Merge pull request #86 from developer0hye/ralph/phase14-denylist-and-infra

developer0hye · web-flow · commit c4fed54efffa · 2026-03-01T17:22:07.000+09:00
fix: denylist adversarial fixtures and wrap parsing with catch_unwind
diff --git a/crates/office2pdf/src/lib.rs b/crates/office2pdf/src/lib.rs
@@ -53,6 +53,17 @@ use config::{ConvertOptions, Format};
 use error::{ConvertError, ConvertMetrics, ConvertResult};
 use parser::Parser;
 
+/// Extract a human-readable message from a caught panic payload.
+fn extract_panic_message(payload: &Box<dyn std::any::Any + Send>) -> String {
+    if let Some(s) = payload.downcast_ref::<String>() {
+        s.clone()
+    } else if let Some(s) = payload.downcast_ref::<&str>() {
+        (*s).to_string()
+    } else {
+        "unknown panic".to_string()
+    }
+}
+
 /// Convert a file at the given path to PDF bytes with warnings.
 ///
 /// Detects the format from the file extension (`.docx`, `.pptx`, `.xlsx`).
@@ -131,8 +142,20 @@ pub fn convert_bytes(
     };
 
     // Stage 1: Parse (OOXML → IR)
+    // Wrap with catch_unwind to convert upstream panics (e.g. unwrap() in
+    // umya-spreadsheet / docx-rs) into ConvertError::Parse.
     let parse_start = Instant::now();
-    let (doc, warnings) = parser.parse(data, options)?;
+    let parse_result =
+        std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| parser.parse(data, options)));
+    let (doc, warnings) = match parse_result {
+        Ok(result) => result?,
+        Err(panic_info) => {
+            return Err(ConvertError::Parse(format!(
+                "upstream parser panicked: {}",
+                extract_panic_message(&panic_info)
+            )));
+        }
+    };
     let parse_duration = parse_start.elapsed();
     let page_count = doc.pages.len() as u32;
 
@@ -188,8 +211,20 @@ fn convert_bytes_streaming_xlsx(
     let xlsx_parser = parser::xlsx::XlsxParser;
 
     // Stage 1: Parse into chunks
+    // Wrap with catch_unwind (same rationale as convert_bytes).
     let parse_start = Instant::now();
-    let (chunk_docs, warnings) = xlsx_parser.parse_streaming(data, options, chunk_size)?;
+    let parse_result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
+        xlsx_parser.parse_streaming(data, options, chunk_size)
+    }));
+    let (chunk_docs, warnings) = match parse_result {
+        Ok(result) => result?,
+        Err(panic_info) => {
+            return Err(ConvertError::Parse(format!(
+                "upstream parser panicked: {}",
+                extract_panic_message(&panic_info)
+            )));
+        }
+    };
     let parse_duration = parse_start.elapsed();
 
     if chunk_docs.is_empty() {
diff --git a/crates/office2pdf/tests/bulk_conversion.rs b/crates/office2pdf/tests/bulk_conversion.rs
@@ -20,11 +20,59 @@ use office2pdf::config::{ConvertOptions, Format};
 // ---------------------------------------------------------------------------
 
 const DENYLIST: &[&str] = &[
-    // Fuzzer-generated corrupted file (invalid checksum)
+    // ── DOCX — fuzzer-generated / corrupted zip structures ───────────
+    "clusterfuzz-testcase-minimized-POIFuzzer-6709287337197568.docx",
+    "clusterfuzz-testcase-minimized-POIXWPFFuzzer-4791943399604224.docx",
+    "clusterfuzz-testcase-minimized-POIXWPFFuzzer-4959857092198400.docx",
+    "clusterfuzz-testcase-minimized-POIXWPFFuzzer-4961551840247808.docx",
+    "clusterfuzz-testcase-minimized-POIXWPFFuzzer-5166796835258368.docx",
+    "clusterfuzz-testcase-minimized-POIXWPFFuzzer-5313273089884160.docx",
+    "clusterfuzz-testcase-minimized-POIXWPFFuzzer-5564805011079168.docx",
+    "clusterfuzz-testcase-minimized-POIXWPFFuzzer-5569740188549120.docx",
+    "clusterfuzz-testcase-minimized-POIXWPFFuzzer-6061520554164224.docx",
+    "clusterfuzz-testcase-minimized-POIXWPFFuzzer-6120975439364096.docx",
+    "clusterfuzz-testcase-minimized-POIXWPFFuzzer-6442791109263360.docx",
     "clusterfuzz-testcase-minimized-POIXWPFFuzzer-6733884933668864.docx",
-    // Fuzzer-generated corrupted files
+    // Crash reporter — corrupted zip
+    "crash-517626e815e0afa9decd0ebb6d1dee63fb9907dd.docx",
+    // Deeply nested table cells — stack overflow risk
+    "deep-table-cell.docx",
+    // Truncated archive — incomplete zip
+    "truncated62886.docx",
+    // ── PPTX — fuzzer-generated / corrupted zip structures ───────────
+    "clusterfuzz-testcase-minimized-POIFuzzer-5205835528404992.pptx",
+    "clusterfuzz-testcase-minimized-POIXSLFFuzzer-4838644450394112.pptx",
+    "clusterfuzz-testcase-minimized-POIXSLFFuzzer-4986044400861184.pptx",
+    "clusterfuzz-testcase-minimized-POIXSLFFuzzer-5463285576892416.pptx",
+    "clusterfuzz-testcase-minimized-POIXSLFFuzzer-5471515212382208.pptx",
+    "clusterfuzz-testcase-minimized-POIXSLFFuzzer-5611274456596480.pptx",
+    "clusterfuzz-testcase-minimized-POIXSLFFuzzer-6071540680032256.pptx",
+    "clusterfuzz-testcase-minimized-POIXSLFFuzzer-6254434927378432.pptx",
+    "clusterfuzz-testcase-minimized-POIXSLFFuzzer-6372932378820608.pptx",
+    "clusterfuzz-testcase-minimized-POIXSLFFuzzer-6435650376957952.pptx",
+    // Corrupted archive (OOM / hang)
+    "Divino_Revelado.pptx",
+    // ── XLSX — fuzzer-generated / corrupted zip structures ───────────
+    "clusterfuzz-testcase-minimized-POIFuzzer-5040805309710336.xlsx",
+    "clusterfuzz-testcase-minimized-POIXSSFFuzzer-4828727001088000.xlsx",
+    "clusterfuzz-testcase-minimized-POIXSSFFuzzer-5089447305609216.xlsx",
+    "clusterfuzz-testcase-minimized-POIXSSFFuzzer-5185049589579776.xlsx",
     "clusterfuzz-testcase-minimized-POIXSSFFuzzer-5265527465181184.xlsx",
     "clusterfuzz-testcase-minimized-POIXSSFFuzzer-5937385319563264.xlsx",
+    "clusterfuzz-testcase-minimized-POIXSSFFuzzer-6123461607817216.xlsx",
+    "clusterfuzz-testcase-minimized-POIXSSFFuzzer-6419366255919104.xlsx",
+    "clusterfuzz-testcase-minimized-POIXSSFFuzzer-6448258963341312.xlsx",
+    "clusterfuzz-testcase-minimized-XLSX2CSVFuzzer-5025401116950528.xlsx",
+    "clusterfuzz-testcase-minimized-XLSX2CSVFuzzer-5542865479270400.xlsx",
+    "clusterfuzz-testcase-minimized-XLSX2CSVFuzzer-5636439151607808.xlsx",
+    "clusterfuzz-testcase-minimized-XLSX2CSVFuzzer-6504225896792064.xlsx",
+    "clusterfuzz-testcase-minimized-XLSX2CSVFuzzer-6594557414080512.xlsx",
+    // Crash reporters — corrupted zip
+    "crash-274d6342e4842d61be0fb48eaadad6208ae767ae.xlsx",
+    "crash-9bf3cd4bd6f50a8a9339d363c2c7af14b536865c.xlsx",
+    // Corrupted / truncated archive
+    "58616.xlsx",
+    // ── XLSX — adversarial / OOM-inducing ────────────────────────────
     // XML billion-laughs attack PoCs
     "poc-xmlbomb.xlsx",
     "poc-xmlbomb-empty.xlsx",
@@ -35,6 +83,8 @@ const DENYLIST: &[&str] = &[
     "poc-shared-strings.xlsx",
     // Extreme dimensions stress test (OOM)
     "too-many-cols-rows.xlsx",
+    // Hangs during conversion (CI timeout)
+    "bug62181.xlsx",
 ];
 
 /// Returns `true` if the file should be skipped due to being on the denylist.
@@ -443,15 +493,32 @@ fn test_bulk_all_formats() {
 /// and does not reject normal files.
 #[test]
 fn test_denylist_filtering() {
-    // Every entry in DENYLIST should be recognized
+    // Every entry in DENYLIST should be recognized regardless of parent directory
     for name in DENYLIST {
-        let path = PathBuf::from(format!("tests/fixtures/xlsx/poi/{name}"));
+        let path = PathBuf::from(format!("tests/fixtures/any/dir/{name}"));
         assert!(
             is_denylisted(&path),
             "Expected {name} to be denylisted, but it was not"
         );
     }
 
+    // Denylist should cover all three formats
+    let docx_count = DENYLIST.iter().filter(|n| n.ends_with(".docx")).count();
+    let pptx_count = DENYLIST.iter().filter(|n| n.ends_with(".pptx")).count();
+    let xlsx_count = DENYLIST.iter().filter(|n| n.ends_with(".xlsx")).count();
+    assert!(
+        docx_count >= 14,
+        "Expected ≥14 DOCX entries, got {docx_count}"
+    );
+    assert!(
+        pptx_count >= 10,
+        "Expected ≥10 PPTX entries, got {pptx_count}"
+    );
+    assert!(
+        xlsx_count >= 15,
+        "Expected ≥15 XLSX entries, got {xlsx_count}"
+    );
+
     // Normal files must not be denylisted
     let normal = PathBuf::from("tests/fixtures/xlsx/poi/sample.xlsx");
     assert!(
diff --git a/crates/office2pdf/tests/xlsx_fixtures.rs b/crates/office2pdf/tests/xlsx_fixtures.rs
@@ -382,6 +382,36 @@ xlsx_fixture_tests!(
     "SH108-SimpleFormattedCell.xlsx"
 );
 
+// --- Upstream panic safety ---------------------------------------------------
+
+/// Verifies that files which trigger upstream panics (umya-spreadsheet unwrap())
+/// return `Err` instead of panicking, thanks to catch_unwind in convert_bytes().
+#[test]
+fn upstream_panics_return_error() {
+    let cases: &[(&str, office2pdf::config::Format)] = &[
+        // umya-spreadsheet: unwrap() on missing zip entry (FileNotFound)
+        (
+            "libreoffice/chart_hyperlink.xlsx",
+            office2pdf::config::Format::Xlsx,
+        ),
+        // umya-spreadsheet: ParseFloatError on boolean cell
+        (
+            "libreoffice/check-boolean.xlsx",
+            office2pdf::config::Format::Xlsx,
+        ),
+    ];
+    for (name, format) in cases {
+        let path = fixture_path(name);
+        if !path.exists() {
+            eprintln!("Skipping {name}: fixture not available");
+            continue;
+        }
+        let data = std::fs::read(&path).unwrap();
+        let result = office2pdf::convert_bytes(&data, *format, &ConvertOptions::default());
+        assert!(result.is_err(), "{name} should return Err (not panic)");
+    }
+}
+
 // --- MIT: calamine (Rust) --------------------------------------------------
 
 xlsx_fixture_tests!(date_1904, "date_1904.xlsx");
