github-advanced-security[bot] commented on code in PR #802:
URL: https://github.com/apache/incubator-baremaps/pull/802#discussion_r1391283419
##########
baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java:
##########
@@ -94,13 +203,20 @@
}
}
- public static void decompressTarBz2(Path sourcePath, Path targetPath) throws
IOException {
- try (var bufferedInputStream = new
BufferedInputStream(Files.newInputStream(sourcePath));
+ /**
+ * Decompresses a tar.bz2 file.
+ *
+ * @param source the source file
+ * @param target the target file
+ * @throws IOException if an I/O error occurs
+ */
+ protected static void decompressTarBz2(Path source, Path target) throws
IOException {
+ try (var bufferedInputStream = new
BufferedInputStream(Files.newInputStream(source));
var bzip2InputStream = new
BZip2CompressorInputStream(bufferedInputStream);
var tarInputStream = new TarArchiveInputStream(bzip2InputStream)) {
TarArchiveEntry entry;
while ((entry = (TarArchiveEntry) tarInputStream.getNextEntry()) !=
null) {
- var path = targetPath.resolve(entry.getName());
+ var path = target.resolve(entry.getName());
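Review bot: the last line of this hunk, `var path = target.resolve(entry.getName());`, still trusts the tar entry name; an entry containing `..` components or an absolute path resolves to a location outside `target`, so the copy that follows writes wherever the archive says. Normalize the resolved path and reject it unless it stays under the normalized target before any file system operation, e.g. `var path = target.resolve(entry.getName()).normalize(); if (!path.startsWith(target.normalize())) { throw new IOException("entry escapes target: " + entry.getName()); }`. Renaming `targetPath` to `target` and adding Javadoc does not change this.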
Review Comment:
## Arbitrary file access during archive extraction ("Zip Slip")
Unsanitized archive entry, which may contain '..', is used in a [file system
operation](1).
Unsanitized archive entry, which may contain '..', is used in a [file system
operation](2).
Unsanitized archive entry, which may contain '..', is used in a [file system
operation](3).
[Show more
details](https://github.com/apache/incubator-baremaps/security/code-scanning/837)
##########
baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java:
##########
@@ -57,26 +145,47 @@
}
}
- public static void decompressBzip2(Path sourcePath, Path targetPath) throws
IOException {
- try (var bufferedInputStream = new
BufferedInputStream(Files.newInputStream(sourcePath));
+ /**
+ * Decompresses a bzip2 file.
+ *
+ * @param source the source file
+ * @param target the target file
+ * @throws IOException if an I/O error occurs
+ */
+ protected static void decompressBzip2(Path source, Path target) throws
IOException {
+ try (var bufferedInputStream = new
BufferedInputStream(Files.newInputStream(source));
var bzip2InputStream = new
BZip2CompressorInputStream(bufferedInputStream)) {
- Files.copy(bzip2InputStream, targetPath,
StandardCopyOption.REPLACE_EXISTING);
+ Files.copy(bzip2InputStream, target,
StandardCopyOption.REPLACE_EXISTING);
}
}
- public static void decompressGzip(Path sourcePath, Path targetPath) throws
IOException {
- try (var zis = new GZIPInputStream(new
BufferedInputStream(Files.newInputStream(sourcePath)))) {
- Files.copy(zis, targetPath, StandardCopyOption.REPLACE_EXISTING);
+ /**
+ * Decompresses a gzip file.
+ *
+ * @param source the source file
+ * @param target the target file
+ * @throws IOException if an I/O error occurs
+ */
+ protected static void decompressGzip(Path source, Path target) throws
IOException {
+ try (var zis = new GZIPInputStream(new
BufferedInputStream(Files.newInputStream(source)))) {
+ Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
}
}
- public static void decompressTarGz(Path sourcePath, Path targetPath) throws
IOException {
- try (var bufferedInputStream = new
BufferedInputStream(Files.newInputStream(sourcePath));
+ /**
+ * Decompresses a tar.gz file.
+ *
+ * @param source the source file
+ * @param target the target file
+ * @throws IOException if an I/O error occurs
+ */
+ protected static void decompressTarGz(Path source, Path target) throws
IOException {
+ try (var bufferedInputStream = new
BufferedInputStream(Files.newInputStream(source));
var gzipInputStream = new GZIPInputStream(bufferedInputStream);
var tarInputStream = new TarArchiveInputStream(gzipInputStream)) {
TarArchiveEntry entry;
while ((entry = (TarArchiveEntry) tarInputStream.getNextEntry()) !=
null) {
- var path = targetPath.resolve(entry.getName());
+ var path = target.resolve(entry.getName());
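Review bot: `decompressTarGz` has the same unchecked `target.resolve(entry.getName())` as the tar.bz2 path, so a crafted entry name can place files outside `target`; the fix is the same normalize-and-`startsWith` check, and it is worth moving it into one shared helper so all four archive methods use it. A documentation point on the added Javadoc: `@param target the target file` is accurate for `decompressBzip2` and `decompressGzip`, which write one file, but for `decompressTarGz` the target is the directory entries are extracted into, so that comment should say so.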
Review Comment:
## Arbitrary file access during archive extraction ("Zip Slip")
Unsanitized archive entry, which may contain '..', is used in a [file system
operation](1).
Unsanitized archive entry, which may contain '..', is used in a [file system
operation](2).
Unsanitized archive entry, which may contain '..', is used in a [file system
operation](3).
[Show more
details](https://github.com/apache/incubator-baremaps/security/code-scanning/836)
##########
baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java:
##########
@@ -118,12 +234,19 @@
}
}
- public static void decompressZip(Path sourcePath, Path targetPath) throws
IOException {
- try (var zipFile = new ZipFile(sourcePath.toFile())) {
+ /**
+ * Decompresses a zip file.
+ *
+ * @param source the source file
+ * @param target the target file
+ * @throws IOException if an I/O error occurs
+ */
+ protected static void decompressZip(Path source, Path target) throws
IOException {
+ try (var zipFile = new ZipFile(source.toFile())) {
var entries = zipFile.entries();
while (entries.hasMoreElements()) {
var entry = entries.nextElement();
- var path = targetPath.resolve(entry.getName());
+ var path = target.resolve(entry.getName());
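Review bot: `var path = target.resolve(entry.getName());` in `decompressZip` is unchecked as well; zip entry names are fully attacker controlled and may contain `..` or start with `/`, so the resolved path must be normalized and verified to start with the normalized `target` before the entry is written. The `@param target the target file` Javadoc has the same directory-versus-file inaccuracy as in the tar methods.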
Review Comment:
## Arbitrary file access during archive extraction ("Zip Slip")
Unsanitized archive entry, which may contain '..', is used in a [file system
operation](1).
Unsanitized archive entry, which may contain '..', is used in a [file system
operation](2).
Unsanitized archive entry, which may contain '..', is used in a [file system
operation](3).
[Show more
details](https://github.com/apache/incubator-baremaps/security/code-scanning/838)
##########
baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java:
##########
@@ -57,26 +145,47 @@
}
}
- public static void decompressBzip2(Path sourcePath, Path targetPath) throws
IOException {
- try (var bufferedInputStream = new
BufferedInputStream(Files.newInputStream(sourcePath));
+ /**
+ * Decompresses a bzip2 file.
+ *
+ * @param source the source file
+ * @param target the target file
+ * @throws IOException if an I/O error occurs
+ */
+ protected static void decompressBzip2(Path source, Path target) throws
IOException {
+ try (var bufferedInputStream = new
BufferedInputStream(Files.newInputStream(source));
var bzip2InputStream = new
BZip2CompressorInputStream(bufferedInputStream)) {
- Files.copy(bzip2InputStream, targetPath,
StandardCopyOption.REPLACE_EXISTING);
+ Files.copy(bzip2InputStream, target,
StandardCopyOption.REPLACE_EXISTING);
}
}
- public static void decompressGzip(Path sourcePath, Path targetPath) throws
IOException {
- try (var zis = new GZIPInputStream(new
BufferedInputStream(Files.newInputStream(sourcePath)))) {
- Files.copy(zis, targetPath, StandardCopyOption.REPLACE_EXISTING);
+ /**
+ * Decompresses a gzip file.
+ *
+ * @param source the source file
+ * @param target the target file
+ * @throws IOException if an I/O error occurs
+ */
+ protected static void decompressGzip(Path source, Path target) throws
IOException {
+ try (var zis = new GZIPInputStream(new
BufferedInputStream(Files.newInputStream(source)))) {
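Review bot: in `decompressGzip` the nested construction `new GZIPInputStream(new BufferedInputStream(Files.newInputStream(source)))` leaks the `BufferedInputStream` (and the underlying file channel) if the `GZIPInputStream` constructor throws, which it does on a malformed gzip header, because only the outermost object is a try-with-resources resource. Declare them separately, as `decompressBzip2` in this hunk already does: `try (var bufferedInputStream = new BufferedInputStream(Files.newInputStream(source)); var zis = new GZIPInputStream(bufferedInputStream)) { ... }`.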
Review Comment:
## Potential input resource leak
This BufferedInputStream is not always closed on method exit.
[Show more
details](https://github.com/apache/incubator-baremaps/security/code-scanning/839)
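The three Zip Slip findings and the resource-leak finding above come down to two changes: resolve every entry name through a check that keeps it under the target directory, and open each stream as its own try-with-resources resource. The following is an added example written for this review and is not code from the PR or from the Baremaps project; the class name `SafeExtract`, the helper `resolveInside`, and the method signatures are assumptions chosen to mirror the methods in the diff. The same `resolveInside` helper applies unchanged to the zip and tar.bz2 loops.

```java
// Added example, not part of the PR or the Baremaps project.
// Assumed class and helper names; the archive library is commons-compress,
// which the diff already uses for TarArchiveInputStream.
import java.io.BufferedInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.GZIPInputStream;
import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;

public final class SafeExtract {

  /**
   * Resolves an archive entry name under the target directory and rejects any
   * name that would land outside it (".." components, absolute paths).
   * Both sides are normalized first so "a/../.." style names cannot slip through.
   */
  static Path resolveInside(Path target, String entryName) throws IOException {
    Path root = target.toAbsolutePath().normalize();
    Path resolved = root.resolve(entryName).normalize();
    // Path.startsWith compares whole path components, so "/tmp/out2" does not
    // count as being inside "/tmp/out".
    if (!resolved.startsWith(root)) {
      throw new IOException("Archive entry escapes target directory: " + entryName);
    }
    return resolved;
  }

  /** Extracts a tar.gz archive into the target directory with the escape check applied. */
  static void decompressTarGz(Path source, Path target) throws IOException {
    try (var bufferedInputStream = new BufferedInputStream(Files.newInputStream(source));
        var gzipInputStream = new GZIPInputStream(bufferedInputStream);
        var tarInputStream = new TarArchiveInputStream(gzipInputStream)) {
      TarArchiveEntry entry;
      while ((entry = (TarArchiveEntry) tarInputStream.getNextEntry()) != null) {
        // Every entry goes through the check before any file system operation.
        Path path = resolveInside(target, entry.getName());
        if (entry.isDirectory()) {
          Files.createDirectories(path);
        } else {
          Files.createDirectories(path.getParent());
          Files.copy(tarInputStream, path, StandardCopyOption.REPLACE_EXISTING);
        }
      }
    }
  }

  /** Decompresses a single gzip file; each stream is its own resource so none leak. */
  static void decompressGzip(Path source, Path target) throws IOException {
    // If the GZIPInputStream constructor throws (for example on a bad header),
    // try-with-resources still closes bufferedInputStream, which the nested
    // "new GZIPInputStream(new BufferedInputStream(...))" form in the diff does not.
    try (var bufferedInputStream = new BufferedInputStream(Files.newInputStream(source));
        var gzipInputStream = new GZIPInputStream(bufferedInputStream)) {
      Files.copy(gzipInputStream, target, StandardCopyOption.REPLACE_EXISTING);
    }
  }

  public static void main(String[] args) throws IOException {
    // Demonstrates the check on constructed entry names without touching an archive.
    Path target = Path.of("out");
    System.out.println(resolveInside(target, "data/file.txt")); // accepted
    try {
      resolveInside(target, "../../etc/file.txt"); // rejected
    } catch (IOException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

The check is deliberately placed before `createDirectories` and `copy` rather than after, since a rejected entry must cause no file system side effect at all; throwing also aborts the whole extraction, which is the safer default for a workflow task that should not continue on a partially written, possibly hostile archive.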
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]