Created attachment 39458 [details] Crash sample

Recently we discovered a bug in poi (5.2.3). Due to the lack of contextual knowledge in the poi library, we cannot thoroughly fix some bugs, hence we look forward to any proposed plan from the developers in fixing these bugs.

# Crash Stack

```
Exception in thread "main" java.lang.NullPointerException
    at org.apache.poi.openxml4j.opc.PackagePartName.throwExceptionIfEmptyURI(PackagePartName.java:204)
    at org.apache.poi.openxml4j.opc.PackagePartName.throwExceptionIfInvalidPartUri(PackagePartName.java:173)
    at org.apache.poi.openxml4j.opc.PackagePartName.<init>(PackagePartName.java:82)
    at org.apache.poi.openxml4j.opc.PackagingURIHelper.createPartName(PackagingURIHelper.java:481)
    at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.parseContentTypesFile(ContentTypeManager.java:411)
    at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.<init>(ContentTypeManager.java:102)
    at org.apache.poi.openxml4j.opc.internal.ZipContentTypeManager.<init>(ZipContentTypeManager.java:53)
    at org.apache.poi.openxml4j.opc.ZipPackage.getPartsImpl(ZipPackage.java:282)
    at org.apache.poi.openxml4j.opc.OPCPackage.getParts(OPCPackage.java:749)
    at org.apache.poi.openxml4j.opc.OPCPackage.open(OPCPackage.java:322)
    at org.apache.poi.ooxml.util.PackageHelper.open(PackageHelper.java:59)
    at org.apache.poi.xssf.usermodel.XSSFWorkbook.<init>(XSSFWorkbook.java:290)
    at org.apache.poi.xssf.usermodel.XSSFWorkbook.<init>(XSSFWorkbook.java:286)
    at com.test.Entry.main(Entry.java:32)
```

# Test Program

```java
package com.test;

import java.io.FileInputStream;
import java.io.IOException;
import java.util.Iterator;

import org.apache.poi.ss.usermodel.Cell;
import org.apache.poi.ss.usermodel.CellType;
import org.apache.poi.ss.usermodel.Row;
import org.apache.poi.ss.usermodel.Sheet;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.xssf.usermodel.XSSFWorkbook;

public class Entry {
    public static void main(String[] args) throws IOException {
        assert args.length == 1;
        System.out.println("Testing Harness with args[0]: " + args[0]);
        // try-with-resources closes both the stream and the workbook, even when
        // parsing throws; only IOException is caught, so the NullPointerException
        // raised while opening the crash sample propagates out of main()
        try (FileInputStream fis = new FileInputStream(args[0]);
             Workbook workbook = new XSSFWorkbook(fis)) {
            int numberOfSheets = workbook.getNumberOfSheets();
            for (int i = 0; i < numberOfSheets; i++) {
                Sheet sheet = workbook.getSheetAt(i);
                Iterator<Row> rowIterator = sheet.iterator();
                while (rowIterator.hasNext()) {
                    Row row = rowIterator.next();
                    Iterator<Cell> cellIterator = row.cellIterator();
                    while (cellIterator.hasNext()) {
                        Cell cell = cellIterator.next();
                        if (cell.getCellType() == CellType.STRING) {
                            String name = cell.getStringCellValue().trim();
                            System.out.println("Random data::" + name);
                        } else if (cell.getCellType() == CellType.NUMERIC) {
                            System.out.println("Random data::" + cell.getNumericCellValue());
                        }
                    }
                }
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
```
What is that zip that you attached? It seems corrupted. Please provide an xlsx file that reproduces the issue - don't zip it - just attach the xlsx file.
Created attachment 39461 [details] POC xlsx file

Sorry for the inconvenience; the attached file we provided is indeed a corrupted xlsx file. We use fuzzing to iteratively mutate some valid xlsx files to test poi.
Please read https://poi.apache.org/security.html

POI is 20 years old. It would need a total rewrite to get it to throw checked exceptions for every issue. This is not going to happen. It is up to users to use POI in a safe way. You should strongly consider using a sandboxed environment if you intend to use POI to read potentially malicious files.

If you want to provide patches to help harden the POI code - great. If you are just going to dump artificially created corrupt files then I have no interest. You are not helping anyone.
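The comment above puts the burden of handling malformed input on the caller. The following is an added example, not code from this bug report or from the POI project, of what that looks like in practice: a loader that treats any failure while opening an untrusted .xlsx, whether a checked IOException or an unchecked NullPointerException like the one in this report, as "file rejected", applies POI's built-in zip-bomb limits, and bounds parse time. The class and package names, the size and time limits, and the `Outcome` type are assumptions; `ZipSecureFile.setMinInflateRatio`, `setMaxEntrySize` and `setMaxTextSize` are real POI API.

```java
// Added example (not from this bug report or the POI project): a defensive
// wrapper for opening untrusted .xlsx files. Names and limits are assumptions.
package com.example.safeload;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.poi.openxml4j.util.ZipSecureFile;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.xssf.usermodel.XSSFWorkbook;

public final class SafeWorkbookLoader {

    /** Result of one attempt to parse an untrusted workbook. */
    public static final class Outcome {
        public final int sheetCount;   // -1 when the file was rejected
        public final String reason;    // null when the file was accepted
        Outcome(int sheetCount, String reason) { this.sheetCount = sheetCount; this.reason = reason; }
        public boolean accepted() { return reason == null; }
    }

    static {
        // Tighten POI's zip-bomb guards before any package is opened
        // (real POI setters; the chosen values are assumptions).
        ZipSecureFile.setMinInflateRatio(0.01d);
        ZipSecureFile.setMaxEntrySize(64L * 1024 * 1024);
        ZipSecureFile.setMaxTextSize(10L * 1024 * 1024);
    }

    /** Parse a workbook from an untrusted file, rejecting it on any failure. */
    public static Outcome load(Path file, long maxBytes, long timeoutSeconds) {
        try {
            if (Files.size(file) > maxBytes) {
                return new Outcome(-1, "file exceeds size limit");
            }
        } catch (IOException e) {
            return new Outcome(-1, "cannot stat file: " + e.getMessage());
        }

        // Parse on a separate thread so the caller can give up after a deadline.
        ExecutorService worker = Executors.newSingleThreadExecutor();
        Future<Integer> task = worker.submit(() -> {
            try (InputStream in = Files.newInputStream(file);
                 Workbook wb = new XSSFWorkbook(in)) {
                return wb.getNumberOfSheets();
            }
        });
        try {
            return new Outcome(task.get(timeoutSeconds, TimeUnit.SECONDS), null);
        } catch (TimeoutException e) {
            task.cancel(true);
            return new Outcome(-1, "parse timed out");
        } catch (ExecutionException e) {
            // IOException, POIXMLException, NullPointerException, StackOverflowError:
            // every throwable raised by the parser is surfaced here as a rejection.
            Throwable cause = e.getCause();
            return new Outcome(-1, cause.getClass().getSimpleName() + ": " + cause.getMessage());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return new Outcome(-1, "interrupted");
        } finally {
            worker.shutdownNow();
        }
    }

    public static void main(String[] args) {
        Outcome o = load(Path.of(args[0]), 20L * 1024 * 1024, 30);
        System.out.println(o.accepted() ? "accepted, sheets=" + o.sheetCount : "rejected: " + o.reason);
    }
}
```

The thread-based deadline is only a soft guard: `cancel(true)` interrupts the worker, but a parser that ignores interruption keeps running until it finishes or exhausts memory. That is why the comment above recommends a sandboxed environment; for genuinely untrusted input, run the parser in a separate process or container with its own memory and CPU limits, and treat the wrapper here as the in-process layer of that design, not a replacement for it.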
This was probably fixed in POI 5.2.5 release. https://github.com/apache/poi/commit/733d3d10ead2619e6bf10a1f431fd659cf178f03 This includes a null check in PackagePartName.throwExceptionIfEmptyURI(PackagePartName.java:204)
Thank you for your contribution, that's perfect!