# java.lang.IllegalArgumentException in `org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri::PackagingURIHelper.java:415` poi 5.1.0

This vulnerability is of java.lang.IllegalArgumentException, and can be triggered in the latest version of poi (5.1.0). It is caused by passing an illegal or inappropriate argument into a method and can be used by attackers to launch a DoS (Denial of Service) attack against any java program that uses this library (since the user of metadata-extractor doesn't know they need to catch this kind of exception) (CWE-248: Uncaught exception). Likely, the root cause of this crash is in `org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri::PackagingURIHelper.java:415`. See more detail in the following crash stack.

# Crash stack:

The crash thread's stack is as follows:

```
org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri::PackagingURIHelper.java:415
org.apache.poi.openxml4j.opc.PackageRelationship.getTargetURI::PackageRelationship.java:194
org.apache.poi.ooxml.POIXMLDocumentPart.read::POIXMLDocumentPart.java:643
org.apache.poi.ooxml.POIXMLDocumentPart.read::POIXMLDocumentPart.java:678
org.apache.poi.ooxml.POIXMLDocument.load::POIXMLDocument.java:165
org.apache.poi.xssf.usermodel.XSSFWorkbook.<init>::XSSFWorkbook.java:275
org.apache.poi.xssf.usermodel.XSSFWorkbook.<init>::XSSFWorkbook.java:296
com.test.Entry.main::Entry.java:32
```

# Steps to reproduce:

1. Build the following java code with the corresponding poi library (version 5.1.0).

```bash
## Download poi_env_reproduce.zip from https://drive.google.com/file/d/1N4gUC0MF-SAN-Xz0van0_7TbNj4aUuFd/view?usp=sharing
unzip poi_env_reproduce.zip
cd poi_env_reproduce
bash build.sh
```

2. Run the built program to see the crash by feeding it one of the poc files contained in pocs.tar.gz, e.g.:

```bash
java -jar target/Entry-1.0-SNAPSHOT-jar-with-dependencies.jar pocs/crash-46c0fab66256d7a06a4ad7e7501e4352a2e3a792
```

Any further discussion of this vulnerability, including a fix, is welcome! Feel free to contact me at wenjiezander@gmail.com (https://github.com/ZanderHuang)
The poc file and report can be downloaded from https://drive.google.com/drive/folders/1RsDEtpjmv3adeLg0E0H4g4FicUKxdpgG?usp=sharing
Created attachment 38132: The poc file causes java.lang.IllegalArgumentException in org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri--PackagingURIHelper.java-415 poi-5.1.0
Marking all these as need info - can you explain in plain English what you are testing? Are you testing that POI can't handle garbage input? And what do you expect POI to do when it gets garbage input?
I have tested in 5.2.0-SNAPSHOT taken from https://ci-builds.apache.org/job/POI/job/POI-DSL-1.8/lastSuccessfulBuild/artifact/build/dist/. This bug is still reproducible.
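
A caller-side guard for the uncaught-exception condition (CWE-248) discussed in this thread, as an added example that is not part of the original report or of POI's own code: it treats any unchecked exception from the `XSSFWorkbook` constructor as a rejected document instead of letting it terminate the program. `SafeWorkbookLoader` and `UntrustedDocumentException` are hypothetical names, and the input bytes are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.apache.poi.xssf.usermodel.XSSFWorkbook;

public class SafeWorkbookLoader {

    /** Hypothetical checked wrapper for any parse failure on untrusted input. */
    public static class UntrustedDocumentException extends Exception {
        public UntrustedDocumentException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /**
     * Opens an .xlsx stream from an untrusted source. The constructor only
     * declares IOException, but the crash stack in the report shows an
     * unchecked IllegalArgumentException escaping from resolvePartUri, so
     * RuntimeException is caught as well and converted to a checked failure.
     */
    public static XSSFWorkbook open(InputStream in) throws UntrustedDocumentException {
        try {
            return new XSSFWorkbook(in);
        } catch (IOException e) {
            throw new UntrustedDocumentException("I/O error while reading workbook", e);
        } catch (RuntimeException e) {
            // Keep the original exception as the cause so it can be logged and triaged.
            throw new UntrustedDocumentException(
                    "Malformed workbook rejected: " + e.getClass().getName(), e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: bytes that are not a valid OOXML package.
        byte[] constructed = "not an xlsx package".getBytes(StandardCharsets.UTF_8);
        try (XSSFWorkbook wb = open(new ByteArrayInputStream(constructed))) {
            System.out.println("sheets: " + wb.getNumberOfSheets());
        } catch (UntrustedDocumentException e) {
            // The caller decides what happens next: skip the file, return an error, alert.
            System.err.println("rejected: " + e.getMessage());
        } catch (IOException e) {
            System.err.println("close failed: " + e.getMessage());
        }
    }
}
```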