Using Apache POI - Zip Bomb detected

Problem description

When I am trying to write data to an Excel sheet, using Apache POI which contains more than 64000 records, where SXSSF is used, I am getting the below error:

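Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data. This may indicate that the file is used to inflate memory usage and thus could pose a security risk. You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit. Counter: 820224, cis.counter: 8192, ratio: 0.009987515605493134 Limits: MIN_INFLATE_RATIO: 0.01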

I found a solution that says to add ZipSecureFile.setMinInflateRatio(0.009), but why is it happening and what is the limit I need to provide for the above error? And where should I add the solution?

Reference for the solution: "How can I determine if a Zip Bomb error thrown when retrieving an Excel files Styles Table is legitimate?"

Is there any other solution?

Recommended answer

"Zip bomb" is a term used for an attack vector where a small zip file expands to a very large uncompressed file and thus can cause issues like exhausting memory or disk space.

Usually such zips are created with the intent of causing a denial of service attack on systems that receive zip files from external sources.

As .xlsx files are actually zipped files which contain XML files, there is a chance of causing such a zip bomb vulnerability in POI.

In order to prevent this from happening, Apache POI has some safeguards built in and enabled by default. So if you create a file with unusual content, e.g. many rows/columns with the same content, you can run into these safeguards and receive the exception as shown above.

If you fully control the creation of the processed files, you can adjust the setting given in the error message to avoid the exception.

See https://bz.apache.org/bugzilla/show_bug.cgi?id=58499 for the related issue, and "ZIp-bomb exception while writing a large formatted Excel (.xlsx)" and "How to determine if a Zip Bomb error thrown when retrieving an Excel files Styles Table is legitimate?" for similar discussions.
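The following is an added example, not code from the question, the answer or the POI project. It shows one place the adjustment can go when the application itself generates the workbook: around the SXSSF write, with the previous limit restored afterwards. The class and method names (`TrustedLargeExport`, `inflateRatio`, `writeTrusted`), the file name `export.xlsx` and the row data are hypothetical; the value 0.009 is the one from the question.

```java
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;

import org.apache.poi.openxml4j.util.ZipSecureFile;
import org.apache.poi.ss.usermodel.Row;
import org.apache.poi.ss.usermodel.Sheet;
import org.apache.poi.xssf.streaming.SXSSFWorkbook;

public class TrustedLargeExport {

    // Ratio checked against MIN_INFLATE_RATIO: compressed bytes read / expanded bytes produced.
    static double inflateRatio(long compressedBytes, long expandedBytes) {
        return (double) compressedBytes / expandedBytes;
    }

    // The limit is a static, JVM-wide setting. Lower it only around the write of a
    // workbook this application built itself, then restore the previous value.
    // "synchronized" serializes calls to this helper only; code on other threads that
    // opens files from external sources during the write also sees the lowered limit.
    static synchronized void writeTrusted(SXSSFWorkbook wb, OutputStream out, double minRatio)
            throws IOException {
        double previous = ZipSecureFile.getMinInflateRatio();
        ZipSecureFile.setMinInflateRatio(minRatio);
        try {
            wb.write(out);
        } finally {
            ZipSecureFile.setMinInflateRatio(previous);
        }
    }

    public static void main(String[] args) throws IOException {
        // Numbers from the error message: 8192 / 820224 is just under the 0.01 default.
        System.out.println(inflateRatio(8192, 820224));

        SXSSFWorkbook wb = new SXSSFWorkbook(100); // keep 100 rows in memory
        Sheet sheet = wb.createSheet("data");
        for (int r = 0; r < 70000; r++) {          // constructed, highly repetitive rows
            Row row = sheet.createRow(r);
            for (int c = 0; c < 10; c++) {
                row.createCell(c).setCellValue("same value");
            }
        }
        try (OutputStream out = new FileOutputStream("export.xlsx")) {
            writeTrusted(wb, out, 0.009);
        } finally {
            wb.dispose(); // delete the SXSSF temporary files
        }
    }
}
```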
