 

Using Apache POI - Zip Bomb detected

When I am trying to write data to an Excel sheet, using Apache POI which contains more than 64000 records, where SXSSF is used, I am getting the below error:

Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data. This may indicate that the file is used to inflate memory usage and thus could pose a security risk. You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit. Counter: 820224, cis.counter: 8192, ratio: 0.009987515605493134Limits: MIN_INFLATE_RATIO: 0.01

I found a solution that says to add ZipSecureFile.setMinInflateRatio(0.009), but why is it happening, and what limit do I need to provide for the above error? And where should I add the solution?

Reference for the solution: How can I determine if a Zip Bomb error thrown when retrieving an Excel files Styles Table is legitimate?

Is there another solution for this?

user3428736 asked Jul 04 '17 05:07



2 Answers

The workaround is to add this line before you open the workbook:

import org.apache.poi.openxml4j.util.ZipSecureFile;

// 0 means no minimum compressed/uncompressed ratio is enforced; the setting is
// static (JVM-wide) and must be applied before the workbook is opened or written.
ZipSecureFile.setMinInflateRatio(0);
Tung Nguyen answered Sep 18 '22 17:09


"Zip bomb" is a term used for an attack vector where a small zip file expands to a very large uncompressed file and thus can cause issues like exhausting memory or disk space.

Usually such zips are created with the intent of causing a denial of service attack on systems that receive zip files from external sources.

As .xlsx files are actually zipped files which contain XML files, there is a chance of causing such a zip bomb vulnerability in POI.

In order to prevent this from happening, Apache POI has some safeguards built in and enabled by default. So if you create a file with unusual content, e.g. many rows/columns with the same content, you can run into these safeguards and receive the exception as shown above.

If you fully control the creation of the processed files, you can adjust the setting given in the error message to avoid the exception.

See https://bz.apache.org/bugzilla/show_bug.cgi?id=58499 for the related issue, and Zip-bomb exception while writing a large formatted Excel (.xlsx) and How to determine if a Zip Bomb error thrown when retrieving an Excel files Styles Table is legitimate? for similar discussions.

centic answered Sep 20 '22 17:09
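As an added example (not code from either answer or from Apache POI), a small Java program that measures the real compressed/uncompressed ratio of every entry in a generated .xlsx with java.util.zip, so the limit can be set just below what your own files actually need instead of switching the check off with 0, and that scopes the override to a single workbook open. It assumes POI's static ZipSecureFile.getMinInflateRatio()/setMinInflateRatio(double), a file path passed as the first argument, and that the check fires while the workbook is being parsed; the class and method names are mine.

```java
import java.io.File;
import java.io.IOException;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import org.apache.poi.openxml4j.util.ZipSecureFile;
import org.apache.poi.xssf.usermodel.XSSFWorkbook;

public class InflateRatioCheck {
    /** Smallest compressed/uncompressed ratio over the entries of an .xlsx (a plain zip). */
    public static double minEntryRatio(File xlsx) throws IOException {
        double min = Double.MAX_VALUE;
        try (ZipFile zip = new ZipFile(xlsx)) {
            Enumeration<? extends ZipEntry> entries = zip.entries();
            while (entries.hasMoreElements()) {
                ZipEntry e = entries.nextElement();
                if (e.isDirectory() || e.getSize() <= 0) {
                    continue; // no data, or uncompressed size unknown (-1)
                }
                double ratio = (double) e.getCompressedSize() / e.getSize();
                System.out.printf("%-35s %10d -> %12d  ratio %.6f%n", e.getName(), e.getCompressedSize(), e.getSize(), ratio);
                min = Math.min(min, ratio);
            }
        }
        return min;
    }

    /** Open one workbook under a lowered limit and restore the process-wide default afterwards. */
    public static XSSFWorkbook openWithMinRatio(File xlsx, double ratio) throws Exception {
        double previous = ZipSecureFile.getMinInflateRatio(); // static, shared by the whole JVM
        ZipSecureFile.setMinInflateRatio(ratio);
        try {
            return new XSSFWorkbook(xlsx); // parts are inflated (and ratio-checked) while parsing
        } finally {
            ZipSecureFile.setMinInflateRatio(previous);
        }
    }

    public static void main(String[] args) throws Exception {
        File xlsx = new File(args[0]);
        double observed = minEntryRatio(xlsx);
        // Leave headroom below the observed minimum, but never fall back to 0 (check disabled).
        double limit = Math.min(ZipSecureFile.getMinInflateRatio(), observed * 0.5);
        System.out.printf("observed min ratio %.6f, using limit %.6f%n", observed, limit);
        try (XSSFWorkbook wb = openWithMinRatio(xlsx, limit)) {
            System.out.println("sheets: " + wb.getNumberOfSheets());
        }
    }
}
```

For the SXSSF write in the question the same static setting applies, so the setMinInflateRatio call goes before workbook.write(...) rather than before an open.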