commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dominik Stadler <>
Subject [compress] How to implement zip-bomb protection with Java 10
Date Sat, 31 Mar 2018 08:26:52 GMT


Apache POI is opening zip-files on a regular basis because Microsoft Excel/Word/... files
are zip-files in their newer format. In order to prevent some types of denial-of-service-attacks,
we have added functionality when opening Zip-files to not read files which expand a lot and
thus could be used to overwhelm the main memory by providing small malicious file which explodes
when uncompressed into memory. We call this zip-bomb protection.

Up to Java 9 we could use some workaround via reflection to inject a counting-InputStream
into ZipFile/ZipEntry to detect an explosion in expanded data and this way prevent zip-bombs.

However in Java 10 this is not possible any more because the implementation of ZipFile was
changed in a way that prevents this (hard cast to ZipFile$ZipFileInputStream in ZipFile).

So we are looking for a different way to count the number of extracted bytes while extracting
to be able to stop as soon as the compression ratio reaches a certain limit. 

Could we do this with Commons Compress? I.e. wrap the InputStreams with some counting so that
we can stop during extracting. 

Or does anybody know of a way to do zip-bomb-detection differently without resorting to reflection?

Thanks... Dominik.
Apache POI PMC/Comitter

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message