Fix Zip Bomb attack security hotspot

DEVSIX-7103

Author: AnhelinaM

commons/src/main/java/com/itextpdf/commons/logs/CommonsLogMessageConstant.java

@@ -67,6 +67,28 @@ public final class CommonsLogMessageConstant {
     public static final String LOCAL_FILE_COMPRESSION_FAILED = "Cannot archive files into zip. "
             + "Exception message: {0}.";
 
+    /**
+     * Message notifies that archive is suspicious to be a zip bomb due to large ratio between the compressed and
+     * uncompressed archive entry.
+     *
+     * <ul>
+     * <li>0th is a threshold ratio;
+     * </ul>
+     */
+    public static final String RATIO_IS_HIGHLY_SUSPICIOUS = "Ratio between compressed and uncompressed data is highly"
+            + " suspicious, looks like a Zip Bomb Attack. Threshold ratio is {0}.";
+
+    /**
+     * Message notifies that archive is suspicious to be a zip bomb because the number of file entries extracted from
+     * the archive is greater than a predefined threshold.
+     *
+     * <ul>
+     * <li>0th is a threshold number of file entries in the archive;
+     * </ul>
+     */
+    public static final String TOO_MUCH_ENTRIES_IN_ARCHIVE = "Too much entries in this archive, can lead to inodes "
+            + "exhaustion of the system, looks like a Zip Bomb Attack. Threshold number of file entries is {0}.";
+
     /**
      * Message notifies that some exception has been thrown during json deserialization from object.
      * List of params:
@@ -91,6 +113,16 @@ public final class CommonsLogMessageConstant {
     public static final String UNABLE_TO_SERIALIZE_OBJECT =
             "Unable to serialize object. Exception {0} was thrown with the message: {1}.";
 
+    /**
+     * Message notifies that archive is suspicious to be a zip bomb due to large total size of the uncompressed data.
+     *
+     * <ul>
+     * <li>0th is a threshold size;
+     * </ul>
+     */
+    public static final String UNCOMPRESSED_DATA_SIZE_IS_TOO_MUCH = "The uncompressed data size is too much for the"
+            + " application resource capacity, looks like a Zip Bomb Attack. Threshold size is {0}.";
+
     /**
      * Message notifies that unknown placeholder was ignored during parsing of the producer line
      * format. List of params:

commons/src/main/java/com/itextpdf/commons/utils/ZipFileReader.java

@@ -23,7 +23,9 @@ This file is part of the iText (R) project.
 package com.itextpdf.commons.utils;
 
 import com.itextpdf.commons.exceptions.CommonsExceptionMessageConstant;
+import com.itextpdf.commons.logs.CommonsLogMessageConstant;
 
+import java.io.BufferedInputStream;
 import java.io.Closeable;
 import java.io.IOException;
 import java.io.InputStream;
@@ -33,14 +35,21 @@ This file is part of the iText (R) project.
 import java.util.Set;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Allows reading entries from a zip file.
  */
 public class ZipFileReader implements Closeable {
+    private static final Logger LOGGER = LoggerFactory.getLogger(ZipFileReader.class);
 
     private final ZipFile zipFile;
 
+    private int thresholdSize = 1_000_000_000;
+    private int thresholdEntries = 10000;
+    private double thresholdRatio = 10;
+
     /**
      * Creates an instance for zip file reading.
      *
@@ -59,13 +68,49 @@ public ZipFileReader(String archivePath) throws IOException {
      * Get all file entries paths inside the reading zip file.
      *
      * @return the {@link Set} of all file entries paths
+     *
+     * @throws IOException if some I/O exception occurs
      */
-    public Set<String> getFileNames() {
+    public Set<String> getFileNames() throws IOException {
         final Set<String> fileNames = new HashSet<>();
 
         final Enumeration<? extends ZipEntry> entries = zipFile.entries();
+
+        int totalSizeArchive = 0;
+        int totalEntryArchive = 0;
         while (entries.hasMoreElements()) {
             ZipEntry entry = entries.nextElement();
+            boolean zipBombSuspicious = false;
+            try (InputStream in = new BufferedInputStream(zipFile.getInputStream(entry))) {
+                totalEntryArchive++;
+                int nBytes;
+                byte[] buffer = new byte[2048];
+                int totalSizeEntry = 0;
+                while ((nBytes = in.read(buffer)) > 0) {
+                    totalSizeEntry += nBytes;
+                    totalSizeArchive += nBytes;
+                    double compressionRatio = (double) totalSizeEntry / entry.getCompressedSize();
+                    if (compressionRatio > thresholdRatio) {
+                        zipBombSuspicious = true;
+                        break;
+                    }
+                }
+                if (zipBombSuspicious) {
+                    LOGGER.warn(MessageFormatUtil.format(CommonsLogMessageConstant.RATIO_IS_HIGHLY_SUSPICIOUS,
+                            thresholdRatio));
+                    break;
+                }
+                if (totalSizeArchive > thresholdSize) {
+                    LOGGER.warn(MessageFormatUtil.format(CommonsLogMessageConstant.UNCOMPRESSED_DATA_SIZE_IS_TOO_MUCH,
+                            thresholdSize));
+                    break;
+                }
+                if (totalEntryArchive > thresholdEntries) {
+                    LOGGER.warn(MessageFormatUtil.format(CommonsLogMessageConstant.TOO_MUCH_ENTRIES_IN_ARCHIVE,
+                            thresholdEntries));
+                    break;
+                }
+            }
             if (!entry.isDirectory()) {
                 fileNames.add(entry.getName());
             }
@@ -94,6 +139,34 @@ public InputStream readFromZip(String fileName) throws IOException {
         return zipFile.getInputStream(entry);
     }
 
+    /**
+     * Sets the maximum total uncompressed data size to prevent a Zip Bomb Attack. Default value is 1 GB (1000000000).
+     *
+     * @param thresholdSize the threshold for maximum total size of the uncompressed data
+     */
+    public void setThresholdSize(int thresholdSize) {
+        this.thresholdSize = thresholdSize;
+    }
+
+    /**
+     * Sets the maximum number of file entries in the archive to prevent a Zip Bomb Attack. Default value is 10000.
+     *
+     * @param thresholdEntries maximum number of file entries in the archive
+     */
+    public void setThresholdEntries(int thresholdEntries) {
+        this.thresholdEntries = thresholdEntries;
+    }
+
+    /**
+     * Sets the maximum ratio between compressed and uncompressed data to prevent a Zip Bomb Attack. In general
+     * the data compression ratio for most of the legit archives is 1 to 3. Default value is 10.
+     *
+     * @param thresholdRatio maximum ratio between compressed and uncompressed data
+     */
+    public void setThresholdRatio(double thresholdRatio) {
+        this.thresholdRatio = thresholdRatio;
+    }
+
     @Override
     public void close() throws IOException {
         zipFile.close();

commons/src/test/java/com/itextpdf/commons/utils/ZipFileReaderTest.java

@@ -23,13 +23,15 @@ This file is part of the iText (R) project.
 package com.itextpdf.commons.utils;
 
 import com.itextpdf.commons.exceptions.CommonsExceptionMessageConstant;
+import com.itextpdf.commons.logs.CommonsLogMessageConstant;
 import com.itextpdf.test.ExtendedITextTest;
+import com.itextpdf.test.annotations.LogMessage;
+import com.itextpdf.test.annotations.LogMessages;
 import com.itextpdf.test.annotations.type.UnitTest;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.nio.charset.StandardCharsets;
 import java.util.Set;
 import org.junit.Assert;
 import org.junit.Test;
@@ -80,6 +82,43 @@ public void getFileNamesFromZipTest() throws IOException {
         }
     }
 
+    @Test
+    @LogMessages(messages = @LogMessage(messageTemplate = CommonsLogMessageConstant.UNCOMPRESSED_DATA_SIZE_IS_TOO_MUCH))
+    public void getFileNamesFromZipBombBySettingThresholdSizeTest() throws IOException {
+        try (ZipFileReader fileReader = new ZipFileReader(SOURCE_FOLDER + "zipBombTest.zip")) {
+            fileReader.setThresholdRatio(1000);
+            fileReader.setThresholdSize(10000);
+            Set<String> nameSet = fileReader.getFileNames();
+
+            Assert.assertNotNull(nameSet);
+            Assert.assertEquals(0, nameSet.size());
+        }
+    }
+
+    @Test
+    @LogMessages(messages = @LogMessage(messageTemplate = CommonsLogMessageConstant.RATIO_IS_HIGHLY_SUSPICIOUS))
+    public void getFileNamesFromZipBombBySettingThresholdRatioTest() throws IOException {
+        try (ZipFileReader fileReader = new ZipFileReader(SOURCE_FOLDER + "zipBombTest.zip")) {
+            fileReader.setThresholdRatio(5);
+            Set<String> nameSet = fileReader.getFileNames();
+
+            Assert.assertNotNull(nameSet);
+            Assert.assertEquals(0, nameSet.size());
+        }
+    }
+
+    @Test
+    @LogMessages(messages = @LogMessage(messageTemplate = CommonsLogMessageConstant.TOO_MUCH_ENTRIES_IN_ARCHIVE))
+    public void getFileNamesFromZipBombBySettingThresholdEntriesTest() throws IOException {
+        try (ZipFileReader fileReader = new ZipFileReader(SOURCE_FOLDER + "archive.zip")) {
+            fileReader.setThresholdEntries(5);
+            Set<String> nameSet = fileReader.getFileNames();
+
+            Assert.assertNotNull(nameSet);
+            Assert.assertTrue(nameSet.size() <= 5);
+        }
+    }
+
     @Test
     public void readFromZipWithNullPathTest() throws IOException {
         try (ZipFileReader reader = new ZipFileReader(SOURCE_FOLDER + "archive.zip")) {