Improve security and simplify code

- Make variable name more semantic
- Reduce cyclomatic complexities for the formula calculate function
- Support specified unzip size limit on open file options, avoid zip bombs vulnerability attack
- Typo fix for documentation and error message

Author: xuri

calc.go

@@ -6026,6 +6026,39 @@ func (fn *formulaFuncs) DATE(argsList *list.List) formulaArg {
 	return newStringFormulaArg(timeFromExcelTime(daysBetween(excelMinTime1900.Unix(), d)+1, false).String())
 }
 
+// calcDateDif is an implementation of the formula function DATEDIF,
+// calculation difference between two dates.
+func calcDateDif(unit string, diff float64, seq []int, startArg, endArg formulaArg) float64 {
+	ey, sy, em, sm, ed, sd := seq[0], seq[1], seq[2], seq[3], seq[4], seq[5]
+	switch unit {
+	case "d":
+		diff = endArg.Number - startArg.Number
+	case "md":
+		smMD := em
+		if ed < sd {
+			smMD--
+		}
+		diff = endArg.Number - daysBetween(excelMinTime1900.Unix(), makeDate(ey, time.Month(smMD), sd)) - 1
+	case "ym":
+		diff = float64(em - sm)
+		if ed < sd {
+			diff--
+		}
+		if diff < 0 {
+			diff += 12
+		}
+	case "yd":
+		syYD := sy
+		if em < sm || (em == sm && ed < sd) {
+			syYD++
+		}
+		s := daysBetween(excelMinTime1900.Unix(), makeDate(syYD, time.Month(em), ed))
+		e := daysBetween(excelMinTime1900.Unix(), makeDate(sy, time.Month(sm), sd))
+		diff = s - e
+	}
+	return diff
+}
+
 // DATEDIF function calculates the number of days, months, or years between
 // two dates. The syntax of the function is:
 //
@@ -6051,8 +6084,6 @@ func (fn *formulaFuncs) DATEDIF(argsList *list.List) formulaArg {
 	ey, emm, ed := endDate.Date()
 	sm, em, diff := int(smm), int(emm), 0.0
 	switch unit {
-	case "d":
-		return newNumberFormulaArg(endArg.Number - startArg.Number)
 	case "y":
 		diff = float64(ey - sy)
 		if em < sm || (em == sm && ed < sd) {
@@ -6069,28 +6100,8 @@ func (fn *formulaFuncs) DATEDIF(argsList *list.List) formulaArg {
 			mdiff += 12
 		}
 		diff = float64(ydiff*12 + mdiff)
-	case "md":
-		smMD := em
-		if ed < sd {
-			smMD--
-		}
-		diff = endArg.Number - daysBetween(excelMinTime1900.Unix(), makeDate(ey, time.Month(smMD), sd)) - 1
-	case "ym":
-		diff = float64(em - sm)
-		if ed < sd {
-			diff--
-		}
-		if diff < 0 {
-			diff += 12
-		}
-	case "yd":
-		syYD := sy
-		if em < sm || (em == sm && ed < sd) {
-			syYD++
-		}
-		s := daysBetween(excelMinTime1900.Unix(), makeDate(syYD, time.Month(em), ed))
-		e := daysBetween(excelMinTime1900.Unix(), makeDate(sy, time.Month(sm), sd))
-		diff = s - e
+	case "d", "md", "ym", "yd":
+		diff = calcDateDif(unit, diff, []int{ey, sy, em, sm, ed, sd}, startArg, endArg)
 	default:
 		return newErrorFormulaArg(formulaErrorVALUE, "DATEDIF has invalid unit")
 	}

comment_test.go

@@ -3,9 +3,11 @@
 // the LICENSE file.
 //
 // Package excelize providing a set of functions that allow you to write to
-// and read from XLSX files. Support reads and writes XLSX file generated by
-// Microsoft Excel™ 2007 and later. Support save file without losing original
-// charts of XLSX. This library needs Go version 1.15 or later.
+// and read from XLSX / XLSM / XLTM files. Supports reading and writing
+// spreadsheet documents generated by Microsoft Excel™ 2007 and later. Supports
+// complex components by high compatibility, and provided streaming API for
+// generating or reading data from a worksheet with huge amounts of data. This
+// library needs Go version 1.15 or later.
 
 package excelize
 

crypt.go

@@ -3,9 +3,11 @@
 // the LICENSE file.
 //
 // Package excelize providing a set of functions that allow you to write to
-// and read from XLSX files. Support reads and writes XLSX file generated by
-// Microsoft Excel™ 2007 and later. Support save file without losing original
-// charts of XLSX. This library needs Go version 1.15 or later.
+// and read from XLSX / XLSM / XLTM files. Supports reading and writing
+// spreadsheet documents generated by Microsoft Excel™ 2007 and later. Supports
+// complex components by high compatibility, and provided streaming API for
+// generating or reading data from a worksheet with huge amounts of data. This
+// library needs Go version 1.15 or later.
 
 package excelize
 
@@ -15,14 +17,14 @@ import (
 	"crypto/cipher"
 	"crypto/hmac"
 	"crypto/md5"
+	"crypto/rand"
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/sha512"
 	"encoding/base64"
 	"encoding/binary"
 	"encoding/xml"
 	"hash"
-	"math/rand"
 	"reflect"
 	"strings"
 

crypt_test.go

@@ -3,9 +3,11 @@
 // the LICENSE file.
 //
 // Package excelize providing a set of functions that allow you to write to
-// and read from XLSX files. Support reads and writes XLSX file generated by
-// Microsoft Excel™ 2007 and later. Support save file without losing original
-// charts of XLSX. This library needs Go version 1.15 or later.
+// and read from XLSX / XLSM / XLTM files. Supports reading and writing
+// spreadsheet documents generated by Microsoft Excel™ 2007 and later. Supports
+// complex components by high compatibility, and provided streaming API for
+// generating or reading data from a worksheet with huge amounts of data. This
+// library needs Go version 1.15 or later.
 
 package excelize
 

datavalidation_test.go

@@ -3,9 +3,11 @@
 // the LICENSE file.
 //
 // Package excelize providing a set of functions that allow you to write to
-// and read from XLSX files. Support reads and writes XLSX file generated by
-// Microsoft Excel™ 2007 and later. Support save file without losing original
-// charts of XLSX. This library needs Go version 1.15 or later.
+// and read from XLSX / XLSM / XLTM files. Supports reading and writing
+// spreadsheet documents generated by Microsoft Excel™ 2007 and later. Supports
+// complex components by high compatibility, and provided streaming API for
+// generating or reading data from a worksheet with huge amounts of data. This
+// library needs Go version 1.15 or later.
 
 package excelize
 

date_test.go

@@ -85,5 +85,5 @@ func TestExcelDateToTime(t *testing.T) {
 	}
 	// Check error case
 	_, err := ExcelDateToTime(-1, false)
-	assert.EqualError(t, err, "invalid date value -1.000000, negative values are not supported supported")
+	assert.EqualError(t, err, "invalid date value -1.000000, negative values are not supported")
 }

errors.go

@@ -16,26 +16,36 @@ import (
 	"fmt"
 )
 
+// newInvalidColumnNameError defined the error message on receiving the invalid column name.
 func newInvalidColumnNameError(col string) error {
 	return fmt.Errorf("invalid column name %q", col)
 }
 
+// newInvalidRowNumberError defined the error message on receiving the invalid row number.
 func newInvalidRowNumberError(row int) error {
 	return fmt.Errorf("invalid row number %d", row)
 }
 
+// newInvalidCellNameError defined the error message on receiving the invalid cell name.
 func newInvalidCellNameError(cell string) error {
 	return fmt.Errorf("invalid cell name %q", cell)
 }
 
+// newInvalidExcelDateError defined the error message on receiving the data with negative values.
 func newInvalidExcelDateError(dateValue float64) error {
-	return fmt.Errorf("invalid date value %f, negative values are not supported supported", dateValue)
+	return fmt.Errorf("invalid date value %f, negative values are not supported", dateValue)
 }
 
+// newUnsupportChartType defined the error message on receiving the chart type are unsupported.
 func newUnsupportChartType(chartType string) error {
 	return fmt.Errorf("unsupported chart type %s", chartType)
 }
 
+// newUnzipSizeLimitError defined the error message on unzip size exceeds the limit.
+func newUnzipSizeLimitError(unzipSizeLimit int64) error {
+	return fmt.Errorf("unzip size exceeds the %d bytes limit", unzipSizeLimit)
+}
+
 var (
 	// ErrStreamSetColWidth defined the error message on set column width in
 	// stream writing mode.

errors_test.go

@@ -21,5 +21,5 @@ func TestNewInvalidCellNameError(t *testing.T) {
 }
 
 func TestNewInvalidExcelDateError(t *testing.T) {
-	assert.EqualError(t, newInvalidExcelDateError(-1), "invalid date value -1.000000, negative values are not supported supported")
+	assert.EqualError(t, newInvalidExcelDateError(-1), "invalid date value -1.000000, negative values are not supported")
 }

excelize.go

@@ -21,6 +21,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"sync"
@@ -59,21 +60,27 @@ type charsetTranscoderFn func(charset string, input io.Reader) (rdr io.Reader, e
 
 // Options define the options for open spreadsheet.
 type Options struct {
-	Password string
+	Password       string
+	UnzipSizeLimit int64
 }
 
-// OpenFile take the name of an spreadsheet file and returns a populated spreadsheet file struct
-// for it. For example, open spreadsheet with password protection:
+// OpenFile take the name of an spreadsheet file and returns a populated
+// spreadsheet file struct for it. For example, open spreadsheet with
+// password protection:
 //
 //    f, err := excelize.OpenFile("Book1.xlsx", excelize.Options{Password: "password"})
 //    if err != nil {
 //        return
 //    }
 //
-// Note that the excelize just support decrypt and not support encrypt currently, the spreadsheet
-// saved by Save and SaveAs will be without password unprotected.
+// Note that the excelize just support decrypt and not support encrypt
+// currently, the spreadsheet saved by Save and SaveAs will be without
+// password unprotected.
+//
+// UnzipSizeLimit specified the unzip size limit in bytes on open the
+// spreadsheet, the default size limit is 16GB.
 func OpenFile(filename string, opt ...Options) (*File, error) {
-	file, err := os.Open(filename)
+	file, err := os.Open(filepath.Clean(filename))
 	if err != nil {
 		return nil, err
 	}
@@ -89,6 +96,7 @@ func OpenFile(filename string, opt ...Options) (*File, error) {
 // newFile is object builder
 func newFile() *File {
 	return &File{
+		options:          &Options{UnzipSizeLimit: UnzipSizeLimit},
 		xmlAttr:          make(map[string][]xml.Attr),
 		checked:          make(map[string]bool),
 		sheetMap:         make(map[string]string),
@@ -111,10 +119,13 @@ func OpenReader(r io.Reader, opt ...Options) (*File, error) {
 		return nil, err
 	}
 	f := newFile()
-	if bytes.Contains(b, oleIdentifier) && len(opt) > 0 {
-		for _, o := range opt {
-			f.options = &o
+	for i := range opt {
+		f.options = &opt[i]
+		if f.options.UnzipSizeLimit == 0 {
+			f.options.UnzipSizeLimit = UnzipSizeLimit
 		}
+	}
+	if bytes.Contains(b, oleIdentifier) {
 		b, err = Decrypt(b, f.options)
 		if err != nil {
 			return nil, fmt.Errorf("decrypted file failed")
@@ -124,8 +135,7 @@ func OpenReader(r io.Reader, opt ...Options) (*File, error) {
 	if err != nil {
 		return nil, err
 	}
-
-	file, sheetCount, err := ReadZipReader(zr)
+	file, sheetCount, err := ReadZipReader(zr, f.options)
 	if err != nil {
 		return nil, err
 	}
@@ -316,18 +326,18 @@ func (f *File) UpdateLinkedValue() error {
 	// recalculate formulas
 	wb.CalcPr = nil
 	for _, name := range f.GetSheetList() {
-		xlsx, err := f.workSheetReader(name)
+		ws, err := f.workSheetReader(name)
 		if err != nil {
 			if err.Error() == fmt.Sprintf("sheet %s is chart sheet", trimSheetName(name)) {
 				continue
 			}
 			return err
 		}
-		for indexR := range xlsx.SheetData.Row {
-			for indexC, col := range xlsx.SheetData.Row[indexR].C {
+		for indexR := range ws.SheetData.Row {
+			for indexC, col := range ws.SheetData.Row[indexR].C {
 				if col.F != nil && col.V != "" {
-					xlsx.SheetData.Row[indexR].C[indexC].V = ""
-					xlsx.SheetData.Row[indexR].C[indexC].T = ""
+					ws.SheetData.Row[indexR].C[indexC].V = ""
+					ws.SheetData.Row[indexR].C[indexC].T = ""
 				}
 			}
 		}
@@ -381,7 +391,7 @@ func (f *File) AddVBAProject(bin string) error {
 			Type:   SourceRelationshipVBAProject,
 		})
 	}
-	file, _ := ioutil.ReadFile(bin)
+	file, _ := ioutil.ReadFile(filepath.Clean(bin))
 	f.Pkg.Store("xl/vbaProject.bin", file)
 	return err
 }

excelize_test.go

@@ -184,13 +184,9 @@ func TestSaveFile(t *testing.T) {
 
 func TestSaveAsWrongPath(t *testing.T) {
 	f, err := OpenFile(filepath.Join("test", "Book1.xlsx"))
-	if assert.NoError(t, err) {
-		// Test write file to not exist directory.
-		err = f.SaveAs("")
-		if assert.Error(t, err) {
-			assert.True(t, os.IsNotExist(err), "Error: %v: Expected os.IsNotExists(err) == true", err)
-		}
-	}
+	assert.NoError(t, err)
+	// Test write file to not exist directory.
+	assert.EqualError(t, f.SaveAs(""), "open .: is a directory")
 }
 
 func TestCharsetTranscoder(t *testing.T) {
@@ -204,6 +200,10 @@ func TestOpenReader(t *testing.T) {
 	_, err = OpenReader(bytes.NewReader(oleIdentifier), Options{Password: "password"})
 	assert.EqualError(t, err, "decrypted file failed")
 
+	// Test open spreadsheet with unzip size limit.
+	_, err = OpenFile(filepath.Join("test", "Book1.xlsx"), Options{UnzipSizeLimit: 100})
+	assert.EqualError(t, err, newUnzipSizeLimitError(100).Error())
+
 	// Test open password protected spreadsheet created by Microsoft Office Excel 2010.
 	f, err := OpenFile(filepath.Join("test", "encryptSHA1.xlsx"), Options{Password: "password"})
 	assert.NoError(t, err)
@@ -1226,6 +1226,7 @@ func TestWorkSheetReader(t *testing.T) {
 	f.Pkg.Store("xl/worksheets/sheet1.xml", MacintoshCyrillicCharset)
 	_, err := f.workSheetReader("Sheet1")
 	assert.EqualError(t, err, "xml decode error: XML syntax error on line 1: invalid UTF-8")
+	assert.EqualError(t, f.UpdateLinkedValue(), "xml decode error: XML syntax error on line 1: invalid UTF-8")
 
 	// Test on no checked worksheet.
 	f = NewFile()