Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to detect a zip-bomb with Java 10

Apache POI is opening zip-files on a regular basis because Microsoft Excel/Word/... files are zip-files in their newer format. In order to prevent some types of denial-of-service-attacks, it has functionality when opening Zip-files to not read files which expand a lot and thus could be used to overwhelm the main memory by providing a small malicious file which explodes when uncompressed into memory. Apache POI calls this zip-bomb-protection.

Up to Java 9 it could use some workaround via reflection to inject a counting-InputStream into ZipFile/ZipEntry to detect an explosion in expanded data and this way prevent zip-bombs.

However in Java 10 this is not possible any more because the implementation of ZipFile was changed in a way that prevents this (hard cast to ZipFile$ZipFileInputStream in ZipFile).

So we are looking for a different way to count the number of extracted bytes during extracting to be able to stop as soon as the compression ratio reaches a certain limit.

Is there a way to do zip-bomb-detection differently without resorting to reflection?

like image 462
centic Avatar asked Mar 31 '18 08:03

centic


1 Answers

After some investigation we used zip-functionality from Apache commons-compress, which allows to perform this kind of check without having to resort to reflection, so we now can do these checks with any version of Java.

Look at https://github.com/apache/poi/tree/trunk/src/ooxml/java/org/apache/poi/openxml4j/util for the resulting implementation in Apache POI, especially ZipArchiveThresholdInputStream.

like image 153
centic Avatar answered Oct 06 '22 00:10

centic