allow option to limit acceptable size for style table input

legal/LICENSE

@@ -261,6 +261,10 @@ which was released under the Apache 2.0 license.
 Copyright (c) 2002-2023 EPFL
 Copyright (c) 2011-2023 Lightbend, Inc.
 
+LimitInputStream is based on code from the Guava project which was released under
+the Apache 2.0 license.
+Copyright (C) 2007 The Guava Authors
+
 The POI Source Release bundles the Gradle Wrapper. (https://docs.gradle.org/current/userguide/gradle_wrapper.html)
 This is released under the Apache License, v2.0.
 Copyright © 2015-2021 the original authors.

poi-ooxml/src/main/java/org/apache/poi/xssf/eventusermodel/ReadOnlySharedStringsTable.java

@@ -16,21 +16,25 @@ Licensed to the Apache Software Foundation (ASF) under one or more
 ==================================================================== */
 package org.apache.poi.xssf.eventusermodel;
 
+import static org.apache.poi.xssf.model.SharedStringsTable.getInputStreamReadLimit;
 import static org.apache.poi.xssf.usermodel.XSSFRelation.NS_SPREADSHEETML;
 
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.PushbackInputStream;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Locale;
 
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.apache.poi.openxml4j.opc.OPCPackage;
 import org.apache.poi.openxml4j.opc.PackagePart;
 import org.apache.poi.ss.usermodel.RichTextString;
+import org.apache.poi.util.LimitInputStream;
 import org.apache.poi.util.XMLHelper;
 import org.apache.poi.xssf.model.SharedStrings;
+import org.apache.poi.xssf.model.SharedStringsTable;
 import org.apache.poi.xssf.usermodel.XSSFRelation;
 import org.apache.poi.xssf.usermodel.XSSFRichTextString;
 import org.xml.sax.Attributes;
@@ -155,6 +159,13 @@ public ReadOnlySharedStringsTable(PackagePart part) throws IOException, SAXExcep
     public ReadOnlySharedStringsTable(PackagePart part, boolean includePhoneticRuns)
         throws IOException, SAXException {
         this.includePhoneticRuns = includePhoneticRuns;
+        if (getInputStreamReadLimit() >= 0 && part.getSize() > getInputStreamReadLimit()) {
+            throw new IOException(String.format(
+                    Locale.ROOT,
+                    "SharedStrings part size (%s) exceeds the read limit (%s)",
+                    part.getSize(),
+                    getInputStreamReadLimit()));
+        }
         try (InputStream stream = part.getInputStream()) {
             readFrom(stream);
         }
@@ -184,9 +195,12 @@ public ReadOnlySharedStringsTable(InputStream stream, boolean includePhoneticRun
      * @throws IOException if an error occurs while reading.
      * @throws SAXException if parsing the XML data fails.
      */
-    public void readFrom(InputStream is) throws IOException, SAXException {
+    public void readFrom(final InputStream is) throws IOException, SAXException {
+        final InputStream stream = getInputStreamReadLimit() >= 0
+                ? new LimitInputStream(is, getInputStreamReadLimit())
+                : is;
         // test if the file is empty, otherwise parse it
-        PushbackInputStream pis = new PushbackInputStream(is, 1);
+        final PushbackInputStream pis = new PushbackInputStream(stream, 1);
         int emptyTest = pis.read();
         if (emptyTest > -1) {
             pis.unread(emptyTest);

poi-ooxml/src/main/java/org/apache/poi/xssf/model/CalculationChain.java

@@ -17,13 +17,16 @@ Licensed to the Apache Software Foundation (ASF) under one or more
 package org.apache.poi.xssf.model;
 
 import static org.apache.poi.ooxml.POIXMLTypeLoader.DEFAULT_XML_OPTIONS;
+import static org.apache.poi.xssf.model.SharedStringsTable.getInputStreamReadLimit;
 
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.util.Locale;
 
 import org.apache.poi.ooxml.POIXMLDocumentPart;
 import org.apache.poi.openxml4j.opc.PackagePart;
+import org.apache.poi.util.LimitInputStream;
 import org.apache.xmlbeans.XmlException;
 import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTCalcCell;
 import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTCalcChain;
@@ -34,6 +37,29 @@ Licensed to the Apache Software Foundation (ASF) under one or more
  * dependencies. The calculation chain object specifies the order in which the cells in a workbook were last calculated.
  */
 public class CalculationChain extends POIXMLDocumentPart {
+
+    private static long INPUT_STREAM_READ_LIMIT = -1; // negative means no limit
+
+    /**
+     * Sets the read limit for input streams used to read calculation chain data.
+     * Negative values mean no limit. The default is -1 (no limit).
+     * @param limit
+     * @since POI 5.4.2
+     */
+    public static void setInputStreamReadLimit(long limit) {
+        INPUT_STREAM_READ_LIMIT = limit;
+    }
+
+    /**
+     * Gets the read limit for input streams used to read styles.
+     * Negative values mean no limit. The default is -1 (no limit).
+     * @return the read limit
+     * @since POI 5.4.2
+     */
+    public static long getInputStreamReadLimit() {
+        return INPUT_STREAM_READ_LIMIT;
+    }
+
     private CTCalcChain chain;
 
     public CalculationChain() {
@@ -46,14 +72,24 @@ public CalculationChain() {
      */
     public CalculationChain(PackagePart part) throws IOException {
         super(part);
+        if (INPUT_STREAM_READ_LIMIT >= 0 && part.getSize() > INPUT_STREAM_READ_LIMIT) {
+            throw new IOException(String.format(
+                    Locale.ROOT,
+                    "Calculation Chain part size (%s) exceeds the read limit (%s)",
+                    part.getSize(),
+                    INPUT_STREAM_READ_LIMIT));
+        }
         try (InputStream stream = part.getInputStream()) {
             readFrom(stream);
         }
     }
 
-    public void readFrom(InputStream is) throws IOException {
+    public void readFrom(final InputStream is) throws IOException {
+        final InputStream stream = INPUT_STREAM_READ_LIMIT >= 0
+                ? new LimitInputStream(is, INPUT_STREAM_READ_LIMIT)
+                : is;
         try {
-            CalcChainDocument doc = CalcChainDocument.Factory.parse(is, DEFAULT_XML_OPTIONS);
+            CalcChainDocument doc = CalcChainDocument.Factory.parse(stream, DEFAULT_XML_OPTIONS);
             chain = doc.getCalcChain();
         } catch (XmlException e) {
             throw new IOException(e.getLocalizedMessage());

poi-ooxml/src/main/java/org/apache/poi/xssf/model/CommentsTable.java

@@ -23,6 +23,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
 import java.io.OutputStream;
 import java.util.HashMap;
 import java.util.Iterator;
+import java.util.Locale;
 import java.util.Map;
 
 import com.microsoft.schemas.vml.CTShape;
@@ -32,6 +33,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
 import org.apache.poi.ss.usermodel.Sheet;
 import org.apache.poi.ss.util.CellAddress;
 import org.apache.poi.util.Internal;
+import org.apache.poi.util.LimitInputStream;
 import org.apache.poi.util.Removal;
 import org.apache.poi.util.Units;
 import org.apache.poi.xssf.usermodel.OoxmlSheetExtensions;
@@ -50,6 +52,28 @@ public class CommentsTable extends POIXMLDocumentPart implements Comments {
     public static final String DEFAULT_AUTHOR = "";
     public static final int DEFAULT_AUTHOR_ID = 0;
 
+    private static long INPUT_STREAM_READ_LIMIT = -1; // negative means no limit
+
+    /**
+     * Sets the read limit for input streams used to read comments table.
+     * Negative values mean no limit. The default is -1 (no limit).
+     * @param limit
+     * @since POI 5.4.2
+     */
+    public static void setInputStreamReadLimit(long limit) {
+        INPUT_STREAM_READ_LIMIT = limit;
+    }
+
+    /**
+     * Gets the read limit for input streams used to read styles.
+     * Negative values mean no limit. The default is -1 (no limit).
+     * @return the read limit
+     * @since POI 5.4.2
+     */
+    public static long getInputStreamReadLimit() {
+        return INPUT_STREAM_READ_LIMIT;
+    }
+
     private Sheet sheet;
     private XSSFVMLDrawing vmlDrawing;
 
@@ -76,14 +100,24 @@ public CommentsTable() {
      */
     public CommentsTable(PackagePart part) throws IOException {
         super(part);
+        if (INPUT_STREAM_READ_LIMIT >= 0 && part.getSize() > INPUT_STREAM_READ_LIMIT) {
+            throw new IOException(String.format(
+                    Locale.ROOT,
+                    "Comments Table part size (%s) exceeds the read limit (%s)",
+                    part.getSize(),
+                    INPUT_STREAM_READ_LIMIT));
+        }
         try (InputStream stream = part.getInputStream()) {
             readFrom(stream);
         }
     }
 
-    public void readFrom(InputStream is) throws IOException {
+    public void readFrom(final InputStream is) throws IOException {
+        final InputStream stream = INPUT_STREAM_READ_LIMIT >= 0
+                ? new LimitInputStream(is, INPUT_STREAM_READ_LIMIT)
+                : is;
         try {
-            CommentsDocument doc = CommentsDocument.Factory.parse(is, DEFAULT_XML_OPTIONS);
+            CommentsDocument doc = CommentsDocument.Factory.parse(stream, DEFAULT_XML_OPTIONS);
             comments = doc.getComments();
         } catch (XmlException e) {
             throw new IOException(e.getLocalizedMessage());

poi-ooxml/src/main/java/org/apache/poi/xssf/model/ExternalLinksTable.java

@@ -23,6 +23,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
 import java.io.OutputStream;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Locale;
 
 import org.apache.poi.ooxml.POIXMLDocumentPart;
 import org.apache.poi.openxml4j.opc.PackagePart;
@@ -31,6 +32,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
 import org.apache.poi.openxml4j.opc.TargetMode;
 import org.apache.poi.ss.usermodel.Name;
 import org.apache.poi.util.Internal;
+import org.apache.poi.util.LimitInputStream;
 import org.apache.poi.util.Removal;
 import org.apache.xmlbeans.XmlException;
 import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTExternalBook;
@@ -49,6 +51,29 @@ Licensed to the Apache Software Foundation (ASF) under one or more
  *  along with the most recently seen values for what they point to.
  */
 public class ExternalLinksTable extends POIXMLDocumentPart {
+
+    private static long INPUT_STREAM_READ_LIMIT = -1; // negative means no limit
+
+    /**
+     * Sets the read limit for input streams used to read external links table.
+     * Negative values mean no limit. The default is -1 (no limit).
+     * @param limit
+     * @since POI 5.4.2
+     */
+    public static void setInputStreamReadLimit(long limit) {
+        INPUT_STREAM_READ_LIMIT = limit;
+    }
+
+    /**
+     * Gets the read limit for input streams used to read styles.
+     * Negative values mean no limit. The default is -1 (no limit).
+     * @return the read limit
+     * @since POI 5.4.2
+     */
+    public static long getInputStreamReadLimit() {
+        return INPUT_STREAM_READ_LIMIT;
+    }
+
     private CTExternalLink link;
 
     public ExternalLinksTable() {
@@ -62,14 +87,24 @@ public ExternalLinksTable() {
      */
     public ExternalLinksTable(PackagePart part) throws IOException {
         super(part);
+        if (INPUT_STREAM_READ_LIMIT >= 0 && part.getSize() > INPUT_STREAM_READ_LIMIT) {
+            throw new IOException(String.format(
+                    Locale.ROOT,
+                    "External Links Table part size (%s) exceeds the read limit (%s)",
+                    part.getSize(),
+                    INPUT_STREAM_READ_LIMIT));
+        }
         try (InputStream stream = part.getInputStream()) {
             readFrom(stream);
         }
     }
 
-    public void readFrom(InputStream is) throws IOException {
+    public void readFrom(final InputStream is) throws IOException {
+        final InputStream stream = INPUT_STREAM_READ_LIMIT >= 0
+                ? new LimitInputStream(is, INPUT_STREAM_READ_LIMIT)
+                : is;
         try {
-            ExternalLinkDocument doc = ExternalLinkDocument.Factory.parse(is, DEFAULT_XML_OPTIONS);
+            ExternalLinkDocument doc = ExternalLinkDocument.Factory.parse(stream, DEFAULT_XML_OPTIONS);
             link = doc.getExternalLink();
         } catch (XmlException e) {
             throw new IOException(e.getLocalizedMessage());

poi-ooxml/src/main/java/org/apache/poi/xssf/model/SharedStringsTable.java

@@ -28,12 +28,14 @@ Licensed to the Apache Software Foundation (ASF) under one or more
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 
 import org.apache.poi.ooxml.POIXMLDocumentPart;
 import org.apache.poi.openxml4j.opc.PackagePart;
 import org.apache.poi.ss.usermodel.RichTextString;
 import org.apache.poi.util.Internal;
+import org.apache.poi.util.LimitInputStream;
 import org.apache.poi.xssf.usermodel.XSSFRichTextString;
 import org.apache.xmlbeans.XmlException;
 import org.apache.xmlbeans.XmlOptions;
@@ -64,6 +66,28 @@ Licensed to the Apache Software Foundation (ASF) under one or more
  */
 public class SharedStringsTable extends POIXMLDocumentPart implements SharedStrings, Closeable {
 
+    private static long INPUT_STREAM_READ_LIMIT = -1; // negative means no limit
+
+    /**
+     * Sets the read limit for input streams used to read shared strings.
+     * Negative values mean no limit. The default is -1 (no limit).
+     * @param limit
+     * @since POI 5.4.2
+     */
+    public static void setInputStreamReadLimit(long limit) {
+        INPUT_STREAM_READ_LIMIT = limit;
+    }
+
+    /**
+     * Gets the read limit for input streams used to read styles.
+     * Negative values mean no limit. The default is -1 (no limit).
+     * @return the read limit
+     * @since POI 5.4.2
+     */
+    public static long getInputStreamReadLimit() {
+        return INPUT_STREAM_READ_LIMIT;
+    }
+
     /**
      *  Array of individual string items in the Shared String table.
      */
@@ -108,6 +132,13 @@ public SharedStringsTable() {
      */
     public SharedStringsTable(PackagePart part) throws IOException {
         super(part);
+        if (INPUT_STREAM_READ_LIMIT >= 0 && part.getSize() > INPUT_STREAM_READ_LIMIT) {
+            throw new IOException(String.format(
+                    Locale.ROOT,
+                    "SharedStrings part size (%s) exceeds the read limit (%s)",
+                    part.getSize(),
+                    INPUT_STREAM_READ_LIMIT));
+        }
         try (InputStream stream = part.getInputStream()) {
             readFrom(stream);
         }
@@ -119,10 +150,12 @@ public SharedStringsTable(PackagePart part) throws IOException {
      * @param is The input stream containing the XML document.
      * @throws IOException if an error occurs while reading.
      */
-    public void readFrom(InputStream is) throws IOException {
+    public void readFrom(final InputStream is) throws IOException {
+        final InputStream stream = INPUT_STREAM_READ_LIMIT >= 0 ?
+                new LimitInputStream(is, INPUT_STREAM_READ_LIMIT) : is;
         try {
             int cnt = 0;
-            _sstDoc = SstDocument.Factory.parse(is, DEFAULT_XML_OPTIONS);
+            _sstDoc = SstDocument.Factory.parse(stream, DEFAULT_XML_OPTIONS);
             CTSst sst = _sstDoc.getSst();
             count = (int)sst.getCount();
             uniqueCount = (int)sst.getUniqueCount();