Test for another type of xml-bomb

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1790473 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Dominik Stadler 2017-04-06 21:50:03 +00:00
parent 0f193371ea
commit 77614b8c49
5 changed files with 62 additions and 54 deletions

View File

@ -282,6 +282,7 @@ public class TestAllFiles {
"poifs/unknown_properties.msg", // POIFS properties corrupted "poifs/unknown_properties.msg", // POIFS properties corrupted
"poifs/only-zero-byte-streams.ole2", // No actual contents "poifs/only-zero-byte-streams.ole2", // No actual contents
"spreadsheet/poc-xmlbomb.xlsx", // contains xml-entity-expansion "spreadsheet/poc-xmlbomb.xlsx", // contains xml-entity-expansion
"spreadsheet/poc-xmlbomb-empty.xlsx", // contains xml-entity-expansion
"spreadsheet/poc-shared-strings.xlsx", // contains shared-string-entity-expansion "spreadsheet/poc-shared-strings.xlsx", // contains shared-string-entity-expansion
"spreadsheet/60255_extra_drawingparts.xlsx", // Non-drawing drawing "spreadsheet/60255_extra_drawingparts.xlsx", // Non-drawing drawing

View File

@ -129,6 +129,7 @@ public class XSSFFileHandler extends SpreadsheetHandler {
EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/54764-2.xlsx"); EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/54764-2.xlsx");
EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/54764.xlsx"); EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/54764.xlsx");
EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/poc-xmlbomb.xlsx"); EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/poc-xmlbomb.xlsx");
EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/poc-xmlbomb-empty.xlsx");
// strict OOXML // strict OOXML
EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/57914.xlsx"); EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/57914.xlsx");
EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/SampleSS.strict.xlsx"); EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/SampleSS.strict.xlsx");

View File

@ -957,6 +957,7 @@ public class TestExtractorFactory {
"poifs/unknown_properties.msg", // POIFS properties corrupted "poifs/unknown_properties.msg", // POIFS properties corrupted
"poifs/only-zero-byte-streams.ole2", // No actual contents "poifs/only-zero-byte-streams.ole2", // No actual contents
"spreadsheet/poc-xmlbomb.xlsx", // contains xml-entity-expansion "spreadsheet/poc-xmlbomb.xlsx", // contains xml-entity-expansion
"spreadsheet/poc-xmlbomb-empty.xlsx", // contains xml-entity-expansion
"spreadsheet/poc-shared-strings.xlsx", // contains shared-string-entity-expansion "spreadsheet/poc-shared-strings.xlsx", // contains shared-string-entity-expansion
// old Excel files, which we only support simple text extraction of // old Excel files, which we only support simple text extraction of

View File

@ -17,21 +17,29 @@
package org.apache.poi.openxml4j.opc; package org.apache.poi.openxml4j.opc;
import static org.junit.Assert.assertEquals; import org.apache.poi.*;
import static org.junit.Assert.assertFalse; import org.apache.poi.extractor.ExtractorFactory;
import static org.junit.Assert.assertNotNull; import org.apache.poi.hssf.HSSFTestDataSamples;
import static org.junit.Assert.assertNull; import org.apache.poi.openxml4j.OpenXML4JTestDataSamples;
import static org.junit.Assert.assertTrue; import org.apache.poi.openxml4j.exceptions.*;
import static org.junit.Assert.fail; import org.apache.poi.openxml4j.opc.internal.ContentTypeManager;
import org.apache.poi.openxml4j.opc.internal.FileHelper;
import org.apache.poi.openxml4j.opc.internal.PackagePropertiesPart;
import org.apache.poi.openxml4j.opc.internal.ZipHelper;
import org.apache.poi.openxml4j.util.ZipSecureFile;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.ss.usermodel.WorkbookFactory;
import org.apache.poi.util.*;
import org.apache.poi.xssf.XSSFTestDataSamples;
import org.apache.xmlbeans.XmlException;
import org.junit.Ignore;
import org.junit.Test;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
import java.io.ByteArrayInputStream; import java.io.*;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.lang.reflect.InvocationTargetException; import java.lang.reflect.InvocationTargetException;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
@ -44,35 +52,7 @@ import java.util.zip.ZipEntry;
import java.util.zip.ZipFile; import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream; import java.util.zip.ZipOutputStream;
import org.apache.poi.EncryptedDocumentException; import static org.junit.Assert.*;
import org.apache.poi.POIDataSamples;
import org.apache.poi.POITestCase;
import org.apache.poi.POIXMLException;
import org.apache.poi.UnsupportedFileFormatException;
import org.apache.poi.openxml4j.OpenXML4JTestDataSamples;
import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
import org.apache.poi.openxml4j.exceptions.InvalidOperationException;
import org.apache.poi.openxml4j.exceptions.NotOfficeXmlFileException;
import org.apache.poi.openxml4j.exceptions.ODFNotOfficeXmlFileException;
import org.apache.poi.openxml4j.exceptions.OLE2NotOfficeXmlFileException;
import org.apache.poi.openxml4j.opc.internal.ContentTypeManager;
import org.apache.poi.openxml4j.opc.internal.FileHelper;
import org.apache.poi.openxml4j.opc.internal.PackagePropertiesPart;
import org.apache.poi.openxml4j.opc.internal.ZipHelper;
import org.apache.poi.openxml4j.util.ZipSecureFile;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.ss.usermodel.WorkbookFactory;
import org.apache.poi.util.DocumentHelper;
import org.apache.poi.util.IOUtils;
import org.apache.poi.util.POILogFactory;
import org.apache.poi.util.POILogger;
import org.apache.poi.util.TempFile;
import org.junit.Ignore;
import org.junit.Test;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
public final class TestPackage { public final class TestPackage {
private static final POILogger logger = POILogFactory.getLogger(TestPackage.class); private static final POILogger logger = POILogFactory.getLogger(TestPackage.class);
@ -103,10 +83,6 @@ public final class TestPackage {
/** /**
* Test that when we create a new Package, we give it * Test that when we create a new Package, we give it
* the correct default content types * the correct default content types
* @throws IllegalAccessException
* @throws NoSuchFieldException
* @throws IllegalArgumentException
* @throws SecurityException
*/ */
@Test @Test
public void createGetsContentTypes() public void createGetsContentTypes()
@ -195,7 +171,6 @@ public final class TestPackage {
* Tests that we can create a new package, add a core * Tests that we can create a new package, add a core
* document and another part, save and re-load and * document and another part, save and re-load and
* have everything setup as expected * have everything setup as expected
* @throws SAXException
*/ */
@Test @Test
public void createPackageWithCoreDocument() throws IOException, InvalidFormatException, URISyntaxException, SAXException { public void createPackageWithCoreDocument() throws IOException, InvalidFormatException, URISyntaxException, SAXException {
@ -410,7 +385,6 @@ public final class TestPackage {
/** /**
* TODO: fix and enable * TODO: fix and enable
* @throws URISyntaxException
*/ */
@Test @Test
@Ignore @Ignore
@ -837,8 +811,37 @@ public final class TestPackage {
} }
@Test @Test
public void zipBombCheckSizes() public void zipBombSampleFiles() throws IOException, OpenXML4JException, XmlException {
throws IOException, EncryptedDocumentException, InvalidFormatException { openZipBombFile("poc-shared-strings.xlsx");
openZipBombFile("poc-xmlbomb.xlsx");
openZipBombFile("poc-xmlbomb-empty.xlsx");
}
private void openZipBombFile(String file) throws IOException, OpenXML4JException, XmlException {
try {
Workbook wb = XSSFTestDataSamples.openSampleWorkbook(file);
wb.close();
POITextExtractor extractor = ExtractorFactory.createExtractor(HSSFTestDataSamples.getSampleFile("poc-shared-strings.xlsx"));
try {
assertNotNull(extractor);
extractor.getText();
} finally {
extractor.close();
}
fail("Should catch an exception because of a ZipBomb");
} catch (IllegalStateException e) {
if(!e.getMessage().contains("The text would exceed the max allowed overall size of extracted text.")) {
throw e;
}
} catch (POIXMLException e) {
checkForZipBombException(e);
}
}
@Test
public void zipBombCheckSizes() throws IOException, EncryptedDocumentException, InvalidFormatException {
File file = OpenXML4JTestDataSamples.getSampleFile("sample.xlsx"); File file = OpenXML4JTestDataSamples.getSampleFile("sample.xlsx");
try { try {
@ -897,13 +900,15 @@ public final class TestPackage {
if(e instanceof InvocationTargetException) { if(e instanceof InvocationTargetException) {
InvocationTargetException t = (InvocationTargetException)e; InvocationTargetException t = (InvocationTargetException)e;
IOException t2 = (IOException)t.getTargetException(); IOException t2 = (IOException)t.getTargetException();
if(t2.getMessage().startsWith("Zip bomb detected!")) { if(t2.getMessage().startsWith("Zip bomb detected!") ||
t2.getMessage().startsWith("The parser has encountered more than \"4,096\" entity expansions in this document;")) {
return; return;
} }
} }
String msg = e.getMessage(); String msg = e.getMessage();
if(msg != null && msg.startsWith("Zip bomb detected!")) { if(msg != null && (msg.startsWith("Zip bomb detected!") ||
msg.startsWith("The parser has encountered more than \"4,096\" entity expansions in this document;"))) {
return; return;
} }

Binary file not shown.