Apache POI: fixing the "Zip bomb detected" error

Exception output:

Caused by: com.alibaba.excel.exception.ExcelAnalysisException: java.io.IOException: Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data.
This may indicate that the file is used to inflate memory usage and thus could pose a security risk.
You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit.
Uncompressed size: 741169, Raw/compressed size: 7411, ratio: 0.009999
Limits: MIN_INFLATE_RATIO: 0.010000, Entry: xl/drawings/drawing1.xml
        at com.alibaba.excel.analysis.ExcelAnalyserImpl.<init>(ExcelAnalyserImpl.java:51)
        at com.alibaba.excel.ExcelReader.<init>(ExcelReader.java:141)
        at com.alibaba.excel.ExcelReader.<init>(ExcelReader.java:101)
        at com.alibaba.excel.ExcelReader.<init>(ExcelReader.java:69)
        at com.alibaba.excel.EasyExcelFactory.getReader(EasyExcelFactory.java:95)
        at com.cy.tools.excel.EasyExcelHelper.readExcelByModelFromInputStream(EasyExcelHelper.java:294)
        ... 98 common frames omitted
Caused by: java.io.IOException: Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data.
This may indicate that the file is used to inflate memory usage and thus could pose a security risk.
You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit.
Uncompressed size: 741169, Raw/compressed size: 7411, ratio: 0.009999
Limits: MIN_INFLATE_RATIO: 0.010000, Entry: xl/drawings/drawing1.xml
        at org.apache.poi.openxml4j.util.ZipArchiveThresholdInputStream.checkThreshold(ZipArchiveThresholdInputStream.java:132)
        at org.apache.poi.openxml4j.util.ZipArchiveThresholdInputStream.read(ZipArchiveThresholdInputStream.java:82)
        at org.apache.poi.util.IOUtils.toByteArray(IOUtils.java:182)
        at org.apache.poi.util.IOUtils.toByteArray(IOUtils.java:149)
        at org.apache.poi.openxml4j.util.ZipArchiveFakeEntry.<init>(ZipArchiveFakeEntry.java:47)
        at org.apache.poi.openxml4j.util.ZipInputStreamZipEntrySource.<init>(ZipInputStreamZipEntrySource.java:53)
        at org.apache.poi.openxml4j.opc.ZipPackage.<init>(ZipPackage.java:106)
        at org.apache.poi.openxml4j.opc.OPCPackage.open(OPCPackage.java:307)
        at com.alibaba.excel.analysis.v07.XlsxSaxAnalyser.readOpcPackage(XlsxSaxAnalyser.java:130)
        at com.alibaba.excel.analysis.v07.XlsxSaxAnalyser.<init>(XlsxSaxAnalyser.java:58)
        at com.alibaba.excel.analysis.ExcelAnalyserImpl.choiceExcelExecutor(ExcelAnalyserImpl.java:92)
        at com.alibaba.excel.analysis.ExcelAnalyserImpl.<init>(ExcelAnalyserImpl.java:45)
        ... 103 common frames omitted

Using apache poi - Zip Bomb detected

Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data. This may indicate that the file is used to inflate memory usage and thus could pose a security risk. You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit. Counter: 820224, cis.counter: 8192, ratio: 0.009987515605493134Limits: MIN_INFLATE_RATIO: 0.01

The workaround is to add the following line before opening the workbook:

ZipSecureFile.setMinInflateRatio(0);

 

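"Zip bomb" is the term for an attack vector in which a small zip file expands into a very large uncompressed file, causing problems such as exhausting memory or disk space.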

Such zips are usually created to cause a denial of service on systems that accept zip files from external sources.

Because .xlsx files are really zip archives containing XML files, POI is exposed to this kind of zip bomb vulnerability.

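To prevent this, Apache POI has safeguards built in, and they are enabled by default. As a result, if you create a file with unusual content, for example many rows/columns with identical content, you can trip these safeguards and receive the exception above.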

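If you fully control the creation of the files being processed, you can adjust the setting named in the error message to avoid the exception.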
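An added example, not code from the original post or from the POI project: instead of setting the ratio to 0, which switches the check off, it lowers the ratio to a non-zero floor, keeps an absolute per-entry cap, and pre-scans a file by counting the bytes actually inflated. The class name `XlsxInflateGuard` and the three limits are assumptions made for illustration; the only POI calls used are `ZipSecureFile.setMinInflateRatio` and `ZipSecureFile.setMaxEntrySize`.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import org.apache.poi.openxml4j.util.ZipSecureFile;

public final class XlsxInflateGuard {
    // Assumed limits for this example; size them to the workbooks you really expect.
    static final long MAX_ENTRY_BYTES = 64L * 1024 * 1024;   // inflated bytes per entry
    static final long MAX_TOTAL_BYTES = 256L * 1024 * 1024;  // inflated bytes per file
    static final double MIN_RATIO = 0.002;                   // relaxed from 0.01, never 0

    /** Call once at startup: ZipSecureFile settings are static and apply JVM-wide. */
    static void configurePoi() {
        ZipSecureFile.setMinInflateRatio(MIN_RATIO);
        ZipSecureFile.setMaxEntrySize(MAX_ENTRY_BYTES);
    }

    /** Inflates every entry under hard caps, counting real bytes rather than declared sizes. */
    static double smallestRatio(File xlsx) throws IOException {
        double smallest = 1.0;
        long total = 0;
        byte[] buf = new byte[8192];
        try (ZipFile zip = new ZipFile(xlsx)) {
            for (ZipEntry entry : Collections.list(zip.entries())) {
                long inflated = 0;
                try (InputStream in = zip.getInputStream(entry)) {
                    for (int n; (n = in.read(buf)) > 0; ) {
                        inflated += n; total += n;
                        if (inflated > MAX_ENTRY_BYTES || total > MAX_TOTAL_BYTES) {
                            throw new IOException("inflated size cap hit at " + entry.getName());
                        }
                    }
                }
                if (inflated > 0 && entry.getCompressedSize() > 0) {
                    smallest = Math.min(smallest, (double) entry.getCompressedSize() / inflated);
                }
            }
        }
        return smallest;
    }

    public static void main(String[] args) throws IOException {
        configurePoi();
        double r = smallestRatio(new File(args[0]));
        System.out.println("smallest ratio " + r + (r < MIN_RATIO ? " -> reject" : " -> ok for POI"));
    }
}
```

Run against the workbook from the stack trace above, the scan would report a ratio near 0.01 for `xl/drawings/drawing1.xml`, which shows how little the default needs to be relaxed for that file.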

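See https://bz.apache.org/bugzilla/show_bug.cgi?id=58499 for a related issue, and "Zip-bomb exception while writing a large formatted Excel (.xlsx)" and "How to determine if a Zip Bomb error thrown when retrieving an Excel file's Styles Table is legitimate?" for similar discussions.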
