Bug 65740 - java.lang.IllegalArgumentException, org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri--PackagingURIHelper.java-415 poi 5.1.0
Summary: java.lang.IllegalArgumentException, org.apache.poi.openxml4j.opc.PackagingURI...
Alias: None
Product: POI
Classification: Unclassified
Component: OPC (show other bugs)
Version: 5.0.x-dev
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: POI Developers List
Depends on:
Reported: 2021-12-13 09:01 UTC by wenjiezander
Modified: 2021-12-16 14:59 UTC (History)
0 users

The poc file causes java.lang.IllegalArgumentException in org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri--PackagingURIHelper.java-415 poi-5.1.0 (9.24 KB, application/zip)
2021-12-13 10:27 UTC, wenjiezander

Note You need to log in before you can comment on or make changes to this bug.
Description wenjiezander 2021-12-13 09:01:06 UTC
# java.lang.IllegalArgumentException in `org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri::PackagingURIHelper.java:415` poi 5.1.0

This vulnerability is of java.lang.IllegalArgumentException, and can be triggered in latest version poi (5.1.0).
It is caused by passing an illegal or inappropriate argument into a method and can can be used for attackers to launch DoS (Denial of Service) attack for any java program that uses this library (since the user of metadata-extractor doesn't know they need to catch this kind of exception) ( CWE-248: Uncaught exception).
Likely, the root cause of this crash is in `org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri::PackagingURIHelper.java:415`.
See more detail from the following crash stack.

# Crash stack:
The crash thread's stack is as follows:


# Steps to reproduce:

1. Build the following java code with the corresponding poi library (version 5.1.0).

## Download poi_env_reproduce.zip from https://drive.google.com/file/d/1N4gUC0MF-SAN-Xz0van0_7TbNj4aUuFd/view?usp=sharing
unzip poi_env_reproduce.zip
cd poi_env_reproduce
bash build.sh

2. Run the built program to see the crash by feeding one of the poc file contained in the pocs.tar.gz, e.g. :

java -jar target/Entry-1.0-SNAPSHOT-jar-with-dependencies.jar pocs/crash-46c0fab66256d7a06a4ad7e7501e4352a2e3a792

Any further discussion for this vulnerability including fix is welcomed!
Feel free to contact me at wenjiezander@gmail.com (https://github.com/ZanderHuang)
Comment 1 wenjiezander 2021-12-13 09:44:23 UTC
The poc file and report can be downloaded from https://drive.google.com/drive/folders/1RsDEtpjmv3adeLg0E0H4g4FicUKxdpgG?usp=sharing
Comment 2 wenjiezander 2021-12-13 10:27:13 UTC
Created attachment 38132 [details]
The poc file causes java.lang.IllegalArgumentException in org.apache.poi.openxml4j.opc.PackagingURIHelper.resolvePartUri--PackagingURIHelper.java-415 poi-5.1.0
Comment 3 PJ Fanning 2021-12-13 11:28:16 UTC
marking all these as need info - can you explain in plain English what you are testing? are you testing that POI can't handle garbage input? and what do you expect POI to do when it gets garbage input?
Comment 4 wenjiezander 2021-12-16 14:59:32 UTC
I have tested in 5.2.0-SNAPSHOT taken from https://ci-builds.apache.org/job/POI/job/POI-DSL-1.8/lastSuccessfulBuild/artifact/build/dist/

This bug is still reproducible.