From 6e3f8759fa344f827f83b5ce1f06290b0164cd46 Mon Sep 17 00:00:00 2001
From: Juho Nurminen
Date: Fri, 19 Jan 2024 01:47:18 +0200
Subject: [PATCH] Merge pull request from GHSA-3qm5-5hmp-8c6w
* Limit the size of the content type definition in OOXML
* Improve naming in OOXML tests
* Check OOXML error type in tests
---
 docx.go | 2 +-
 docx_test/docx_test.go | 16 ++++++++++++++++
 .../testdata/decompression_size_limit.docx | Bin 0 -> 97410 bytes
 pptx_test/pptx_test.go | 15 +++++++++++++++
 .../testdata/decompression_size_limit.pptx | Bin 0 -> 97410 bytes
 5 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100755 docx_test/testdata/decompression_size_limit.docx
 create mode 100755 pptx_test/testdata/decompression_size_limit.pptx
diff --git a/docx.go b/docx.go
index 9e96107..185e52d 100644
--- a/docx.go
+++ b/docx.go
@@ -119,7 +119,7 @@ func getContentTypeDefinition(zf *zip.File) (*contentTypeDefinition, error) {
 defer f.Close()
 
 x := &contentTypeDefinition{}
- if err := xml.NewDecoder(f).Decode(x); err != nil {
+ if err := xml.NewDecoder(io.LimitReader(f, maxBytes)).Decode(x); err != nil {
 return nil, err
 }
 return x, nil
diff --git a/docx_test/docx_test.go b/docx_test/docx_test.go
index c95a7a7..3b1aa50 100644
--- a/docx_test/docx_test.go
+++ b/docx_test/docx_test.go
@@ -1,6 +1,7 @@
 package docx_test
 
 import (
+ "encoding/xml"
 "os"
 "strings"
 "testing"
@@ -50,3 +51,18 @@ func TestConvertDocxWithUncommonValidStructure(t *testing.T) {
 t.Errorf("expected %v to contains %v", resp, want)
 }
 }
+
+
+func TestConvertDocxDecompressionSizeLimit(t *testing.T) {
+ f, err := os.Open("./testdata/decompression_size_limit.docx")
+ if err != nil {
+ t.Fatalf("got error = %v, want nil", err)
+ }
+ _, _, err = docconv.ConvertDocx(f)
+ if _, ok := err.(*xml.SyntaxError); !ok {
+ t.Errorf("got error = %T, want *xml.SyntaxError", err)
+ }
+ if want := "EOF"; !strings.Contains(err.Error(), want) {
+ t.Errorf("got error = %v, want %v", err, want)
+ }
+}
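Review bot: A content-type entry larger than `maxBytes` is silently truncated by `io.LimitReader` and then surfaces as the decoder's generic `*xml.SyntaxError` ("unexpected EOF"), which is indistinguishable from a genuinely corrupt archive and invites callers and tests to match on the "EOF" text — exactly what the new docx test does. Tracking the remaining budget with an `io.LimitedReader` lets `getContentTypeDefinition` report the size violation explicitly while keeping the decoder error as the wrapped cause; the sketch below uses `fmt.Errorf`, so it assumes `fmt` is importable in docx.go, and because the decoder buffers reads, `lr.N == 0` can coincide with a real syntax error in the final bytes, hence the preserved cause. Neither `maxBytes` nor the `io` import is visible in this hunk; the two-line diffstat suggests both already exist, but it is worth confirming the constant is documented as a cap on decompressed bytes of this one entry, since other archive entries are decoded elsewhere. The enclosing function starts before this hunk.
```go
	x := &contentTypeDefinition{}
	// Keep the remaining budget so an oversized entry is reported as such,
	// not as an opaque "unexpected EOF" from the decoder.
	lr := &io.LimitedReader{R: f, N: maxBytes}
	if err := xml.NewDecoder(lr).Decode(x); err != nil {
		if lr.N == 0 {
			return nil, fmt.Errorf("content type definition exceeds %d bytes: %w", maxBytes, err)
		}
		return nil, err
	}
	return x, nil
```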
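Review bot: The file handle opened by `os.Open` in `TestConvertDocxDecompressionSizeLimit` is never closed, and the `err.Error()` call in the "EOF" check dereferences `err` unguarded — if the size limit ever regresses so that conversion succeeds, the type check only records a `t.Errorf` and the test then panics on a nil error instead of failing cleanly. Add `defer f.Close()` after the open check and make the type assertion fatal: `if _, ok := err.(*xml.SyntaxError); !ok { t.Fatalf("got error = %T, want *xml.SyntaxError", err) }`. The "EOF" substring match is also coupled to the truncation mechanism rather than to the limit itself; a dedicated error from the converter would make this assertion less brittle, though that is a library change rather than a test one.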
diff --git a/docx_test/testdata/decompression_size_limit.docx b/docx_test/testdata/decompression_size_limit.docx new file mode 100755 index 0000000000000000000000000000000000000000..4ea761fc4e2d9f4f478177a4fdce405b82815467 GIT binary patch literal 97410 zcmeI*Pe_}09Khkk*yTl7P^wVSLcp7Y-X`6=yt7~rUcyLD#b#1+vZfh|RMw(__9*k% zt38GGPFu zLjQ0s=pC=Fi@hgqT)Wd;ZZwzc)zwyGY3|D1#oK2GpS&4{!?|y2pN(C=mD?EVPA{Ey zgYUoi`PZB0&wro$@ax9?$2+$^o_}Xy=BppR`?K%W&-Iu90RjXF5FkK+009C72oOk* zK=*8~olLVCEsR%d76AeT2oNAZfB*pk1PBlykamIjVyQol0qfoR=++a9009C72oNAZ zfB*pk1PBmFyTHIytDI~MIE{{jw1*G#5gR_@l;KkbFgY>5l6A~amfB*pk1PBlyK!5;&%nMAM?X{B@uo*3k zSG5rW1PBlyK!5-N0t5&UAV47X0`tXEe;fnWyY3m1PBlyK!5-N0t5&UAV47f z0s~X6a-fB*pk1PBlyK!5-N0t5)uj@pHM90SVH;Y=s}?Zbow2oNAZ zfB*pk1PBlyKp^u1`=zlU*%)xXJ2|b55FkK+009C72oNAZfB*pksTUYoISG>%a1iYb zWxk96AV7cs0RjXF5FkK+009CS5ZEph`{Ec7zI?V(Nqzb-AOQjd2oNAZfB*pk1PBly z@bL20!DM5=i?ziE8E79yBtU=w0RjXF5FkK+009D77nnHPYbPyWGg=t0Y9j;)5FkK+ z009C72oNAZfI#X6=8L8NI0meD>!Vv)FC*qBK!5-N0t5&UAV7cs0RkBi7?^66lZ^qV z(Q%Oa@?k&%1PBlyK!5-N0t5&UAV8pY)Gp-X7*LK5XF3^(A4ViVfB*pk1PBlyK!5-N z0$CT>FO3Ds#(?wP$!Tqb009C72oNAZfB*pk1PBmFy}-!INtm>NgJ@?c>tV$F1PBly zK!5-N0t5&UAV44s0^5b++qv+AOX1T;eQWu@-tU|=m%hC@_)Bu-KvD_Z5FkK+009C7 z2oQLk0{0$&`nFu zLjQ0s=pC=Fi@hgqT)Wd;ZZwzc)zwyGY3|D1#oK2GpS&4{!?|y2pN(C=mD?EVPA{Ey zgYUoi`PZB0&wro$@ax9?$2+$^o_}Xy=BppR`?K%W&-Iu90RjXF5FkK+009C72oOk* zK=*8~olLVCEsR%d76AeT2oNAZfB*pk1PBlykamIjVyQol0qfoR=++a9009C72oNAZ zfB*pk1PBmFyTHIytDI~MIE{{jw1*G#5gR_@l;KkbFgY>5l6A~amfB*pk1PBlyK!5;&%nMAM?X{B@uo*3k zSG5rW1PBlyK!5-N0t5&UAV47X0`tXEe;fnWyY3m1PBlyK!5-N0t5&UAV47f z0s~X6a-fB*pk1PBlyK!5-N0t5)uj@pHM90SVH;Y=s}?Zbow2oNAZ zfB*pk1PBlyKp^u1`=zlU*%)xXJ2|b55FkK+009C72oNAZfB*pksTUYoISG>%a1iYb zWxk96AV7cs0RjXF5FkK+009CS5ZEph`{Ec7zI?V(Nqzb-AOQjd2oNAZfB*pk1PBly z@bL20!DM5=i?ziE8E79yBtU=w0RjXF5FkK+009D77nnHPYbPyWGg=t0Y9j;)5FkK+ z009C72oNAZfI#X6=8L8NI0meD>!Vv)FC*qBK!5-N0t5&UAV7cs0RkBi7?^66lZ^qV z(Q%Oa@?k&%1PBlyK!5-N0t5&UAV8pY)Gp-X7*LK5XF3^(A4ViVfB*pk1PBlyK!5-N 
z0$CT>FO3Ds#(?wP$!Tqb009C72oNAZfB*pk1PBmFy}-!INtm>NgJ@?c>tV$F1PBly zK!5-N0t5&UAV44s0^5b++qv+AOX1T;eQWu@-tU|=m%hC@_)Bu-KvD_Z5FkK+009C7 z2oQLk0{0$&`n