A pitfall when unzipping archives with Hutool's native ZipUtil.unzip?
Zip bomb attack detected, invalid sizes: compressed 218, uncompressed 27932,
It worked fine in local testing, but after switching to a different archive it broke!
ZipUtil.unzip(new FileInputStream(zipFile), target, Charset.forName("GBK"));
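The test fails with a Zip bomb error.
The cause is that the compression ratio exceeds Hutool's default limit of 100x, which triggers the exception. The fix is to replace the ZipUtil.unzip call with the JDK's native API for extracting the file.
The replacement code is as follows: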
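import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.Charset;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import lombok.Cleanup;

// `log` is assumed to be an SLF4J logger on the enclosing class (e.g. Lombok's @Slf4j).

/**
 * Unzip a zip archive.
 * @param zipFile the zip file
 * @param descDir parent directory to extract into
 * @throws IOException
 */
public static void unZipFiles(File zipFile, String descDir) throws IOException {
    File destFile = new File(descDir);
    if (!destFile.exists()) {
        destFile.mkdirs();
    }
    // Handles Chinese directory or file names inside the zip file
    @Cleanup ZipFile zip = new ZipFile(zipFile, Charset.forName("GBK"));
    for (Enumeration<? extends ZipEntry> entries = zip.entries(); entries.hasMoreElements(); ) {
        ZipEntry entry = entries.nextElement();
        @Cleanup InputStream in = zip.getInputStream(entry);
        String curEntryName = entry.getName();
        // Check whether the entry name contains a directory component
        int endIndex = curEntryName.lastIndexOf('/');
        // Replace any '*' characters in the path with '/'
        String outPath = (descDir + "/" + curEntryName).replaceAll("\\*", "/");
        if (endIndex != -1) {
            File file = new File(outPath.substring(0, outPath.lastIndexOf("/")));
            if (!file.exists()) {
                file.mkdirs();
            }
        }
        // If the full path is a directory it was already created above, so there is nothing to extract
        File outFile = new File(outPath);
        if (outFile.isDirectory()) {
            continue;
        }
        @Cleanup OutputStream out = new FileOutputStream(outPath);
        byte[] buf1 = new byte[1024];
        int len;
        while ((len = in.read(buf1)) > 0) {
            out.write(buf1, 0, len);
        }
        // in and out are closed by @Cleanup at the end of each iteration
    }
    log.info("解压{}成功", zipFile.getName());
}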
After testing: OK, the problem is perfectly solved!
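The JDK-based replacement above no longer applies Hutool's compression-ratio check, and it writes each entry to descDir plus the entry name without validating that name. As an added example (not the original post's code and not Hutool's), the class below extracts with java.util.zip while rejecting entry names that resolve outside the target directory and capping the bytes actually inflated. The class name SafeUnzip, the limit values and the sample archive built in main are assumptions made for illustration.

```java
import java.io.*;
import java.nio.charset.Charset;
import java.nio.file.*;
import java.util.Enumeration;
import java.util.zip.*;

public class SafeUnzip {
    // Assumed limits for illustration; size them to the archives you expect.
    static final long MAX_ENTRY_BYTES = 100L << 20; // 100 MiB per entry
    static final long MAX_TOTAL_BYTES = 1L << 30;   // 1 GiB per archive

    public static void unzip(File zipFile, Path destDir, Charset cs) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Files.createDirectories(root);
        long total = 0;
        try (ZipFile zip = new ZipFile(zipFile, cs)) {
            for (Enumeration<? extends ZipEntry> e = zip.entries(); e.hasMoreElements(); ) {
                ZipEntry entry = e.nextElement();
                // Zip Slip guard: the resolved path must stay under the target directory.
                Path out = root.resolve(entry.getName()).normalize();
                if (!out.startsWith(root))
                    throw new IOException("entry escapes target: " + entry.getName());
                if (entry.isDirectory()) { Files.createDirectories(out); continue; }
                Files.createDirectories(out.getParent());
                try (InputStream in = zip.getInputStream(entry);
                     OutputStream os = Files.newOutputStream(out)) {
                    byte[] buf = new byte[8192];
                    long written = 0;
                    for (int n; (n = in.read(buf)) != -1; ) {
                        written += n; total += n;
                        // Count inflated bytes; do not trust sizes declared in the headers.
                        if (written > MAX_ENTRY_BYTES || total > MAX_TOTAL_BYTES)
                            throw new IOException("size limit exceeded at " + entry.getName());
                        os.write(buf, 0, n);
                    }
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an entry whose name tries to climb out of the target directory.
        Path tmp = Files.createTempDirectory("unzip-demo");
        File zip = tmp.resolve("sample.zip").toFile();
        try (ZipOutputStream zos = new ZipOutputStream(new FileOutputStream(zip))) {
            zos.putNextEntry(new ZipEntry("../escape.txt"));
            zos.write("x".getBytes());
        }
        try { unzip(zip, tmp.resolve("out"), Charset.forName("GBK")); }
        catch (IOException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

When a limit is hit the partially written file is left on disk, so callers that extract untrusted uploads should unpack into a scratch directory and delete it on failure.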