3x-ooxml-bigdecimal-dos #2840
Open
tballison wants to merge 2 commits into
Pull request overview
This PR updates OOXML custom property extraction to avoid the BigDecimal parsing DoS path by replacing POI/XMLBeans custom-property parsing with a bounded SAX-based parser, plus tests for decimal and text length caps.
Changes:
- Adds length caps for custom property text and decimal parsing.
- Parses docProps/custom.xml directly from the OPC package via SAX.
- Adds unit tests covering capped buffering, oversized decimal rejection, and large string truncation.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| MetadataExtractor.java | Replaces XMLBeans custom property extraction with SAX-based extraction and capped decimal handling. |
| MetadataExtractorTest.java | Adds tests for buffer capping and oversized custom-property values. |
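To make the approach in the overview concrete, here is an added, self-contained illustration of a bounded SAX handler for docProps/custom.xml. It is not Tika's MetadataExtractor and not the code in this PR; the cap values, the handling of container elements, the parser hardening features and the constructed sample document are all assumptions made for this example. The point it shows is that the text cap is enforced while characters are appended (so the buffer itself can never grow past it) and that a numeric value is rejected by length before BigDecimal ever parses it.

```java
import java.io.ByteArrayInputStream;
import java.math.BigDecimal;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

// Added illustration, not Tika's code: a bounded SAX handler for docProps/custom.xml.
public class BoundedCustomPropsHandler extends DefaultHandler {
    static final String CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties";
    static final String VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes";
    // Assumed caps for this example; enforced at append time, not after the fact.
    static final int MAX_TEXT_LEN = 10_000;
    static final int MAX_DECIMAL_LEN = 64;

    final Map<String, Object> props = new LinkedHashMap<>();
    private String currentPropertyName;
    private String currentValueType;
    private final StringBuilder textBuffer = new StringBuilder();
    private boolean truncated;

    @Override
    public void startElement(String uri, String localName, String qName, Attributes atts) {
        if (CP_NS.equals(uri) && "property".equals(localName)) {
            currentPropertyName = atts.getValue("name");
            currentValueType = null;
        } else if (VT_NS.equals(uri) && currentPropertyName != null && currentValueType == null) {
            // Only the first vt:* child of a property becomes its value type, so nested
            // children of a container (vt:vector, vt:array) cannot overwrite it.
            currentValueType = localName;
            textBuffer.setLength(0);
            truncated = false;
        }
    }

    @Override
    public void characters(char[] ch, int start, int length) {
        if (currentValueType == null) return;
        int room = MAX_TEXT_LEN - textBuffer.length();
        if (room <= 0) { truncated = true; return; }      // cap already reached: drop input
        if (length > room) { truncated = true; length = room; }
        textBuffer.append(ch, start, length);             // buffer never exceeds MAX_TEXT_LEN
    }

    @Override
    public void endElement(String uri, String localName, String qName) {
        if (VT_NS.equals(uri) && localName.equals(currentValueType) && currentPropertyName != null) {
            String val = textBuffer.toString().trim();
            switch (currentValueType) {
                case "decimal": case "r8": case "i4": case "i8":
                    // Length check happens before BigDecimal sees the string at all.
                    if (val.length() > MAX_DECIMAL_LEN) {
                        props.put(currentPropertyName, "<oversized numeric value skipped>");
                    } else {
                        try { props.put(currentPropertyName, new BigDecimal(val)); }
                        catch (NumberFormatException e) { props.put(currentPropertyName, val); }
                    }
                    break;
                case "bool":
                    // Accept only the XSD boolean lexical forms; anything else is dropped.
                    if (val.equals("true") || val.equals("1")) props.put(currentPropertyName, Boolean.TRUE);
                    else if (val.equals("false") || val.equals("0")) props.put(currentPropertyName, Boolean.FALSE);
                    break;
                default:
                    props.put(currentPropertyName, truncated ? val + "...[truncated]" : val);
            }
            currentValueType = null;
        } else if (CP_NS.equals(uri) && "property".equals(localName)) {
            currentPropertyName = null;
        }
    }

    public static Map<String, Object> parse(byte[] xml) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Harden the parser: no DOCTYPE, no external entities (entity expansion / XXE).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        SAXParser p = f.newSAXParser();
        BoundedCustomPropsHandler h = new BoundedCustomPropsHandler();
        p.parse(new InputSource(new ByteArrayInputStream(xml)), h);
        return h.props;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document: a normal decimal, an oversized one, and a bool.
        StringBuilder big = new StringBuilder("1E+");
        for (int i = 0; i < 100; i++) big.append('9');
        String fmtid = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"; // standard user-defined-properties FMTID
        String xml = "<Properties xmlns='" + CP_NS + "' xmlns:vt='" + VT_NS + "'>"
            + "<property fmtid='" + fmtid + "' pid='2' name='Price'><vt:decimal>12.50</vt:decimal></property>"
            + "<property fmtid='" + fmtid + "' pid='3' name='Huge'><vt:decimal>" + big + "</vt:decimal></property>"
            + "<property fmtid='" + fmtid + "' pid='4' name='Flag'><vt:bool>true</vt:bool></property>"
            + "</Properties>";
        System.out.println(parse(xml.getBytes(StandardCharsets.UTF_8)));
    }
}
```

Running `main` prints a map with `Price=12.50`, `Huge=<oversized numeric value skipped>` and `Flag=true`. The two design choices worth carrying into a real extractor are that `characters()` is the only place the cap needs to live (so `toString()` in `endElement` can never allocate more than the cap), and that the numeric branch decides by string length before constructing the BigDecimal.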
| public void endElement(String uri, String localName, String qName) { | ||
| if (VT_NS.equals(uri) && currentValueType != null && | ||
| localName.equals(currentValueType) && currentPropertyName != null) { | ||
| String val = textBuffer.toString().trim(); |
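Review bot: `textBuffer.toString().trim()` here materializes whatever has accumulated in the buffer, so the text cap this PR adds only protects this path if it is enforced when characters are appended (in `characters()`), not by truncating `val` afterwards; if the cap is applied at this point, an oversized value has already been buffered in full. Also worth checking that a `vt:*` end element whose `localName` does not match `currentValueType` still resets the buffer, otherwise its text carries over into the next property's value.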
Comment on lines +304 to +305
| case "bool": | ||
| customMetadata.set(propName, val); |
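Review bot: for `case "bool"` the trimmed string is stored verbatim, so `TRUE`, `1`, or any arbitrary text would all be passed through unchanged rather than as a normalized boolean. Suggest accepting only the XSD boolean lexical forms (`true`, `false`, `1`, `0`), normalizing to `true`/`false`, and skipping anything else, so consumers of the metadata never see a non-boolean under a boolean-typed key.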
Comment on lines +276 to +278
| } else if (VT_NS.equals(uri) && currentPropertyName != null) { | ||
| currentValueType = localName; | ||
| textBuffer.setLength(0); |
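Review bot: this branch assigns `currentValueType = localName` and clears `textBuffer` for any element in the vt namespace while a property is open, so a property whose value is a container (`vt:vector`, `vt:array`, `vt:variant`) with nested `vt:*` children would have its type overwritten and its buffer reset by each child, and the `endElement` match on `localName.equals(currentValueType)` would then fire on the inner element. Suggest only assigning when `currentValueType == null` (first vt child wins) or restricting to a known set of scalar types; and if the text cap is tracked by a separate counter rather than the StringBuilder's length, reset that counter here alongside `setLength(0)`.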