import org.apache.poi.POIXMLProperties.CustomProperties;
import org.apache.poi.POIXMLProperties.ExtendedProperties;
import org.apache.poi.openxml4j.opc.OPCPackage;
+import org.apache.poi.openxml4j.util.ZipSecureFile;
public abstract class POIXMLTextExtractor extends POITextExtractor {
/** The POIXMLDocument that's open */
}
super.close();
}
+
+ protected void checkMaxTextSize(StringBuffer text, String string) {
+ if(string == null) {
+ return;
+ }
+
+ int size = text.length() + string.length();
+ if(size > ZipSecureFile.getMaxTextSize()) {
+ throw new IllegalStateException("The text would exceed the max allowed overall size of extracted text. "
+ + "By default this is prevented as some documents may exhaust available memory and it may indicate that the file is used to inflate memory usage and thus could pose a security risk. "
+ + "You can adjust this limit via ZipSecureFile.setMaxTextSize() if you need to work with files which have a lot of text. "
+ + "Size: " + size + ", limit: MAX_TEXT_SIZE: " + ZipSecureFile.getMaxTextSize());
+ }
+ }
}
// don't alert for expanded sizes smaller than 100k\r
private static long GRACE_ENTRY_SIZE = 100*1024;\r
\r
+ // The default maximum size of extracted text \r
+ private static long MAX_TEXT_SIZE = 10*1024*1024;\r
+ \r
/**\r
* Sets the ratio between de- and inflated bytes to detect zipbomb.\r
* It defaults to 1% (= 0.01d), i.e. when the compression is better than\r
return MAX_ENTRY_SIZE;\r
}\r
\r
+ /**\r
+ * Sets the maximum number of characters of text that are\r
+ * extracted before an exception is thrown during extracting\r
+ * text from documents.\r
+ * \r
+ * This can be used to limit memory consumption and protect against \r
+ * security vulnerabilities when documents are provided by users.\r
+ *\r
+ * @param maxTextSize the max. file size of a single zip entry\r
+ */\r
+ public static void setMaxTextSize(long maxTextSize) {\r
+ if (maxTextSize < 0 || maxTextSize > 0xFFFFFFFFl) {\r
+ throw new IllegalArgumentException("Max text size is bounded [0-4GB].");\r
+ }\r
+ MAX_TEXT_SIZE = maxTextSize;\r
+ }\r
+\r
+ /**\r
+ * Returns the current maximum allowed text size.\r
+ * \r
+ * See setMaxTextSize() for details.\r
+ *\r
+ * @return The max accepted text size. \r
+ */\r
+ public static long getMaxTextSize() {\r
+ return MAX_TEXT_SIZE;\r
+ }\r
+\r
public ZipSecureFile(File file, int mode) throws IOException {\r
super(file, mode);\r
}\r
output.append('\t');
}
if (formattedValue != null) {
+ checkMaxTextSize(output, formattedValue);
output.append(formattedValue);
}
if (includeCellComments && comment != null) {
String commentText = comment.getString().getString().replace('\n', ' ');
output.append(formattedValue != null ? " Comment by " : "Comment by ");
+ checkMaxTextSize(output, commentText);
if (commentText.startsWith(comment.getAuthor() + ": ")) {
output.append(commentText);
} else {
* Append the cell contents we have collected.
*/
private void appendCellText(StringBuffer buffer) {
+ checkMaxTextSize(buffer, output.toString());
buffer.append(output);
}
// Is it a formula one?
if(cell.getCellType() == Cell.CELL_TYPE_FORMULA) {
if (formulasNotResults) {
- text.append(cell.getCellFormula());
+ String contents = cell.getCellFormula();
+ checkMaxTextSize(text, contents);
+ text.append(contents);
} else {
if (cell.getCachedFormulaResultType() == Cell.CELL_TYPE_STRING) {
handleStringCell(text, cell);
// Replace any newlines with spaces, otherwise it
// breaks the output
String commentText = comment.getString().getString().replace('\n', ' ');
+ checkMaxTextSize(text, commentText);
text.append(" Comment by ").append(comment.getAuthor()).append(": ").append(commentText);
}
}
private void handleStringCell(StringBuffer text, Cell cell) {
- text.append(cell.getRichStringCellValue().getString());
+ String contents = cell.getRichStringCellValue().getString();
+ checkMaxTextSize(text, contents);
+ text.append(contents);
}
+
private void handleNonStringCell(StringBuffer text, Cell cell, DataFormatter formatter) {
int type = cell.getCellType();
if (type == Cell.CELL_TYPE_FORMULA) {
CellStyle cs = cell.getCellStyle();
if (cs != null && cs.getDataFormatString() != null) {
- text.append(formatter.formatRawCellContents(
- cell.getNumericCellValue(), cs.getDataFormat(), cs.getDataFormatString()
- ));
+ String contents = formatter.formatRawCellContents(
+ cell.getNumericCellValue(), cs.getDataFormat(), cs.getDataFormatString());
+ checkMaxTextSize(text, contents);
+ text.append(contents);
return;
}
}
// No supported styling applies to this cell
- XSSFCell xcell = (XSSFCell)cell;
- text.append( xcell.getRawValue() );
+ String contents = ((XSSFCell)cell).getRawValue();
+ checkMaxTextSize(text, contents);
+ text.append( contents );
}
private String extractHeaderFooter(HeaderFooter hf) {
projects / poi.git / commitdiff