本文介绍在使用Apache POI处理Excel文件时遇到的Zip炸弹问题及其解决方案。Zip炸弹是一种小文件解压后体积膨胀极大的现象,可能导致内存溢出或系统崩溃。文章详细解释了如何通过调整ZipSecureFile.setMinInflateRatio()来规避这一风险。
异常信息:
Caused by: com.alibaba.excel.exception.ExcelAnalysisException: java.io.IOException: Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data.
This may indicate that the file is used to inflate memory usage and thus could pose a security risk.
You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit.
Uncompressed size: 741169, Raw/compressed size: 7411, ratio: 0.009999
Limits: MIN_INFLATE_RATIO: 0.010000, Entry: xl/drawings/drawing1.xml
at com.alibaba.excel.analysis.ExcelAnalyserImpl.<init>(ExcelAnalyserImpl.java:51)
at com.alibaba.excel.ExcelReader.<init>(ExcelReader.java:141)
at com.alibaba.excel.ExcelReader.<init>(ExcelReader.java:101)
at com.alibaba.excel.ExcelReader.<init>(ExcelReader.java:69)
at com.alibaba.excel.EasyExcelFactory.getReader(EasyExcelFactory.java:95)
at com.cy.tools.excel.EasyExcelHelper.readExcelByModelFromInputStream(EasyExcelHelper.java:294)
... 98 common frames omitted
Caused by: java.io.IOException: Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data.
This may indicate that the file is used to inflate memory usage and thus could pose a security risk.
You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit.
Uncompressed size: 741169, Raw/compressed size: 7411, ratio: 0.009999
Limits: MIN_INFLATE_RATIO: 0.010000, Entry: xl/drawings/drawing1.xml
at org.apache.poi.openxml4j.util.ZipArchiveThresholdInputStream.checkThreshold(ZipArchiveThresholdInputStream.java:132)
at org.apache.poi.openxml4j.util.ZipArchiveThresholdInputStream.read(ZipArchiveThresholdInputStream.java:82)
at org.apache.poi.util.IOUtils.toByteArray(IOUtils.java:182)
at org.apache.poi.util.IOUtils.toByteArray(IOUtils.java:149)
at org.apache.poi.openxml4j.util.ZipArchiveFakeEntry.<init>(ZipArchiveFakeEntry.java:47)
at org.apache.poi.openxml4j.util.ZipInputStreamZipEntrySource.<init>(ZipInputStreamZipEntrySource.java:53)
at org.apache.poi.openxml4j.opc.ZipPackage.<init>(ZipPackage.java:106)
at org.apache.poi.openxml4j.opc.OPCPackage.open(OPCPackage.java:307)
at com.alibaba.excel.analysis.v07.XlsxSaxAnalyser.readOpcPackage(XlsxSaxAnalyser.java:130)
at com.alibaba.excel.analysis.v07.XlsxSaxAnalyser.<init>(XlsxSaxAnalyser.java:58)
at com.alibaba.excel.analysis.ExcelAnalyserImpl.choiceExcelExecutor(ExcelAnalyserImpl.java:92)
at com.alibaba.excel.analysis.ExcelAnalyserImpl.<init>(ExcelAnalyserImpl.java:45)
... 103 common frames omitted
Using apache poi - Zip Bomb detected
Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data. This may indicate that the file is used to inflate memory usage and thus could pose a security risk. You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit. Counter: 820224, cis.counter: 8192, ratio: 0.009987515605493134Limits: MIN_INFLATE_RATIO: 0.01
解决方法是在打开工作簿之前添加以下行:
|
ZipSecureFile.setMinInflateRatio(0); |
" Zip炸弹"是一个用于攻击向量的术语,其中一个小的zip文件会扩展为一个非常大的未压缩文件,因此会引起诸如耗尽内存或磁盘空间等问题。
通常,创建此类zip的目的是在从外部来源接收zip文件的系统上引起拒绝服务攻击。
由于.xlsx文件实际上是包含XML文件的压缩文件,因此有可能在POI中引起这种zip bomb漏洞。
为了防止这种情况的发生,Apache POI内置了一些防护措施,并且默认情况下启用了这些防护措施。因此,如果您创建的文件包含异常内容,例如如果许多行/列具有相同的内容,则可以使用这些保护措施并收到上述异常。
如果完全控制已处理文件的创建,则可以调整错误消息中给出的设置以避免异常。
请参阅https://bz.apache.org/bugzilla/show_bug.cgi?id=58499,以获取相关问题和ZIp-bomb异常,同时编写较大格式的Excel(.xlsx),以及如何确定何时出现Zip Bomb错误检索Excel文件样式表是否合法?进行类似的讨论。
扫一扫
1352
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
