https://bz.apache.org/bugzilla/show_bug.cgi?id=62187
Bug ID: 62187
Summary: Compiling with Java 10 fails with ClassCastException: org.apache.poi.openxml4j.util.ZipSecureFile$ThresholdInputStream cannot be cast to java.base/java.util.zip.ZipFile$ZipFileInputStream
Product: POI
Version: 4.0-dev
Hardware: PC
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: POI Overall
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
When compiling Apache POI with current Java 10 pre-releases, there are tests
failing:
[java] Caused by: java.lang.ClassCastException: org.apache.poi.openxml4j.util.ZipSecureFile$ThresholdInputStream cannot be cast to java.base/java.util.zip.ZipFile$ZipFileInputStream
[java] at java.base/java.util.zip.ZipFile$ZipFileInflaterInputStream.available(ZipFile.java:478)
[java] at org.apache.poi.openxml4j.util.ZipSecureFile$ThresholdInputStream.available(ZipSecureFile.java:317)
[java] at org.apache.poi.openxml4j.opc.internal.marshallers.ZipPartMarshaller.marshall(ZipPartMarshaller.java:85)
[java] at org.apache.poi.openxml4j.opc.ZipPackagePart.save(ZipPackagePart.java:124)
[java] at org.apache.poi.openxml4j.opc.internal.marshallers.DefaultMarshaller.marshall(DefaultMarshaller.java:43)
[java] at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:585)
[java] ... 39 more
[java] 36) testAddPivotTableToWorkbookWithLoadedPivotTable(org.apache.poi.xssf.usermodel.TestXSSFWorkbook)
[java] org.apache.poi.openxml4j.exceptions.OpenXML4JRuntimeException: Fail to save: an error occurs while saving the package : org.apache.poi.openxml4j.util.ZipSecureFile$ThresholdInputStream cannot be cast to java.base/java.util.zip.ZipFile$ZipFileInputStream
[java] at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:597)
[java] at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1527)
[java] at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1510)
[java] at org.apache.poi.openxml4j.opc.ZipPackage.closeImpl(ZipPackage.java:450)
[java] at org.apache.poi.openxml4j.opc.OPCPackage.close(OPCPackage.java:470)
[java] at org.apache.poi.POIXMLDocument.close(POIXMLDocument.java:188)
[java] at org.apache.poi.xssf.usermodel.XSSFWorkbook.close(XSSFWorkbook.java:591)
[java] at org.apache.poi.xssf.usermodel.TestXSSFWorkbook.$closeResource(TestXSSFWorkbook.java:198)
[java] at org.apache.poi.xssf.usermodel.TestXSSFWorkbook.testAddPivotTableToWorkbookWithLoadedPivotTable(TestXSSFWorkbook.java:804)
...
[java] at org.apache.poi.util.OOXMLLite.build(OOXMLLite.java:149)
[java] at org.apache.poi.util.OOXMLLite.main(OOXMLLite.java:94)
[java] Caused by: java.lang.ClassCastException: org.apache.poi.openxml4j.util.ZipSecureFile$ThresholdInputStream cannot be cast to java.base/java.util.zip.ZipFile$ZipFileInputStream
[java] at java.base/java.util.zip.ZipFile$ZipFileInflaterInputStream.available(ZipFile.java:478)
[java] at org.apache.poi.openxml4j.util.ZipSecureFile$ThresholdInputStream.available(ZipSecureFile.java:317)
[java] at org.apache.poi.openxml4j.opc.internal.marshallers.ZipPartMarshaller.marshall(ZipPartMarshaller.java:85)
[java] at org.apache.poi.openxml4j.opc.ZipPackagePart.save(ZipPackagePart.java:124)
[java] at org.apache.poi.openxml4j.opc.internal.marshallers.DefaultMarshaller.marshall(DefaultMarshaller.java:43)
[java] at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:585)
[java] ... 39 more
The tests fail when the ThresholdInputStream injects itself into the ZipFile
because JDK 10 now expects its own classes to be in place, not ours, e.g. in
available(). Seems we need to do the Zip-Bomb detection differently in the
future, however I could not immediately see a way how this can be done here.
See http://hg.openjdk.java.net/jdk/jdk10/rev/85ea7e83af30#l5.66 for the actual
change.
See https://builds.apache.org/view/P/view/POI/job/POI-DSL-1.10/ for current
build-results.
Summary of discussion on the mailing-list:
---------------------
pj.fanning via poi.apache.org:
I'm also wondering if maybe we could abandon the reflection approach and just
have ThresholdInputStream wrap the entry's InputStream and count the bytes
that are read, and blow up when the thresholds are breached. We might lose
out on some cases but the code would be easier to maintain.
Andreas Beeker:
This would potentially only work for stream but not for file-based access.
---------------------
We need to keep in mind that the ThresholdInputStream was introduced to
mitigate possible Zip-Bomb vulnerabilities when handling small zip-files which
require huge amounts of memory when they are unpacked. This mitigation needs
to still be active with any new way of implementing this.
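The byte-counting approach suggested in the mailing-list summary above, as an added example (not POI's code and not from the bug report): it covers stream-based reading only, wraps the source below a ZipInputStream to count compressed bytes, counts inflated bytes per entry, and fails once a size or ratio threshold is breached. The class name, helper names and limit values are assumptions made for this example.

```java
import java.io.*;
import java.util.zip.*;

public class CountingZipGuard {
    // Illustrative limits chosen for this example (assumptions, not POI's settings).
    static final long MAX_ENTRY_SIZE = 64L * 1024 * 1024;  // max inflated bytes per entry
    static final double MIN_INFLATE_RATIO = 0.01;          // compressed / inflated
    static final long GRACE_BYTES = 100 * 1024;            // no ratio check below this size

    /** Counts compressed bytes pulled from the underlying source. */
    static class Counter extends FilterInputStream {
        long count;
        Counter(InputStream in) { super(in); }
        @Override public int read() throws IOException { int b = super.read(); if (b >= 0) count++; return b; }
        @Override public int read(byte[] b, int off, int len) throws IOException {
            int n = super.read(b, off, len); if (n > 0) count += n; return n;
        }
    }

    /** Drains the current entry, failing as soon as a threshold is breached. */
    static long drain(ZipInputStream zin, Counter raw, long rawAtStart) throws IOException {
        byte[] buf = new byte[8192];
        long inflated = 0;
        for (int n; (n = zin.read(buf)) != -1; ) {
            inflated += n;
            if (inflated > MAX_ENTRY_SIZE)
                throw new IOException("entry larger than " + MAX_ENTRY_SIZE + " bytes");
            // Approximate: ZipInputStream reads ahead, so the compressed count is not exact.
            long compressed = raw.count - rawAtStart;
            if (inflated > GRACE_BYTES && (double) compressed / inflated < MIN_INFLATE_RATIO)
                throw new IOException("inflate ratio below " + MIN_INFLATE_RATIO + ", possible zip bomb");
        }
        return inflated;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: one small text entry and one 5 MB run of zero bytes.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("ok.txt"));    zos.write("hello".getBytes());
            zos.putNextEntry(new ZipEntry("zeros.bin")); zos.write(new byte[5 * 1024 * 1024]);
        }
        Counter raw = new Counter(new ByteArrayInputStream(bos.toByteArray()));
        try (ZipInputStream zin = new ZipInputStream(raw)) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                long start = raw.count;
                try { System.out.println(e.getName() + ": " + drain(zin, raw, start) + " bytes"); }
                catch (IOException ex) { System.out.println(e.getName() + ": rejected, " + ex.getMessage()); break; }
            }
        }
    }
}
```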