Bug 68336 - java.lang.NullPointerException in org.apache.poi.openxml4j
Summary: java.lang.NullPointerException in org.apache.poi.openxml4j
Status: RESOLVED INFORMATIONPROVIDED
Alias: None
Product: POI
Classification: Unclassified
Component: OPC (show other bugs)
Version: 5.2.3-FINAL
Hardware: PC Mac OS X 10.1
: P2 normal (vote)
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-13 11:14 UTC by Xiaohan Zhang
Modified: 2023-12-13 11:51 UTC (History)
0 users


Attachments
Crash sample (372 bytes, application/zip)
2023-12-13 11:14 UTC, Xiaohan Zhang 		Details
POC xlsx file (372 bytes, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet)
2023-12-13 11:25 UTC, Xiaohan Zhang 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Xiaohan Zhang 2023-12-13 11:14:12 UTC 
Created attachment 39458 [details]
Crash sample

Recently we discovered a bug in poi (5.2.3).
Due to the lack of contextual knowledge in the poi library, we cannot thoroughly fix some bugs hence we look forward to any proposed plan from the developers in fixing these bugs.

# Crash Stack

Exception in thread "main" java.lang.NullPointerException
        at org.apache.poi.openxml4j.opc.PackagePartName.throwExceptionIfEmptyURI(PackagePartName.java:204)
        at org.apache.poi.openxml4j.opc.PackagePartName.throwExceptionIfInvalidPartUri(PackagePartName.java:173)
        at org.apache.poi.openxml4j.opc.PackagePartName.<init>(PackagePartName.java:82)
        at org.apache.poi.openxml4j.opc.PackagingURIHelper.createPartName(PackagingURIHelper.java:481)
        at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.parseContentTypesFile(ContentTypeManager.java:411)
        at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.<init>(ContentTypeManager.java:102)
        at org.apache.poi.openxml4j.opc.internal.ZipContentTypeManager.<init>(ZipContentTypeManager.java:53)
        at org.apache.poi.openxml4j.opc.ZipPackage.getPartsImpl(ZipPackage.java:282)
        at org.apache.poi.openxml4j.opc.OPCPackage.getParts(OPCPackage.java:749)
        at org.apache.poi.openxml4j.opc.OPCPackage.open(OPCPackage.java:322)
        at org.apache.poi.ooxml.util.PackageHelper.open(PackageHelper.java:59)
        at org.apache.poi.xssf.usermodel.XSSFWorkbook.<init>(XSSFWorkbook.java:290)
        at org.apache.poi.xssf.usermodel.XSSFWorkbook.<init>(XSSFWorkbook.java:286)
        at com.test.Entry.main(Entry.java:32)


# Test Program

package com.test;
import java.io.File;
import java.io.InputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.poi.hssf.usermodel.HSSFWorkbook;
import org.apache.poi.ss.usermodel.Cell;
import org.apache.poi.ss.usermodel.CellType;
import org.apache.poi.ss.usermodel.Row;
import org.apache.poi.ss.usermodel.Sheet;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.xssf.usermodel.XSSFWorkbook;

public class Entry {
        public static void main (String args[]) throws IOException {
                assert args.length == 1;
                System.out.println("Testing Harness with args[0]: " + args[0]);
                try {
                        FileInputStream fis = new FileInputStream(args[0]);
                        Workbook workbook = null;
                        workbook = new XSSFWorkbook(fis);
                        int numberOfSheets = workbook.getNumberOfSheets();
                        for(int i=0; i < numberOfSheets; i++){
                                Sheet sheet = workbook.getSheetAt(i);
                                Iterator<Row> rowIterator = sheet.iterator();
                                while (rowIterator.hasNext())
                        {
                                        String name = "";
                                        String shortCode = "";
                                        Row row = rowIterator.next();
                                        Iterator<Cell> cellIterator = row.cellIterator();
                            while (cellIterator.hasNext())
                            {
                                Cell cell = cellIterator.next();
                                if (cell.getCellType() == CellType.STRING){
                                name = cell.getStringCellValue().trim();
                                System.out.println("Random data::"+ name);
                                } else if (cell.getCellType() == CellType.NUMERIC){
                                System.out.println("Random data::"+cell.getNumericCellValue());
                                }
                            }
                        } 
                        fis.close();
                        }
                } catch (IOException e) {
                        e.printStackTrace();
                }
        }
}
Comment 1 PJ Fanning 2023-12-13 11:21:08 UTC 
What is that zip that you attached? It seems corrupted. Please provide an xlsx file that reproduces the issue - don't zip it - just attach the xlsx file.
Comment 2 Xiaohan Zhang 2023-12-13 11:25:44 UTC 
Created attachment 39461 [details]
POC xlsx file

Sorry for the inconvenient, the attached file we provided are indeed corrupted xlsx file. We use fuzzing to iteratively mutate some valid xlsx files to test the poi.
Comment 3 PJ Fanning 2023-12-13 11:41:56 UTC 
Please read https://poi.apache.org/security.html

POI is 20 years old. It would need a total rewrite to get it to to throw checked exceptions for every issue. This is not going to happen.

It is up to users to use POI in a safe way. You should strongly consider using a Sandboxed environment if you intend to use POI to read potentially malicious files.

If you want to provide patches to help harden the POI code - great.

If you are just going to dump artificially created corrupt files then I have no interest. You are not helping anyone.
Comment 4 PJ Fanning 2023-12-13 11:47:09 UTC 
This was probably fixed in POI 5.2.5 release. https://github.com/apache/poi/commit/733d3d10ead2619e6bf10a1f431fd659cf178f03

This includes a null check in PackagePartName.throwExceptionIfEmptyURI(PackagePartName.java:204)
Comment 5 Xiaohan Zhang 2023-12-13 11:51:35 UTC 
Thank you for your contribution, that's perfect!