Java using Apache POI - Zip Bomb detected
Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you reuse it you must do so under the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/44897500/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Using apache poi - Zip Bomb detected
Asked by user3428736
When I am trying to write data to an Excel sheet using Apache POI, with more than 64000 records, where SXSSF is used, I am getting the below error:
Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data. This may indicate that the file is used to inflate memory usage and thus could pose a security risk. You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit. Counter: 820224, cis.counter: 8192, ratio: 0.009987515605493134
Limits: MIN_INFLATE_RATIO: 0.01
I found a solution stating that adding ZipSecureFile.setMinInflateRatio(0.009) fixes it, and I need to know why it is happening, what limit I need to provide for the above error, and where to add the solution. Reference for the solution: (How to determine if a Zip Bomb error thrown when retrieving an Excel files Styles Table is legitimate?)
Please let me know if there is any other solution for this.
Answered by Tung Nguyen
The workaround is to add this line before you open the workbook:
ZipSecureFile.setMinInflateRatio(0);
Answered by centic
"Zip bomb" is a term used for an attack vector where a small zip file expands to a very large uncompressed file and thus can cause issues like exhausting memory or disk space.
Usually such zips are created with the intent of causing a denial of service attack on systems that receive zip files from external sources.
As .xlsx files are actually zipped files which contain XML files, there is a chance of causing such a zip bomb vulnerability in POI.
In order to prevent this from happening, Apache POI has some safeguards built in and enabled by default. So if you create a file with unusual content, e.g. many rows/columns with the same content, you can run into these safeguards and receive the exception as shown above.
If you fully control the creation of the processed files, you can adjust the setting given in the error message to avoid the exception.
See https://bz.apache.org/bugzilla/show_bug.cgi?id=58499 for the related issue, and "Zip-bomb exception while writing a large formatted Excel (.xlsx)" and "How to determine if a Zip Bomb error thrown when retrieving an Excel files Styles Table is legitimate?" for similar discussions.
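The safeguard described in this answer is a JVM-wide static setting, so the practical question is where to relax it and how to keep the protection for everything else. The following is an added example, not code from the answers or from Apache POI; it assumes the POI 3.x/4.x API names ZipSecureFile.getMinInflateRatio/setMinInflateRatio, SXSSFWorkbook and WorkbookFactory, and the helper, class and file names are my own. It reproduces the question's scenario (tens of thousands of near-identical rows written with SXSSF, whose XML compresses below the default ratio of 0.01) and lowers the ratio only around the steps that handle that self-generated file, restoring the default afterwards; any value below the ratio reported in the message (0.00998) would do, 0.001 is used here for headroom.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import org.apache.poi.openxml4j.util.ZipSecureFile;
import org.apache.poi.ss.usermodel.Row;
import org.apache.poi.ss.usermodel.Sheet;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.ss.usermodel.WorkbookFactory;
import org.apache.poi.xssf.streaming.SXSSFWorkbook;

public class ZipBombSafeguardDemo {
    interface IoStep<T> { T run() throws IOException; }   // one step run under a relaxed ratio
    // The inflate ratio is a JVM-wide static: lower it only around the step that handles
    // our own trusted file and restore it in finally, so untrusted uploads keep the default.
    static <T> T withMinInflateRatio(double ratio, IoStep<T> step) throws IOException {
        double previous = ZipSecureFile.getMinInflateRatio();
        ZipSecureFile.setMinInflateRatio(ratio);
        try {
            return step.run();
        } finally {
            ZipSecureFile.setMinInflateRatio(previous);
        }
    }

    // Writes many near-identical rows with SXSSF. Such repetitive XML compresses below
    // 1 byte per 100 expanded bytes, which is what raises "Zip bomb detected!" above.
    static long writeRepetitiveWorkbook(File target, int rows) throws IOException {
        try (SXSSFWorkbook wb = new SXSSFWorkbook(100);       // 100 rows kept in memory
             OutputStream out = new FileOutputStream(target)) {
            Sheet sheet = wb.createSheet("data");
            for (int r = 0; r < rows; r++) {
                Row row = sheet.createRow(r);
                for (int c = 0; c < 10; c++) row.createCell(c).setCellValue("same value");
            }
            wb.write(out);
            wb.dispose();                                      // delete SXSSF temp files
        }
        return target.length();
    }

    public static void main(String[] args) throws IOException {
        File target = new File("repetitive.xlsx");             // constructed sample file
        long bytes = withMinInflateRatio(0.001, () -> writeRepetitiveWorkbook(target, 70_000));
        int rows = withMinInflateRatio(0.001, () -> {
            try (Workbook wb = WorkbookFactory.create(target)) { return wb.getSheetAt(0).getLastRowNum() + 1; }
        });
        System.out.println(bytes + " bytes on disk, " + rows + " rows read back");
    }
}
```

Calling ZipSecureFile.setMinInflateRatio(0) once at startup, as the first answer suggests, also works but disables the check for every workbook the JVM parses afterwards, including ones received from outside.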
Answered by IgnacioHR
You can avoid zip bomb issues by reading from an InputStream instead of reading from a File, like this:
import java.io.File;
import java.io.FileInputStream;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.ss.usermodel.WorkbookFactory;

Workbook wb;
File fp = new File(excelFile);
FileInputStream fpis = new FileInputStream(fp);
try {
    // the InputStream overload reads the whole package into memory instead of via ZipSecureFile
    wb = WorkbookFactory.create(fpis);
} finally {
    fpis.close();
}
But be aware that the documentation at WorkbookFactory.create(java.io.InputStream) says that "loading from an InputStream requires more memory than loading from a File".