public class SecureContentHandler extends ContentHandlerDecorator
Currently this class simply compares the number of output characters to to the number of input bytes and keeps track of the XML nesting levels. An exception gets thrown if the output seems excessive compared to the input document. This is a strong indication of a zip bomb.
Constructor and Description |
---|
SecureContentHandler(ContentHandler handler,
TikaInputStream stream)
Decorates the given content handler with zip bomb prevention based
on the count of bytes read from the given counting input stream.
|
Modifier and Type | Method and Description |
---|---|
protected void |
advance(int length)
Records the given number of output characters (or more accurately
UTF-16 code units).
|
void |
characters(char[] ch,
int start,
int length) |
void |
endElement(String uri,
String localName,
String name) |
long |
getMaximumCompressionRatio()
Returns the maximum compression ratio.
|
int |
getMaximumDepth()
Returns the maximum XML element nesting level.
|
int |
getMaximumPackageEntryDepth()
Returns the maximum package entry nesting level.
|
long |
getOutputThreshold()
Returns the configured output threshold.
|
void |
ignorableWhitespace(char[] ch,
int start,
int length) |
void |
setMaximumCompressionRatio(long ratio)
Sets the ratio between output characters and input bytes.
|
void |
setMaximumDepth(int depth)
Sets the maximum XML element nesting level.
|
void |
setMaximumPackageEntryDepth(int depth)
Sets the maximum package entry nesting level.
|
void |
setOutputThreshold(long threshold)
Sets the threshold for output characters before the zip bomb prevention
is activated.
|
void |
startElement(String uri,
String localName,
String name,
Attributes atts) |
void |
throwIfCauseOf(SAXException e)
Converts the given
SAXException to a corresponding
TikaException if it's caused by this instance detecting
a zip bomb. |
endDocument, endPrefixMapping, handleException, processingInstruction, setContentHandler, setDocumentLocator, skippedEntity, startDocument, startPrefixMapping, toString
error, fatalError, notationDecl, resolveEntity, unparsedEntityDecl, warning
public SecureContentHandler(ContentHandler handler, TikaInputStream stream)
handler
- the content handler to be decoratedstream
- the input stream to be parsedpublic long getOutputThreshold()
public void setOutputThreshold(long threshold)
threshold
- new output thresholdpublic long getMaximumCompressionRatio()
public void setMaximumCompressionRatio(long ratio)
ratio
- new maximum compression ratiopublic int getMaximumDepth()
public void setMaximumDepth(int depth)
depth
- maximum XML element nesting levelpublic int getMaximumPackageEntryDepth()
public void setMaximumPackageEntryDepth(int depth)
depth
- maximum package entry nesting levelpublic void throwIfCauseOf(SAXException e) throws TikaException
SAXException
to a corresponding
TikaException
if it's caused by this instance detecting
a zip bomb.e
- SAX exceptionTikaException
- zip bomb exceptionprotected void advance(int length) throws SAXException
length
- number of new output characters producedSAXException
- if a zip bomb is detectedpublic void startElement(String uri, String localName, String name, Attributes atts) throws SAXException
startElement
in interface ContentHandler
startElement
in class ContentHandlerDecorator
SAXException
public void endElement(String uri, String localName, String name) throws SAXException
endElement
in interface ContentHandler
endElement
in class ContentHandlerDecorator
SAXException
public void characters(char[] ch, int start, int length) throws SAXException
characters
in interface ContentHandler
characters
in class ContentHandlerDecorator
SAXException
public void ignorableWhitespace(char[] ch, int start, int length) throws SAXException
ignorableWhitespace
in interface ContentHandler
ignorableWhitespace
in class ContentHandlerDecorator
SAXException
Copyright © 2007–2021 The Apache Software Foundation. All rights reserved.