Class SecureContainerHandler

java.lang.Object
eu.europa.esig.dss.asic.common.SecureContainerHandler
All Implemented Interfaces:
ZipContainerHandler

public class SecureContainerHandler extends Object implements ZipContainerHandler
The default implementation of ZipContainerHandler, providing utilities to prevent denial-of-service attacks such as zip-bombing
  • Field Details

  • Constructor Details

    • SecureContainerHandler

      public SecureContainerHandler()
      Default constructor instantiating handler with default configuration
  • Method Details

    • setThreshold

      public void setThreshold(long threshold)
      Sets the maximum allowed threshold, after exceeding which the security checks are enforced. Default : 1000000 (1 MB)
      Parameters:
      threshold - in bytes
    • setMaxCompressionRatio

      public void setMaxCompressionRatio(long maxCompressionRatio)
      Sets the maximum allowed compression ratio. If the container compression ratio exceeds the value, an exception is thrown. Default : 100
      Parameters:
      maxCompressionRatio - the maximum compression ratio
    • setMaxAllowedFilesAmount

      public void setMaxAllowedFilesAmount(int maxAllowedFilesAmount)
      Sets the maximum allowed number of files inside a container. Default : 1000
      Parameters:
      maxAllowedFilesAmount - the maximum number of allowed files
    • setMaxMalformedFiles

      public void setMaxMalformedFiles(int maxMalformedFiles)
      Sets the maximum allowed number of malformed files. Default : 100
      Parameters:
      maxMalformedFiles - the maximum number of malformed files
    • setExtractComments

      public void setExtractComments(boolean extractComments)
      Sets whether comments of ZIP entries shall be extracted. Enabling the feature can be useful when editing an existing archive, in order to preserve the existing data (i.e. comments). When enabled, it slightly decreases performance (about 10% for the extractContainerContent(zipArchive) method). Reason : All ZIP entries from a ZIP archive are extracted using java.util.zip.ZipInputStream, which is not able to extract comments for entries. In order to extract comments, the archive shall be read again using java.util.zip.ZipFile. For more information about the limitations, please see https://stackoverflow.com/a/70848140. Default : false (not extracted)
      Parameters:
      extractComments - whether comments shall be extracted
    • setResourcesHandlerBuilder

      public void setResourcesHandlerBuilder(DSSResourcesHandlerBuilder resourcesHandlerBuilder)
      Sets the DSSResourcesHandlerBuilder to be used for DSSResourcesHandler creation in internal methods. DSSResourcesHandler defines a way to operate with OutputStreams and create DSSDocuments. Default : eu.europa.esig.dss.signature.resources.InMemoryResourcesHandler. Works with data in memory.
      Parameters:
      resourcesHandlerBuilder - DSSResourcesHandlerBuilder
    • extractContainerContent

      public List<DSSDocument> extractContainerContent(DSSDocument zipArchive)
      Description copied from interface: ZipContainerHandler
      Extracts a list of DSSDocument from the given ZIP-archive
      Specified by:
      extractContainerContent in interface ZipContainerHandler
      Parameters:
      zipArchive - DSSDocument
      Returns:
      a list of DSSDocuments
    • extractEntryNames

      public List<String> extractEntryNames(DSSDocument zipArchive)
      Description copied from interface: ZipContainerHandler
      Returns a list of ZIP archive entry names
      Specified by:
      extractEntryNames in interface ZipContainerHandler
      Parameters:
      zipArchive - DSSDocument
      Returns:
      a list of String entry names
    • createZipArchive

      public DSSDocument createZipArchive(List<DSSDocument> containerEntries, Date creationTime, String zipComment)
      Description copied from interface: ZipContainerHandler
      Creates a ZIP-Archive with the given containerEntries
      Specified by:
      createZipArchive in interface ZipContainerHandler
      Parameters:
      containerEntries - a list of DSSDocuments to embed into the new container instance
      creationTime - (Optional) Date defining the time of archive creation; it will be set for all embedded files. If null, the local current time will be used
      zipComment - (Optional) String defining a zipComment
      Returns:
      DSSDocument ZIP-Archive
    • instantiateResourcesHandler

      protected DSSResourcesHandler instantiateResourcesHandler() throws IOException
      This method instantiates a new DSSResourcesHandler
      Returns:
      DSSResourcesHandler
      Throws:
      IOException - if an error occurs on DSSResourcesHandler instantiation
    • buildZip

      protected void buildZip(List<DSSDocument> containerEntries, Date creationTime, String zipComment, ZipOutputStream zos) throws IOException
      This method stores all containerEntries in a given order to a ZipOutputStream with the given parameters
      Parameters:
      containerEntries - a list of DSSDocuments to store
      creationTime - Date ZIP archive creation time
      zipComment - String zip comment (optional)
      zos - ZipOutputStream to consume the ZIP entries
      Throws:
      IOException - in case an error occurs on ZipOutputStream update
    • getZipEntry

      protected ZipEntry getZipEntry(DSSDocument entry, Date creationTime)
      Creates a new ZipEntry for the given DSSDocument at creationTime
      Parameters:
      entry - DSSDocument to be placed within a ZIP container
      creationTime - Date the creation time of ZIP container
      Returns:
      ZipEntry
    • secureCopy

      protected void secureCopy(InputStream is, OutputStream os, long allowedSize) throws IOException
      Reads and copies InputStream in a secure way to OutputStream. Detects "ZipBombing" (large files inside a zip container) depending on the provided container size
      Parameters:
      is - InputStream of file
      os - OutputStream to save the file to.
      allowedSize - defines an allowed size of the ZIP container entries, if -1 skips the validation
      Throws:
      IOException - if an exception occurs
    • secureSkip

      protected void secureSkip(InputStream is, long allowedSize) throws IOException
      This method allows securely skipping an InputStream without caching the content
      Parameters:
      is - InputStream to skip
      allowedSize - the maximum allowed size of the extracted content
      Throws:
      IOException - if an exception occurs
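
The check described for secureCopy, combined with the setThreshold and setMaxCompressionRatio defaults, sketched as an added example using only java.util.zip; it is not the DSS implementation. The names BoundedZipCopyExample and boundedCopy, the way allowedSize is derived from the container size, and the sample archive are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class BoundedZipCopyExample {
    static final long THRESHOLD = 1_000_000L; // documented setThreshold default, in bytes
    static final long MAX_RATIO = 100L;       // documented setMaxCompressionRatio default

    // Copies one entry while counting extracted bytes. The entry is rejected as soon as
    // the count passes both the threshold and allowedSize; allowedSize == -1 skips the check.
    static long boundedCopy(InputStream is, OutputStream os, long allowedSize) throws IOException {
        byte[] buf = new byte[8192];
        long total = 0;
        int n;
        while ((n = is.read(buf)) != -1) {
            total += n;
            if (allowedSize != -1 && total > THRESHOLD && total > allowedSize) {
                throw new IOException("Zip bomb suspected: extracted " + total
                        + " bytes, allowed " + allowedSize);
            }
            os.write(buf, 0, n);
        }
        return total;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: 50 MB of zero bytes in a single, highly compressible entry.
        ByteArrayOutputStream zipped = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(zipped)) {
            zos.putNextEntry(new ZipEntry("zeros.bin"));
            byte[] zeros = new byte[1024 * 1024];
            for (int i = 0; i < 50; i++) zos.write(zeros);
            zos.closeEntry();
        }
        byte[] container = zipped.toByteArray();
        // Assumption: the allowed extracted size is the container size times the maximum ratio.
        long allowedSize = container.length * MAX_RATIO;
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(container))) {
            zis.getNextEntry();
            long copied = boundedCopy(zis, new ByteArrayOutputStream(), allowedSize);
            System.out.println("extracted " + copied + " bytes");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Counting bytes as they are read, rather than trusting the size declared in the ZIP entry header, is what makes the limit hold against archives whose metadata understates the real content size.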