Adds adjustable ZipSecureFile Inflation Ratio for AAS Environment (#938)

* Adds adjustable ZipSecureFile Inflation Ratio for AAS Environment

* Adapts ZipBomb Handling
- Adds Error Message

* Adds missing throw declerations

* Adapts Exception Handling

* Adapts Default from 1.0 to 0.1

Author: FriedJannik

basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/environmentloader/CompleteEnvironment.java

@@ -38,6 +38,7 @@
 import org.eclipse.digitaltwin.aas4j.v3.dataformat.json.JsonDeserializer;
 import org.eclipse.digitaltwin.aas4j.v3.dataformat.xml.XmlDeserializer;
 import org.eclipse.digitaltwin.aas4j.v3.model.Environment;
+import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException;
 
 /**
  * Represents an environment and its relatedFiles
@@ -92,11 +93,11 @@ public List<InMemoryFile> getRelatedFiles() {
 		return relatedFiles;
 	}
 
-	public static CompleteEnvironment fromFile(File file) throws DeserializationException, InvalidFormatException, IOException {
+	public static CompleteEnvironment fromFile(File file) throws DeserializationException, InvalidFormatException, IOException, ZipBombException {
 		return fromInputStream(new FileInputStream(file), EnvironmentType.getFromFilePath(file.getPath()));
 	}
 
-	public static CompleteEnvironment fromInputStream(InputStream inputStream, EnvironmentType envType) throws DeserializationException, InvalidFormatException, IOException {
+	public static CompleteEnvironment fromInputStream(InputStream inputStream, EnvironmentType envType) throws DeserializationException, InvalidFormatException, IOException, ZipBombException {
 		Environment environment = null;
 		List<InMemoryFile> relatedFiles = null;
 
@@ -109,9 +110,16 @@ public static CompleteEnvironment fromInputStream(InputStream inputStream, Envir
 			environment = deserializer.read(inputStream);
 		}
 		if(envType == EnvironmentType.AASX) {
-			AASXDeserializer deserializer = new AASXDeserializer(inputStream);
-			relatedFiles = deserializer.getRelatedFiles();
-			environment = deserializer.read();
+			try {
+				AASXDeserializer deserializer = new AASXDeserializer(inputStream);
+				relatedFiles = deserializer.getRelatedFiles();
+				environment = deserializer.read();
+			} catch (Exception e) {
+				if (e.getMessage().startsWith("Zip bomb")) {
+					throw new ZipBombException(e);
+				}
+				throw e;
+			}
 		}
 
 		return new CompleteEnvironment(environment, relatedFiles);

basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/preconfiguration/AasEnvironmentPreconfigurationLoader.java

@@ -42,6 +42,7 @@
 import org.eclipse.digitaltwin.basyx.aasenvironment.environmentloader.CompleteEnvironment;
 import org.eclipse.digitaltwin.basyx.aasenvironment.environmentloader.CompleteEnvironment.EnvironmentType;
 import org.eclipse.digitaltwin.basyx.authorization.CommonAuthorizationProperties;
+import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -77,7 +78,7 @@ public boolean shouldLoadPreconfiguredEnvironment() {
 	}
 
 	public void loadPreconfiguredEnvironments(AasEnvironment aasEnvironment)
-			throws IOException, DeserializationException, InvalidFormatException {
+            throws IOException, DeserializationException, InvalidFormatException, ZipBombException {
 		List<File> files = scanForEnvironments(pathsToLoad);
 
 		if (files.isEmpty())

basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/preconfiguration/PreconfigurationLoaderInitializer.java

@@ -30,6 +30,7 @@
 import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
 import org.eclipse.digitaltwin.aas4j.v3.dataformat.core.DeserializationException;
 import org.eclipse.digitaltwin.basyx.aasenvironment.AasEnvironment;
+import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
@@ -60,7 +61,7 @@ public void afterPropertiesSet() throws Exception {
 		loadPreconfiguredEnvironment();
 	}
 
-	private void loadPreconfiguredEnvironment() throws IOException, InvalidFormatException, DeserializationException {
+	private void loadPreconfiguredEnvironment() throws IOException, InvalidFormatException, DeserializationException, ZipBombException {
 		if (!preconfigurationLoader.shouldLoadPreconfiguredEnvironment()) {
 			return;
 		}

basyx.aasenvironment/basyx.aasenvironment-core/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/AasEnvironmentLoaderTest.java

@@ -36,6 +36,7 @@
 import org.eclipse.digitaltwin.basyx.conceptdescriptionrepository.backend.CrudConceptDescriptionRepositoryFactory;
 import org.eclipse.digitaltwin.basyx.conceptdescriptionrepository.backend.InMemoryConceptDescriptionBackend;
 import org.eclipse.digitaltwin.basyx.core.exceptions.CollidingIdentifierException;
+import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException;
 import org.eclipse.digitaltwin.basyx.core.filerepository.InMemoryFileRepository;
 import org.eclipse.digitaltwin.basyx.core.pagination.PaginationInfo;
 import org.eclipse.digitaltwin.basyx.submodelrepository.SubmodelRepository;
@@ -79,7 +80,7 @@ public void setUp() {
 		conceptDescriptionRepository = Mockito.spy(CrudConceptDescriptionRepositoryFactory.builder().backend(new InMemoryConceptDescriptionBackend()).create());
 	}
 
-	protected void loadRepositories(List<String> pathsToLoad) throws IOException, DeserializationException, InvalidFormatException {
+	protected void loadRepositories(List<String> pathsToLoad) throws IOException, DeserializationException, InvalidFormatException, ZipBombException {
 		DefaultAASEnvironment envLoader = new DefaultAASEnvironment(aasRepository, submodelRepository, conceptDescriptionRepository);
 
 		for (String path: pathsToLoad) {
@@ -89,7 +90,7 @@ protected void loadRepositories(List<String> pathsToLoad) throws IOException, De
 	}
 
 	@Test
-	public void testWithResourceFile_AllElementsAreDeployed() throws InvalidFormatException, IOException, DeserializationException {
+	public void testWithResourceFile_AllElementsAreDeployed() throws InvalidFormatException, IOException, DeserializationException, ZipBombException {
 		loadRepositories(List.of(TEST_ENVIRONMENT_JSON));
 
 		Assert.assertEquals(2, aasRepository.getAllAas(null, null, PaginationInfo.NO_LIMIT).getResult().size());
@@ -98,7 +99,7 @@ public void testWithResourceFile_AllElementsAreDeployed() throws InvalidFormatEx
 	}
 
 	@Test
-	public void testDeployedTwiceNoVersion_AllDeployedButNotOverriden() throws InvalidFormatException, IOException, DeserializationException {
+	public void testDeployedTwiceNoVersion_AllDeployedButNotOverriden() throws InvalidFormatException, IOException, DeserializationException, ZipBombException {
 		loadRepositories(List.of(TEST_ENVIRONMENT_JSON));
 		loadRepositories(List.of(TEST_ENVIRONMENT_JSON));
 
@@ -114,7 +115,7 @@ public void testDeployedTwiceNoVersion_AllDeployedButNotOverriden() throws Inval
 	}
 
 	@Test
-	public void testDeployedTwiceWithSameVersion_AllDeployedButNotOverriden() throws InvalidFormatException, IOException, DeserializationException {
+	public void testDeployedTwiceWithSameVersion_AllDeployedButNotOverriden() throws InvalidFormatException, IOException, DeserializationException, ZipBombException {
 		loadRepositories(List.of(TEST_ENVIRONMENT_VERSION_ON_SECOND_JSON));
 		loadRepositories(List.of(TEST_ENVIRONMENT_VERSION_ON_SECOND_JSON));
 
@@ -130,7 +131,7 @@ public void testDeployedTwiceWithSameVersion_AllDeployedButNotOverriden() throws
 	}
 
 	@Test
-	public void testDeployedTwiceNewRevision_ElementsAreOverriden() throws InvalidFormatException, IOException, DeserializationException {
+	public void testDeployedTwiceNewRevision_ElementsAreOverriden() throws InvalidFormatException, IOException, DeserializationException, ZipBombException {
 		loadRepositories(List.of(TEST_ENVIRONMENT_VERSION_ON_SECOND_JSON));
 		loadRepositories(List.of(TEST_ENVIRONMENT_VERSION_AND_REVISION_ON_SECOND_JSON));
 
@@ -159,7 +160,7 @@ public void testDuplicateShellIdsInEnvironments_ExceptionIsThrown() {
 	}
 
 	@Test
-	public void testWithResourceFile_NoExceptionsWhenReuploadAfterElementsAreRemoved() throws InvalidFormatException, IOException, DeserializationException {
+	public void testWithResourceFile_NoExceptionsWhenReuploadAfterElementsAreRemoved() throws InvalidFormatException, IOException, DeserializationException, ZipBombException {
 		AasEnvironment envLoader = new DefaultAASEnvironment(aasRepository, submodelRepository, conceptDescriptionRepository);
 
 		loadRepositoriesWithEnvironment(List.of(TEST_ENVIRONMENT_JSON), envLoader);
@@ -178,7 +179,7 @@ public void testWithResourceFile_NoExceptionsWhenReuploadAfterElementsAreRemoved
 	}
 
 	@Test
-	public void testWithResourceFile_ExceptionIsThrownWhenReuploadWithExistingElements() throws InvalidFormatException, IOException, DeserializationException {
+	public void testWithResourceFile_ExceptionIsThrownWhenReuploadWithExistingElements() throws InvalidFormatException, IOException, DeserializationException, ZipBombException {
 		AasEnvironment envLoader = new DefaultAASEnvironment(aasRepository, submodelRepository, conceptDescriptionRepository);
 
 		loadRepositoriesWithEnvironment(List.of(TEST_ENVIRONMENT_JSON), envLoader);
@@ -191,7 +192,7 @@ public void testWithResourceFile_ExceptionIsThrownWhenReuploadWithExistingElemen
 		Assert.assertThrows(expectedMsg, CollidingIdentifierException.class, () -> loadRepositoriesWithEnvironment(List.of(TEST_ENVIRONMENT_JSON), envLoader));
 	}
 
-	private void loadRepositoriesWithEnvironment(List<String> pathsToLoad, AasEnvironment aasEnvironment) throws IOException, DeserializationException, InvalidFormatException {
+	private void loadRepositoriesWithEnvironment(List<String> pathsToLoad, AasEnvironment aasEnvironment) throws IOException, DeserializationException, InvalidFormatException, ZipBombException {
 
 		for (String path: pathsToLoad) {
 			File file = rLoader.getResource(path).getFile();

basyx.aasenvironment/basyx.aasenvironment-core/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/PreconfigurationLoaderTextualResourceTest.java

@@ -31,6 +31,7 @@
 import org.eclipse.digitaltwin.aas4j.v3.dataformat.core.DeserializationException;
 import org.eclipse.digitaltwin.basyx.aasenvironment.base.DefaultAASEnvironment;
 import org.eclipse.digitaltwin.basyx.aasenvironment.preconfiguration.AasEnvironmentPreconfigurationLoader;
+import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException;
 import org.eclipse.digitaltwin.basyx.core.pagination.PaginationInfo;
 import org.junit.Assert;
 import org.junit.Test;
@@ -45,13 +46,13 @@
 public class PreconfigurationLoaderTextualResourceTest extends AasEnvironmentLoaderTest {
 
 	@Override
-	protected void loadRepositories(List<String> pathsToLoad) throws IOException, InvalidFormatException, DeserializationException {
+	protected void loadRepositories(List<String> pathsToLoad) throws IOException, InvalidFormatException, DeserializationException, ZipBombException {
 		AasEnvironmentPreconfigurationLoader envLoader = new AasEnvironmentPreconfigurationLoader(rLoader, pathsToLoad);
 		envLoader.loadPreconfiguredEnvironments(new DefaultAASEnvironment(aasRepository, submodelRepository, conceptDescriptionRepository));
 	}
 
 	@Test
-	public void testWithEmptyResource_NoElementsAreDeployed() throws InvalidFormatException, IOException, DeserializationException {
+	public void testWithEmptyResource_NoElementsAreDeployed() throws InvalidFormatException, IOException, DeserializationException, ZipBombException {
 		loadRepositories(List.of());
 		Assert.assertTrue(aasRepository.getAllAas(null, null, PaginationInfo.NO_LIMIT).getResult().isEmpty());
 		Assert.assertTrue(submodelRepository.getAllSubmodels(PaginationInfo.NO_LIMIT).getResult().isEmpty());

basyx.aasenvironment/basyx.aasenvironment-feature-authorization/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/feature/authorization/AuthorizedAASEnvironmentPreconfigurationLoader.java

@@ -35,6 +35,7 @@
 import org.eclipse.digitaltwin.basyx.client.internal.authorization.TokenManager;
 import org.eclipse.digitaltwin.basyx.client.internal.authorization.grant.AccessTokenProvider;
 import org.eclipse.digitaltwin.basyx.client.internal.authorization.grant.GrantType;
+import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -104,7 +105,7 @@ public AuthorizedAASEnvironmentPreconfigurationLoader(ResourceLoader resourceLoa
 
     @Override
     public void loadPreconfiguredEnvironments(AasEnvironment aasEnvironment)
-            throws IOException, InvalidFormatException, DeserializationException {
+            throws IOException, InvalidFormatException, DeserializationException, ZipBombException {
         if (isEnvironmentSet()) {
             setUpTokenProvider();
             configureSecurityContext();

basyx.aasenvironment/basyx.aasenvironment-http/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/http/AASEnvironmentHTTPApi.java

@@ -31,6 +31,7 @@
 import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
 import org.eclipse.digitaltwin.aas4j.v3.dataformat.core.DeserializationException;
 import org.eclipse.digitaltwin.aas4j.v3.model.Result;
+import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException;
 import org.springframework.core.io.Resource;
 import org.springframework.http.ResponseEntity;
 import org.springframework.validation.annotation.Validated;
@@ -83,5 +84,5 @@ ResponseEntity<Boolean> uploadEnvironment(
 			@Parameter(description = "An environment file (XML, JSON, AASX)") @Valid @RequestParam("file") MultipartFile envFile,
 			@Parameter(description = "Flag to indicate if already existing Ids should be ignored when reuploading an environment (default: false)", schema = @Schema(defaultValue = "false"))
 			@RequestParam(value = "ignore-duplicates", required = false, defaultValue = "false") boolean ignoreDuplicates
-	) throws IOException, InvalidFormatException, DeserializationException;
+	) throws IOException, InvalidFormatException, DeserializationException, ZipBombException;
 }

basyx.aasenvironment/basyx.aasenvironment-http/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/http/AasEnvironmentApiHTTPController.java

@@ -36,6 +36,7 @@
 import org.eclipse.digitaltwin.basyx.aasenvironment.environmentloader.CompleteEnvironment;
 import org.eclipse.digitaltwin.basyx.aasenvironment.environmentloader.CompleteEnvironment.EnvironmentType;
 import org.eclipse.digitaltwin.basyx.core.exceptions.ElementDoesNotExistException;
+import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException;
 import org.eclipse.digitaltwin.basyx.http.Base64UrlEncodedIdentifier;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.io.ByteArrayResource;
@@ -104,7 +105,7 @@ public ResponseEntity<Resource> generateSerializationByIds(
 	@Override
 	public ResponseEntity<Boolean> uploadEnvironment(
 			@RequestParam(value = "file") MultipartFile envFile,
-			@RequestParam(value = "ignore-duplicates", required = false, defaultValue = "false") boolean ignoreDuplicates) throws IOException, InvalidFormatException, DeserializationException {
+			@RequestParam(value = "ignore-duplicates", required = false, defaultValue = "false") boolean ignoreDuplicates) throws IOException, InvalidFormatException, DeserializationException, ZipBombException {
 		EnvironmentType envType = EnvironmentType.getFromMimeType(envFile.getContentType());
 
 		if (envType == null)

basyx.aasenvironment/basyx.aasenvironment.component/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/component/AasEnvironmentConfiguration.java

@@ -27,11 +27,13 @@
 
 import java.util.List;
 
+import org.apache.poi.openxml4j.util.ZipSecureFile;
 import org.eclipse.digitaltwin.basyx.aasenvironment.AasEnvironment;
 import org.eclipse.digitaltwin.basyx.aasenvironment.AasEnvironmentFactory;
 import org.eclipse.digitaltwin.basyx.aasenvironment.feature.AasEnvironmentFeature;
 import org.eclipse.digitaltwin.basyx.aasenvironment.feature.DecoratedAasEnvironmentFactory;
 import org.eclipse.digitaltwin.basyx.aasenvironment.preconfiguration.AasEnvironmentPreconfigurationLoader;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -48,7 +50,8 @@ public class AasEnvironmentConfiguration {
 
 	@Bean
 	@ConditionalOnMissingBean
-	public static AasEnvironment getAasEnvironment(AasEnvironmentFactory aasEnvironmentFactory, List<AasEnvironmentFeature> features) {
+	public static AasEnvironment getAasEnvironment(AasEnvironmentFactory aasEnvironmentFactory, List<AasEnvironmentFeature> features, @Value("${basyx.aasenvironment.minInflateRatio:0.1}") double minInflateRatio) {
+		ZipSecureFile.setMinInflateRatio(minInflateRatio);
 		return new DecoratedAasEnvironmentFactory(aasEnvironmentFactory, features).create();
 	}
 

basyx.aasenvironment/basyx.aasenvironment.component/src/main/resources/application.properties

@@ -20,6 +20,8 @@ basyx.backend = InMemory
 # basyx.cors.allowed-origins=http://localhost:3000, http://localhost:4000
 # basyx.cors.allowed-methods=GET,POST,PATCH,DELETE,PUT,OPTIONS,HEAD
 
+# basyx.aasenvironment.minInflateRatio=0.00001
+
 ####################################################################################
 # Preconfiguring the Environment;
 ####################################################################################