How to detect a zip-bomb with Java 10

Question

Apache POI is opening zip-files on a regular basis because Microsoft Excel/Word/... files are zip-files in their newer format. In order to prevent some types of denial-of-service-attacks, it has functionality when opening Zip-files to not read files which expand a lot and thus could be used to overwhelm the main memory by providing a small malicious file which explodes when uncompressed into memory. Apache POI calls this zip-bomb-protection.

Up to Java 9 it could use some workaround via reflection to inject a counting-InputStream into ZipFile/ZipEntry to detect an explosion in expanded data and this way prevent zip-bombs.

However in Java 10 this is not possible any more because the implementation of ZipFile was changed in a way that prevents this (hard cast to ZipFile$ZipFileInputStream in ZipFile).

So we are looking for a different way to count the number of extracted bytes during extracting to be able to stop as soon as the compression ratio reaches a certain limit.

Is there a way to do zip-bomb-detection differently without resorting to reflection?

Answer 1

After some investigation we used zip-functionality from Apache commons-compress, which allows to perform this kind of check without having to resort to reflection, so we now can do these checks with any version of Java.

Look at https://github.com/apache/poi/tree/trunk/src/ooxml/java/org/apache/poi/openxml4j/util for the resulting implementation in Apache POI, especially ZipArchiveThresholdInputStream.