompressing) before handing it to the vulnerable library. Even if you needed to pass a zipfie, you could extend the zipfile class to proxy calls.
If you have zip stream and really cannot temp-save to disk and must read as a zipinputstream somehow, then override methods of zipinputstream (getnextentry, read, etc).
回答2:
After some investigation we used zip-functionality from Apache commons-compress, which allows to perform this kind of check without having to resort to reflection, so we now can do these checks with any version of Java.
Look at https://github.com/apache/poi/tree/trunk/src/ooxml/java/org/apache/poi/openxml4j/util for the resulting implementation in Apache POI, especially ZipArchiveThresholdInputStream.
来源:https://stackoverflow.com/questions/49585900/how-to-detect-a-zip-bomb-with-java-10