Class ZipSecureFile

  • All Implemented Interfaces:
    java.io.Closeable, java.lang.AutoCloseable

    public class ZipSecureFile
    extends org.apache.commons.compress.archivers.zip.ZipFile
    This class wraps a ZipFile in order to check the entries for zip bombs while reading the archive.

    The alert limits can be globally defined via setMaxEntrySize(long) and setMinInflateRatio(double).

    • Constructor Summary

      Constructors 
      Constructor Description
      ZipSecureFile(java.io.File file)
      ZipSecureFile(java.lang.String name)
    • Method Summary

      Modifier and Type Method Description
      ZipArchiveThresholdInputStream getInputStream(org.apache.commons.compress.archivers.zip.ZipArchiveEntry entry)
      Returns an input stream for reading the contents of the specified zip file entry.
      static long getMaxEntrySize()
      Returns the current maximum allowed uncompressed file size.
      static long getMaxTextSize()
      Returns the current maximum allowed text size.
      static double getMinInflateRatio()
      Returns the current minimum compression rate that is used.
      java.lang.String getName()
      Returns the path name of the ZIP file.
      static void setMaxEntrySize(long maxEntrySize)
      Sets the maximum file size of a single zip entry.
      static void setMaxTextSize(long maxTextSize)
      Sets the maximum number of characters of text that may be extracted from a document before an exception is thrown.
      static void setMinInflateRatio(double ratio)
      Sets the minimum ratio of compressed (deflated) to uncompressed (inflated) bytes that is used to detect a zip bomb.
      • Methods inherited from class org.apache.commons.compress.archivers.zip.ZipFile

        canReadEntryData, close, closeQuietly, copyRawEntries, finalize, getEncoding, getEntries, getEntries, getEntriesInPhysicalOrder, getEntriesInPhysicalOrder, getEntry, getRawInputStream, getUnixSymlink
      • Methods inherited from class java.lang.Object

        clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • ZipSecureFile

        public ZipSecureFile(java.io.File file)
                      throws java.io.IOException
        Throws:
        java.io.IOException
      • ZipSecureFile

        public ZipSecureFile(java.lang.String name)
                      throws java.io.IOException
        Throws:
        java.io.IOException
    • Method Detail

      • setMinInflateRatio

        public static void setMinInflateRatio(double ratio)
        Sets the minimum ratio of compressed (deflated) to uncompressed (inflated) bytes that is used to detect a zip bomb. It defaults to 1% (= 0.01d), i.e. when the compressed data is less than 1% of the inflated size for any given package part that is read, parsing fails and reports a zip bomb.
        Parameters:
        ratio - the minimum ratio of compressed to uncompressed bytes, below which a zip bomb is reported
      • getMinInflateRatio

        public static double getMinInflateRatio()
        Returns the current minimum compression rate that is used. See setMinInflateRatio() for details.
        Returns:
        The min accepted compression-ratio.
      • setMaxEntrySize

        public static void setMaxEntrySize(long maxEntrySize)
        Sets the maximum file size of a single zip entry. It defaults to 4GB, i.e. the 32-bit zip format maximum. This can be used to limit memory consumption and protect against security vulnerabilities when documents are provided by users.
        Parameters:
        maxEntrySize - the max. file size of a single zip entry
      • getMaxEntrySize

        public static long getMaxEntrySize()
        Returns the current maximum allowed uncompressed file size. See setMaxEntrySize() for details.
        Returns:
        The max accepted uncompressed file size.
      • setMaxTextSize

        public static void setMaxTextSize(long maxTextSize)
        Sets the maximum number of characters of text that may be extracted from a document before an exception is thrown. This can be used to limit memory consumption and protect against security vulnerabilities when documents are provided by users.
        Parameters:
        maxTextSize - the max. number of characters of text that may be extracted
      • getMaxTextSize

        public static long getMaxTextSize()
        Returns the current maximum allowed text size. See setMaxTextSize() for details.
        Returns:
        The max accepted text size.
      • getInputStream

        public ZipArchiveThresholdInputStream getInputStream(org.apache.commons.compress.archivers.zip.ZipArchiveEntry entry)
                                                      throws java.io.IOException
        Returns an input stream for reading the contents of the specified zip file entry.

        Closing this ZIP file will, in turn, close all input streams that have been returned by invocations of this method.

        Overrides:
        getInputStream in class org.apache.commons.compress.archivers.zip.ZipFile
        Parameters:
        entry - the zip file entry
        Returns:
        the input stream for reading the contents of the specified zip file entry.
        Throws:
        java.io.IOException - if an I/O error has occurred
        java.lang.IllegalStateException - if the zip file has been closed
      • getName

        public java.lang.String getName()
        Returns the path name of the ZIP file.
        Returns:
        the path name of the ZIP file
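
The limits set by setMaxEntrySize and setMinInflateRatio, applied to a user-supplied package read through getInputStream. This is an added example, not part of the POI documentation. It assumes the class lives in org.apache.poi.openxml4j.util and that a limit violation surfaces as an IOException while reading; the class name UntrustedPackageCheck, the 64 MiB and 256 MiB values and the whole-archive budget (which goes beyond what ZipSecureFile itself checks) are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.Enumeration;
import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.poi.openxml4j.util.ZipSecureFile; // assumed package

public class UntrustedPackageCheck { // hypothetical class name
    // Constructed limits for illustration; size them to the documents you expect.
    static final long MAX_ENTRY_BYTES = 64L * 1024 * 1024;   // per entry
    static final long MAX_TOTAL_BYTES = 256L * 1024 * 1024;  // whole archive (added check)
    static final double MIN_INFLATE_RATIO = 0.01d;           // the documented default

    /** Call once at startup: the setters are static, so they change the limits JVM-wide. */
    static void configureLimits() {
        ZipSecureFile.setMaxEntrySize(MAX_ENTRY_BYTES);
        ZipSecureFile.setMinInflateRatio(MIN_INFLATE_RATIO);
    }

    /**
     * Drains every entry through the threshold-checked stream with a fixed buffer and
     * returns the total inflated size. An IOException (assumed failure mode) ends the scan.
     */
    static long inflateAll(File upload) throws IOException {
        long total = 0;
        byte[] buf = new byte[8192];
        try (ZipSecureFile zip = new ZipSecureFile(upload)) {
            Enumeration<ZipArchiveEntry> entries = zip.getEntries();
            while (entries.hasMoreElements()) {
                ZipArchiveEntry entry = entries.nextElement();
                if (entry.isDirectory()) continue;
                try (InputStream in = zip.getInputStream(entry)) {
                    for (int n; (n = in.read(buf)) != -1; ) {
                        total += n;
                        // Per-entry limits do not bound an archive of many mid-sized entries.
                        if (total > MAX_TOTAL_BYTES)
                            throw new IOException("archive exceeds total inflate budget");
                    }
                }
            }
        }
        return total;
    }

    public static void main(String[] args) throws IOException {
        configureLimits();
        System.out.println("inflated bytes: " + inflateAll(new File(args[0])));
    }
}
```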