Use of com.venafi.vcert.sdk.connectors.ConnectorException.KeyStoreZipCompressionRatioExceeded in the project vcert-java by Venafi.
Shown below: class CloudConnectorUtils, method readZipEntry.
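/**
 * Reads one entry of a keystore ZIP into a string, aborting if the entry inflates
 * far beyond what its compressed size justifies (decompression-bomb guard).
 *
 * <p>The ratio check uses the compressed size declared in the entry metadata. When that
 * size is unknown ({@code -1}) or zero, no ratio can be computed, so an absolute ceiling
 * on the inflated size is enforced instead of skipping the check.
 *
 * @param zipEntry the entry currently positioned in {@code zis}
 * @param zis the stream the entry's data is read from; it is not closed here
 * @param certId certificate id, used only to describe a failure
 * @return the entry content decoded as UTF-8
 * @throws KeyStoreZipCompressionRatioExceeded if inflated size / compressed size exceeds the limit
 * @throws IOException on read errors, or if the compressed size is unavailable and the
 *     inflated data exceeds the fallback ceiling
 */
private static String readZipEntry(ZipEntry zipEntry, ZipInputStream zis, String certId) throws VCertException, IOException {
    // Inflated data is expected to be no more than about 3x the compressed size.
    final int MAX_RATIO = 3;
    // Fallback ceiling for entries whose compressed size cannot be used for the ratio.
    // Constructed value (10 MiB); tune it to the largest keystore entry actually expected.
    final long MAX_UNVERIFIED_BYTES = 10L * 1024 * 1024;

    // getCompressedSize() returns -1 when the size is not known, for instance when the
    // sizes are recorded after the entry data. Dividing by -1 would make the ratio
    // negative and silently disable the guard; dividing by 0 would throw ArithmeticException.
    final long compressedSize = zipEntry.getCompressedSize();

    // Collect raw bytes and decode once at the end: decoding each 1 KiB chunk separately
    // corrupts any multi-byte character that straddles a chunk boundary.
    java.io.ByteArrayOutputStream content = new java.io.ByteArrayOutputStream();
    byte[] buffer = new byte[1024];
    long totalSizeEntry = 0;
    int nBytes;
    while ((nBytes = zis.read(buffer, 0, buffer.length)) != -1) {
        totalSizeEntry += nBytes;

        // Validate before keeping the chunk, so an oversized entry is rejected as early
        // as possible rather than after it has been buffered.
        if (compressedSize > 0) {
            // Integer division truncates, so the effective limit is just under (MAX_RATIO + 1)x.
            long compressionRatio = totalSizeEntry / compressedSize;
            if (compressionRatio > MAX_RATIO) {
                throw new KeyStoreZipCompressionRatioExceeded(certId, zipEntry.getName(), MAX_RATIO);
            }
        } else if (totalSizeEntry > MAX_UNVERIFIED_BYTES) {
            throw new IOException("ZIP entry '" + zipEntry.getName() + "' for certificate " + certId
                    + " has no usable compressed size and inflated past " + MAX_UNVERIFIED_BYTES
                    + " bytes; refusing to read further");
        }

        content.write(buffer, 0, nBytes);
    }
    // Explicit charset: the result must not depend on the platform default encoding.
    return new String(content.toByteArray(), java.nio.charset.StandardCharsets.UTF_8);
}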