lsm/hutool
1
0
Fork 0
mirror of https://gitee.com/dromara/hutool.git synced 2025-04-05 17:37:59 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

ZipReader增加setMaxSizeDiff方法,自定义或关闭ZipBomb

Browse Source
This commit is contained in:
Looly 2023-07-20 08:19:06 +08:00
parent f7a8c64f52
commit 47cba89085
2 changed files with 25 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGELOG.md
View File

@ -2,7 +2,7 @@
# 🚀Changelog # 🚀Changelog
------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------
# 5.8.21(2023-07-19) # 5.8.21(2023-07-20)
### 🐣新特性 ### 🐣新特性
* 【core 】 list 为空时CollUtil.max等返回null而非异常pr#1027@Gitee * 【core 】 list 为空时CollUtil.max等返回null而非异常pr#1027@Gitee
@ -12,7 +12,8 @@
* 【core 】 RandomUtil增加可选是否包含边界的重载issue#3182@Github * 【core 】 RandomUtil增加可选是否包含边界的重载issue#3182@Github
* 【core 】 StrUtil增加truncateByByteLength方法pr#3176@Github * 【core 】 StrUtil增加truncateByByteLength方法pr#3176@Github
* 【core 】 身份证工具类isValidCard18、isValidCard15入参null直接返回nullpr#1034@Gitee * 【core 】 身份证工具类isValidCard18、isValidCard15入参null直接返回nullpr#1034@Gitee
* 【http 】 使用multiparty方式支持body参数issue#3158@Gitee * 【http 】 使用multiparty方式支持body参数issue#3158@Github
* 【core 】 ZipReader增加setMaxSizeDiff方法自定义或关闭ZipBombissue#3018@Github
### 🐞Bug修复 ### 🐞Bug修复
* 【core 】 修复MapUtil工具使用filter方法构造传入参数结果问题issue#3162@Github * 【core 】 修复MapUtil工具使用filter方法构造传入参数结果问题issue#3162@Github

25
hutool-core/src/main/java/cn/hutool/core/compress/ZipReader.java
View File

@ -28,10 +28,14 @@ import java.util.zip.ZipInputStream;
public class ZipReader implements Closeable { public class ZipReader implements Closeable {
// size of uncompressed zip entry shouldn't be bigger of compressed in MAX_SIZE_DIFF times // size of uncompressed zip entry shouldn't be bigger of compressed in MAX_SIZE_DIFF times
private static final int MAX_SIZE_DIFF = 100; private static final int DEFAULT_MAX_SIZE_DIFF = 100;
private ZipFile zipFile; private ZipFile zipFile;
private ZipInputStream in; private ZipInputStream in;
/**
* 检查ZipBomb文件差异倍数-1表示不检查ZipBomb
*/
private int maxSizeDiff = DEFAULT_MAX_SIZE_DIFF;
/** /**
* 创建ZipReader * 创建ZipReader
@ -93,6 +97,18 @@ public class ZipReader implements Closeable {
this.in = zin; this.in = zin;
} }
/**
* 设置检查ZipBomb文件差异倍数-1表示不检查ZipBomb
*
* @param maxSizeDiff 检查ZipBomb文件差异倍数-1表示不检查ZipBomb
* @return this
* @since 6.0.0
*/
public ZipReader setMaxSizeDiff(final int maxSizeDiff) {
this.maxSizeDiff = maxSizeDiff;
return this;
}
/** /**
* 获取指定路径的文件流<br> * 获取指定路径的文件流<br>
* 如果是文件模式则直接获取Entry对应的流如果是流模式则遍历entry后找到对应流返回 * 如果是文件模式则直接获取Entry对应的流如果是流模式则遍历entry后找到对应流返回
@ -235,7 +251,10 @@ public class ZipReader implements Closeable {
* @param entry {@link ZipEntry} * @param entry {@link ZipEntry}
* @return 检查后的{@link ZipEntry} * @return 检查后的{@link ZipEntry}
*/ */
private static ZipEntry checkZipBomb(ZipEntry entry) { private ZipEntry checkZipBomb(ZipEntry entry) {
if(maxSizeDiff < 0){
return entry;
}
if (null == entry) { if (null == entry) {
return null; return null;
} }
@ -243,7 +262,7 @@ public class ZipReader implements Closeable {
final long uncompressedSize = entry.getSize(); final long uncompressedSize = entry.getSize();
if (compressedSize < 0 || uncompressedSize < 0 || if (compressedSize < 0 || uncompressedSize < 0 ||
// 默认压缩比例是100倍一旦发现压缩率超过这个阈值被认为是Zip bomb // 默认压缩比例是100倍一旦发现压缩率超过这个阈值被认为是Zip bomb
compressedSize * MAX_SIZE_DIFF < uncompressedSize) { compressedSize * maxSizeDiff < uncompressedSize) {
throw new UtilException("Zip bomb attack detected, invalid sizes: compressed {}, uncompressed {}, name {}", throw new UtilException("Zip bomb attack detected, invalid sizes: compressed {}, uncompressed {}, name {}",
compressedSize, uncompressedSize, entry.getName()); compressedSize, uncompressedSize, entry.getName());
} }