HTTP JVM: java.io.IOException: Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data

anon-1960 · November 7, 2024, 11:04am

Hello,

Our environment is Domino 12.0.2F2 HF96 on windows (french) and Verse 3.2.2

we have this information at the server console.

do you have any information regarding this topic?

is it possible to increase the MIN_INFLATE_RATIO value or to know the limite value ?

-------------------------

05/11/2024 16:30:35 HTTP JVM: java.io.IOException: Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data.
05/11/2024 16:30:35 HTTP JVM: This may indicate that the file is used to inflate memory usage and thus could pose a security risk.
05/11/2024 16:30:35 HTTP JVM: You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to work with files which exceed this limit.
05/11/2024 16:30:35 HTTP JVM: Uncompressed size: 106496, Raw/compressed size: 391, ratio: 0.003671
05/11/2024 16:30:35 HTTP JVM: Limits: MIN_INFLATE_RATIO: 0.010000, Entry: word/media/image1.emf
05/11/2024 16:30:35 HTTP JVM: at org.apache.poi.openxml4j.util.ZipArchiveThresholdInputStream.checkThreshold(ZipArchiveThresholdInputStream.java:132)
05/11/2024 16:30:35 HTTP JVM: at org.apache.poi.openxml4j.util.ZipArchiveThresholdInputStream.read(ZipArchiveThresholdInputStream.java:82)
05/11/2024 16:30:35 HTTP JVM: at org.apache.poi.util.IOUtils.toByteArray(IOUtils.java:152)
05/11/2024 16:30:35 HTTP JVM: at org.apache.poi.util.IOUtils.toByteArray(IOUtils.java:121)
05/11/2024 16:30:35 HTTP JVM: at org.apache.poi.openxml4j.util.ZipArchiveFakeEntry.<init>(ZipArchiveFakeEntry.java:47)
05/11/2024 16:30:35 HTTP JVM: at org.apache.poi.openxml4j.util.ZipInputStreamZipEntrySource.<init>(ZipInputStreamZipEntrySource.java:53)
05/11/2024 16:30:35 HTTP JVM: at org.apache.poi.openxml4j.opc.ZipPackage.<init>(ZipPackage.java:106)
05/11/2024 16:30:35 HTTP JVM: at org.apache.poi.openxml4j.opc.OPCPackage.open(OPCPackage.java:307)
05/11/2024 16:30:35 HTTP JVM: at org.apache.poi.ooxml.util.PackageHelper.open(PackageHelper.java:37)
05/11/2024 16:30:35 HTTP JVM: at org.apache.poi.xwpf.usermodel.XWPFDocument.<init>(XWPFDocument.java:142)
05/11/2024 16:30:35 HTTP JVM: at com.hcl.notes.poi.doc.converter.TransmuteDocsToHtmTask.convertDocxToHTML(TransmuteDocumentToHtm.java:252)
05/11/2024 16:30:35 HTTP JVM: at com.hcl.notes.poi.doc.converter.TransmuteDocsToHtmTask.call(TransmuteDocumentToHtm.java:181)
05/11/2024 16:30:35 HTTP JVM: at com.hcl.notes.poi.doc.converter.TransmuteDocsToHtmTask.call(TransmuteDocumentToHtm.java:118)
05/11/2024 16:30:35 HTTP JVM: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
05/11/2024 16:30:35 HTTP JVM: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
05/11/2024 16:30:35 HTTP JVM: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
05/11/2024 16:30:35 HTTP JVM: at java.lang.Thread.run(Thread.java:826)

shigemitsu.tanaka · November 8, 2024, 12:24am

Hello.

This exception is output by the Apache POI library and is not a problem on the Domino side.

"ZIP bomb" is an attack method that uses highly compressed files to crash the system.

If there is no problem with the file being processed but an exception is being output, use ZipSecureFile.setMinInflateRatio() to increase the acceptable compression ratio.

For example:

ZipSecureFile.setMinInflateRatio(0.001);

Regards,

Shigemitsu Tanaka.