/**
 * Builds a fresh handler under test for every test method.
 *
 * <p>The handler wraps a no-op {@link DefaultHandler} and is bound to a
 * {@code TikaInputStream} over a {@code NullInputStream} of
 * {@code MANY_BYTES} bytes, so the tests can drive SAX events directly.
 */
@Before
public void setUp() {
    NullInputStream source = new NullInputStream(MANY_BYTES);
    stream = TikaInputStream.get(source);

    DefaultHandler sink = new DefaultHandler();
    handler = new SecureContentHandler(sink, stream);
}
/**
 * Verifies that nesting {@code div class="package-entry"} elements beyond
 * {@code getMaximumPackageEntryDepth()} is rejected, and that the rejection
 * surfaces as a {@code TikaException} through {@code throwIfCauseOf}.
 *
 * @throws SAXException if the handler fails for a reason other than the
 *         depth limit
 */
@Test
public void testNestedEntries() throws SAXException {
    AttributesImpl atts = new AttributesImpl();
    // presumably this class value is what the handler counts as a package entry
    atts.addAttribute("", "class", "class", "CDATA", "package-entry");

    // Open elements up to, but not past, the configured limit.
    int depth = 1;
    while (depth < handler.getMaximumPackageEntryDepth()) {
        handler.startElement("", "div", "div", atts);
        depth++;
    }

    // One more element must trip the limit.
    try {
        handler.startElement("", "div", "div", atts);
        fail("Nested XML element limit exceeded");
    } catch (SAXException limitHit) {
        try {
            handler.throwIfCauseOf(limitHit);
            // Not raised by the secure handler: let the test fail with it.
            throw limitHit;
        } catch (TikaException expected) {
            // The limit was enforced and converted as intended.
        }
    }
}
/**
 * Counts the reported characters against the output limit, then passes the
 * event on unchanged.
 *
 * @param ch buffer holding the characters
 * @param start offset of the first reported character in {@code ch}
 * @param length number of characters reported; this is the amount counted
 * @throws SAXException if {@code advance} rejects the output or the
 *         superclass call fails
 */
@Override
public void characters(char[] ch, int start, int length)
        throws SAXException {
    // Count first: advance() may throw, and then this chunk is never forwarded.
    advance(length);
    super.characters(ch, start, length);
}
/**
 * Verifies that nesting plain elements beyond {@code getMaximumDepth()} is
 * rejected, and that the rejection surfaces as a {@code TikaException}
 * through {@code throwIfCauseOf}.
 *
 * @throws SAXException if the handler fails for a reason other than the
 *         depth limit
 */
@Test
public void testNestedElements() throws SAXException {
    // Open elements up to, but not past, the configured limit.
    int depth = 1;
    while (depth < handler.getMaximumDepth()) {
        handler.startElement("", "x", "x", new AttributesImpl());
        depth++;
    }

    // One more element must trip the limit.
    try {
        handler.startElement("", "x", "x", new AttributesImpl());
        fail("Nested XML element limit exceeded");
    } catch (SAXException limitHit) {
        try {
            handler.throwIfCauseOf(limitHit);
            // Not raised by the secure handler: let the test fail with it.
            throw limitHit;
        } catch (TikaException expected) {
            // The limit was enforced and converted as intended.
        }
    }
}
new SecureContentHandler(handler, tis); sch.setMaximumCompressionRatio(maxCompressionRatio); sch.setOutputThreshold(maxUncompressionSize); } catch (final SAXException e) { sch.throwIfCauseOf(e); throw e;
handler != null ? new SecureContentHandler(handler, tis) : null; } catch (SAXException e) { sch.throwIfCauseOf(e); throw e;
/**
 * Adds {@code length} to the running count of output characters (strictly,
 * UTF-16 code units) and aborts when the output is out of proportion to the
 * input read so far.
 *
 * <p>The ratio comparison is only consulted once the count is above
 * {@code threshold}; both conditions must hold for the exception to be
 * thrown.
 *
 * @param length number of new output characters produced
 * @throws SAXException if a zip bomb is detected
 */
private void advance(int length) throws SAXException {
    characterCount += length;

    // Sampled after the count is updated, on every call.
    final long bytesRead = getByteCount();

    if (characterCount > threshold) {
        if (characterCount > bytesRead * ratio) {
            throw new SecureSAXException(
                    "Suspected zip bomb: " + bytesRead + " input bytes produced "
                    + characterCount + " output characters");
        }
    }
}
final SecureContentHandler sch = new SecureContentHandler( handler, tis); sch.setMaximumCompressionRatio(maxCompressionRatio); sch.setOutputThreshold(maxUncompressionSize); } catch (final SAXException e) { sch.throwIfCauseOf(e); throw e;
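/**
 * Parses the given stream after auto-detecting its media type, routing the
 * output through a {@link SecureContentHandler} (TIKA-216 zip bomb
 * prevention).
 *
 * <p>The detected type is stored in {@code metadata} under
 * {@code Metadata.CONTENT_TYPE} before parsing starts. The temporary
 * resources used to wrap the stream are disposed whether the method returns
 * or throws.
 *
 * <p>When {@code handler} is {@code null} no secure wrapper is created and
 * {@code null} is passed to the underlying parse call, so the
 * {@code SecureContentHandler} checks do not apply to that call.
 *
 * @param stream document input
 * @param handler receiver of the parsed content, or {@code null}
 * @param metadata document metadata; receives the detected content type
 * @param context parse context passed through to the underlying parser
 * @throws IOException if reading the stream fails
 * @throws SAXException if SAX processing fails for a reason not attributed
 *         to the secure handler
 * @throws TikaException if parsing fails, including a SAX failure that
 *         {@code throwIfCauseOf} attributes to the secure handler
 */
public void parse(
        InputStream stream, ContentHandler handler,
        Metadata metadata, ParseContext context)
        throws IOException, SAXException, TikaException {
    TemporaryResources tmp = new TemporaryResources();
    try {
        TikaInputStream tis = TikaInputStream.get(stream, tmp);

        // Automatically detect the MIME type of the document
        MediaType type = detector.detect(tis, metadata);
        metadata.set(Metadata.CONTENT_TYPE, type.toString());

        // TIKA-216: Zip bomb prevention
        SecureContentHandler sch =
                handler != null ? new SecureContentHandler(handler, tis) : null;
        try {
            // Parse the document
            super.parse(tis, sch, metadata, context);
        } catch (SAXException e) {
            // Convert zip bomb exceptions to TikaExceptions. sch is null when
            // the caller passed no handler; dereferencing it here would
            // replace the real failure with a NullPointerException.
            if (sch != null) {
                sch.throwIfCauseOf(e);
            }
            throw e;
        } catch (final Error error) {
            // Arrays.toString renders the frames; concatenating the array
            // directly only printed its identity string. The "stackTace"
            // label is emitted text and is kept as it was.
            // NOTE(review): the message carries the full stack trace; check
            // that it is not returned verbatim to remote callers.
            throw new TikaErrorException("[TikaErrorException] " + error.toString()
                    + "; message=" + error.getMessage()
                    + "; stackTace=" + java.util.Arrays.toString(error.getStackTrace()));
        }
    } finally {
        tmp.dispose();
    }
}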
/**
 * Adds {@code length} to the running count of output characters (strictly,
 * UTF-16 code units) and aborts when the output is out of proportion to the
 * input read so far.
 *
 * <p>The ratio comparison is only consulted once the count is above
 * {@code threshold}; both conditions must hold for the exception to be
 * thrown.
 *
 * @param length number of new output characters produced
 * @throws SAXException if a zip bomb is detected
 */
private void advance(int length) throws SAXException {
    characterCount += length;

    // Sampled after the count is updated, on every call.
    final long bytesRead = getByteCount();

    if (characterCount > threshold) {
        if (characterCount > bytesRead * ratio) {
            throw new SecureSAXException(
                    "Suspected zip bomb: " + bytesRead + " input bytes produced "
                    + characterCount + " output characters");
        }
    }
}
new SecureContentHandler(handler, tis); sch.setMaximumCompressionRatio(maxCompressionRatio); sch.setOutputThreshold(maxUncompressionSize); } catch (final SAXException e) { sch.throwIfCauseOf(e); throw e;
SecureContentHandler sch = new SecureContentHandler(handler, tis); try { compositeParser.parse(tis, sch, metadata, context); } catch (SAXException e) { sch.throwIfCauseOf(e); throw e;
/**
 * Counts ignorable whitespace against the output limit in the same way as
 * character data, then passes the event on unchanged.
 *
 * @param ch buffer holding the whitespace
 * @param start offset of the first reported character in {@code ch}
 * @param length number of characters reported; this is the amount counted
 * @throws SAXException if {@code advance} rejects the output or the
 *         superclass call fails
 */
@Override
public void ignorableWhitespace(char[] ch, int start, int length)
        throws SAXException {
    // Count first: advance() may throw, and then this chunk is never forwarded.
    advance(length);
    super.ignorableWhitespace(ch, start, length);
}
/**
 * Adds {@code length} to the running count of output characters (strictly,
 * UTF-16 code units) and aborts when the output is out of proportion to the
 * input read so far.
 *
 * <p>The ratio comparison is only consulted once the count is above
 * {@code threshold}; both conditions must hold for the exception to be
 * thrown.
 *
 * @param length number of new output characters produced
 * @throws SAXException if a zip bomb is detected
 */
private void advance(int length) throws SAXException {
    characterCount += length;

    // Sampled after the count is updated, on every call.
    final long bytesRead = getByteCount();

    if (characterCount > threshold) {
        if (characterCount > bytesRead * ratio) {
            throw new SecureSAXException(
                    "Suspected zip bomb: " + bytesRead + " input bytes produced "
                    + characterCount + " output characters");
        }
    }
}
final SecureContentHandler sch = new SecureContentHandler(handler, tis); sch.setMaximumCompressionRatio(maxCompressionRatio); sch.setOutputThreshold(maxUncompressionSize); } catch (final SAXException e) { sch.throwIfCauseOf(e); throw e;
handler != null ? new SecureContentHandler(handler, tis) : null; } catch (SAXException e) { sch.throwIfCauseOf(e); throw e;
/**
 * Counts the reported characters against the output limit, then passes the
 * event on unchanged.
 *
 * @param ch buffer holding the characters
 * @param start offset of the first reported character in {@code ch}
 * @param length number of characters reported; this is the amount counted
 * @throws SAXException if {@code advance} rejects the output or the
 *         superclass call fails
 */
@Override
public void characters(char[] ch, int start, int length)
        throws SAXException {
    // Count first: advance() may throw, and then this chunk is never forwarded.
    advance(length);
    super.characters(ch, start, length);
}
/**
 * Counts the reported characters against the output limit, then passes the
 * event on unchanged.
 *
 * @param ch buffer holding the characters
 * @param start offset of the first reported character in {@code ch}
 * @param length number of characters reported; this is the amount counted
 * @throws SAXException if {@code advance} rejects the output or the
 *         superclass call fails
 */
@Override
public void characters(char[] ch, int start, int length)
        throws SAXException {
    // Count first: advance() may throw, and then this chunk is never forwarded.
    advance(length);
    super.characters(ch, start, length);
}
/**
 * Counts ignorable whitespace against the output limit in the same way as
 * character data, then passes the event on unchanged.
 *
 * @param ch buffer holding the whitespace
 * @param start offset of the first reported character in {@code ch}
 * @param length number of characters reported; this is the amount counted
 * @throws SAXException if {@code advance} rejects the output or the
 *         superclass call fails
 */
@Override
public void ignorableWhitespace(char[] ch, int start, int length)
        throws SAXException {
    // Count first: advance() may throw, and then this chunk is never forwarded.
    advance(length);
    super.ignorableWhitespace(ch, start, length);
}
/**
 * Counts ignorable whitespace against the output limit in the same way as
 * character data, then passes the event on unchanged.
 *
 * @param ch buffer holding the whitespace
 * @param start offset of the first reported character in {@code ch}
 * @param length number of characters reported; this is the amount counted
 * @throws SAXException if {@code advance} rejects the output or the
 *         superclass call fails
 */
@Override
public void ignorableWhitespace(char[] ch, int start, int length)
        throws SAXException {
    // Count first: advance() may throw, and then this chunk is never forwarded.
    advance(length);
    super.ignorableWhitespace(ch, start, length);
}