Bug 65740 - java.lang.IllegalArgumentException, org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri--PackagingURIHelper.java-415 poi 5.1.0
Summary: java.lang.IllegalArgumentException, org.apache.poi.openxml4j.opc.PackagingURI...
Status: NEEDINFO
Alias: None
Product: POI
Classification: Unclassified
Component: OPC (show other bugs)
Version: 5.0.x-dev
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-13 09:01 UTC by wenjiezander
Modified: 2021-12-16 14:59 UTC (History)
0 users


Attachments
The poc file causes java.lang.IllegalArgumentException in org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri--PackagingURIHelper.java-415 poi-5.1.0 (9.24 KB, application/zip)
2021-12-13 10:27 UTC, wenjiezander 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description wenjiezander 2021-12-13 09:01:06 UTC 
# java.lang.IllegalArgumentException in `org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri::PackagingURIHelper.java:415` poi 5.1.0

This vulnerability is of java.lang.IllegalArgumentException, and can be triggered in latest version poi (5.1.0).
It is caused by passing an illegal or inappropriate argument into a method and can can be used for attackers to launch DoS (Denial of Service) attack for any java program that uses this library (since the user of metadata-extractor doesn't know they need to catch this kind of exception) ( CWE-248: Uncaught exception).
Likely, the root cause of this crash is in `org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri::PackagingURIHelper.java:415`.
See more detail from the following crash stack.

# Crash stack:
The crash thread's stack is as follows:

```
org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri::PackagingURIHelper.java:415
org.apache.poi.openxml4j.opc.PackageRelationship.getTargetURI::PackageRelationship.java:194
org.apache.poi.ooxml.POIXMLDocumentPart.read::POIXMLDocumentPart.java:643
org.apache.poi.ooxml.POIXMLDocumentPart.read::POIXMLDocumentPart.java:678
org.apache.poi.ooxml.POIXMLDocument.load::POIXMLDocument.java:165
org.apache.poi.xssf.usermodel.XSSFWorkbook.<init>::XSSFWorkbook.java:275
org.apache.poi.xssf.usermodel.XSSFWorkbook.<init>::XSSFWorkbook.java:296
com.test.Entry.main::Entry.java:32
```


# Steps to reproduce:

1. Build the following java code with the corresponding poi library (version 5.1.0).

```
## Download poi_env_reproduce.zip from https://drive.google.com/file/d/1N4gUC0MF-SAN-Xz0van0_7TbNj4aUuFd/view?usp=sharing
unzip poi_env_reproduce.zip
cd poi_env_reproduce
bash build.sh
```

2. Run the built program to see the crash by feeding one of the poc file contained in the pocs.tar.gz, e.g. :

```bash
java -jar target/Entry-1.0-SNAPSHOT-jar-with-dependencies.jar pocs/crash-46c0fab66256d7a06a4ad7e7501e4352a2e3a792
```

Any further discussion for this vulnerability including fix is welcomed!
Feel free to contact me at wenjiezander@gmail.com (https://github.com/ZanderHuang)
Comment 1 wenjiezander 2021-12-13 09:44:23 UTC 
The poc file and report can be downloaded from https://drive.google.com/drive/folders/1RsDEtpjmv3adeLg0E0H4g4FicUKxdpgG?usp=sharing
Comment 2 wenjiezander 2021-12-13 10:27:13 UTC 
Created attachment 38132 [details]
The poc file causes java.lang.IllegalArgumentException in org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri--PackagingURIHelper.java-415 poi-5.1.0
Comment 3 PJ Fanning 2021-12-13 11:28:16 UTC 
marking all these as need info - can you explain in plain English what you are testing? are you testing that POI can't handle garbage input? and what do you expect POI to do when it gets garbage input?
Comment 4 wenjiezander 2021-12-16 14:59:32 UTC 
I have tested in 5.2.0-SNAPSHOT taken from https://ci-builds.apache.org/job/POI/job/POI-DSL-1.8/lastSuccessfulBuild/artifact/build/dist/

This bug is still reproducible.