author | xuri <xuri.me@gmail.com> | 2021-08-15 00:06:40 +0800 |
---|---|---|
committer | xuri <xuri.me@gmail.com> | 2021-08-15 00:06:40 +0800 |
commit | 48c16de8bf74df0fa94a30d29e2e7e3446d48433 (patch) | |
tree | 329a2e4ab896982581bd348a1700d75aeb40a517 /lib.go | |
parent | f6f14f507ee1adf4883cb1b12f27932a63afb286 (diff) |
Improve security and simplify code
- Make variable name more semantic
- Reduce cyclomatic complexities for the formula calculate function
- Support specifying an unzip size limit in the open file options, to mitigate zip bomb attacks
- Typo fix for documentation and error message
Diffstat (limited to 'lib.go')
-rw-r--r-- | lib.go | 28 |
1 files changed, 17 insertions, 11 deletions
@@ -26,15 +26,22 @@ import (
 
 // ReadZipReader can be used to read the spreadsheet in memory without touching the
 // filesystem.
-func ReadZipReader(r *zip.Reader) (map[string][]byte, int, error) {
- var err error
- var docPart = map[string]string{
- "[content_types].xml": "[Content_Types].xml",
- "xl/sharedstrings.xml": "xl/sharedStrings.xml",
- }
- fileList := make(map[string][]byte, len(r.File))
- worksheets := 0
+func ReadZipReader(r *zip.Reader, o *Options) (map[string][]byte, int, error) {
+ var (
+ err error
+ docPart = map[string]string{
+ "[content_types].xml": "[Content_Types].xml",
+ "xl/sharedstrings.xml": "xl/sharedStrings.xml",
+ }
+ fileList = make(map[string][]byte, len(r.File))
+ worksheets int
+ unzipSize int64
+ )
 for _, v := range r.File {
+ unzipSize += v.FileInfo().Size()
+ if unzipSize > o.UnzipSizeLimit {
+ return fileList, worksheets, newUnzipSizeLimitError(o.UnzipSizeLimit)
+ }
 fileName := strings.Replace(v.Name, "\\", "/", -1)
 if partName, ok := docPart[strings.ToLower(fileName)]; ok {
 fileName = partName
@@ -61,7 +68,7 @@ func (f *File) readXML(name string) []byte {
 }
 
 // saveFileList provides a function to update given file content in file list
-// of XLSX.
+// of spreadsheet.
 func (f *File) saveFileList(name string, content []byte) {
 f.Pkg.Store(name, append([]byte(XMLHeader), content...))
 }
@@ -75,8 +82,7 @@ func readFile(file *zip.File) ([]byte, error) {
 dat := make([]byte, 0, file.FileInfo().Size())
 buff := bytes.NewBuffer(dat)
 _, _ = io.Copy(buff, rc)
- rc.Close()
- return buff.Bytes(), nil
+ return buff.Bytes(), rc.Close()
 }
 
 // SplitCellName splits cell name to column name and row number. |
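Review bot: The size cap in the `for` loop of `ReadZipReader` is computed from `v.FileInfo().Size()`, which is the uncompressed size the archive declares about itself, so an entry whose header understates its real size is counted at the understated value. Whether the bytes actually produced during decompression are bounded then depends on the zip reader and on `readFile`; reading each entry through `io.LimitReader(rc, remaining+1)` and rejecting a read that exceeds `remaining` would enforce the limit on real output rather than on metadata. Separately, `o` is dereferenced without a nil check and a zero `UnzipSizeLimit` would reject every non-empty archive, so unless every caller is known to fill in a default, guard it with something like `if o == nil || o.UnzipSizeLimit <= 0 { /* fall back to the package default */ }`. The function body continues past the end of the hunk, so how the collected entries are read is not visible here.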
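Review bot: `_, _ = io.Copy(buff, rc)` in `readFile` still discards the copy error, so a decompression or checksum failure hands back truncated bytes, and after this change the only error a caller can ever see is the one from `rc.Close()`. Check the copy first, for example `if _, err := io.Copy(buff, rc); err != nil { _ = rc.Close(); return nil, err }`, and only then `return buff.Bytes(), rc.Close()`. The initial capacity `file.FileInfo().Size()` also comes from the archive header, so it is worth clamping before `make` if `readFile` can be reached without going through the size check in `ReadZipReader`. The start of `readFile`, where `rc` is opened, is outside the hunk.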