github-advanced-security[bot] commented on code in PR #802:
URL: https://github.com/apache/incubator-baremaps/pull/802#discussion_r1391283419


##########
baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java:
##########
@@ -94,13 +203,20 @@
     }
   }
 
-  public static void decompressTarBz2(Path sourcePath, Path targetPath) throws 
IOException {
-    try (var bufferedInputStream = new 
BufferedInputStream(Files.newInputStream(sourcePath));
+  /**
+   * Decompresses a tar.bz2 file.
+   * 
+   * @param source the source file
+   * @param target the target file
+   * @throws IOException if an I/O error occurs
+   */
+  protected static void decompressTarBz2(Path source, Path target) throws 
IOException {
+    try (var bufferedInputStream = new 
BufferedInputStream(Files.newInputStream(source));
         var bzip2InputStream = new 
BZip2CompressorInputStream(bufferedInputStream);
         var tarInputStream = new TarArchiveInputStream(bzip2InputStream)) {
       TarArchiveEntry entry;
       while ((entry = (TarArchiveEntry) tarInputStream.getNextEntry()) != 
null) {
-        var path = targetPath.resolve(entry.getName());
+        var path = target.resolve(entry.getName());
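
Review bot: the last line of the hunk, `var path = target.resolve(entry.getName());`, uses the entry name straight from the archive, and a name with `..` components (or an absolute name, which `Path.resolve` returns unchanged) yields a path outside `target`; whatever file system operation follows on `path` in the part of the loop not shown here then operates outside the extraction directory, which is the Zip Slip finding the scanner reports. Normalize and check containment before using the path, for example `var path = target.resolve(entry.getName()).normalize();` followed by `if (!path.startsWith(target.normalize())) { throw new IOException("Archive entry escapes target directory: " + entry.getName()); }`. The new Javadoc also calls `target` "the target file", but here it is the directory the tar entries are extracted into; documenting that makes the containment contract explicit.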

Review Comment:
   ## Arbitrary file access during archive extraction ("Zip Slip")
   
   Unsanitized archive entry, which may contain '..', is used in a [file system operation](1).
   Unsanitized archive entry, which may contain '..', is used in a [file system operation](2).
   Unsanitized archive entry, which may contain '..', is used in a [file system operation](3).
   
   [Show more details](https://github.com/apache/incubator-baremaps/security/code-scanning/837)



##########
baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java:
##########
@@ -57,26 +145,47 @@
     }
   }
 
-  public static void decompressBzip2(Path sourcePath, Path targetPath) throws 
IOException {
-    try (var bufferedInputStream = new 
BufferedInputStream(Files.newInputStream(sourcePath));
+  /**
+   * Decompresses a bzip2 file.
+   * 
+   * @param source the source file
+   * @param target the target file
+   * @throws IOException if an I/O error occurs
+   */
+  protected static void decompressBzip2(Path source, Path target) throws 
IOException {
+    try (var bufferedInputStream = new 
BufferedInputStream(Files.newInputStream(source));
         var bzip2InputStream = new 
BZip2CompressorInputStream(bufferedInputStream)) {
-      Files.copy(bzip2InputStream, targetPath, 
StandardCopyOption.REPLACE_EXISTING);
+      Files.copy(bzip2InputStream, target, 
StandardCopyOption.REPLACE_EXISTING);
     }
   }
 
-  public static void decompressGzip(Path sourcePath, Path targetPath) throws 
IOException {
-    try (var zis = new GZIPInputStream(new 
BufferedInputStream(Files.newInputStream(sourcePath)))) {
-      Files.copy(zis, targetPath, StandardCopyOption.REPLACE_EXISTING);
+  /**
+   * Decompresses a gzip file.
+   * 
+   * @param source the source file
+   * @param target the target file
+   * @throws IOException if an I/O error occurs
+   */
+  protected static void decompressGzip(Path source, Path target) throws 
IOException {
+    try (var zis = new GZIPInputStream(new 
BufferedInputStream(Files.newInputStream(source)))) {
+      Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
     }
   }
 
-  public static void decompressTarGz(Path sourcePath, Path targetPath) throws 
IOException {
-    try (var bufferedInputStream = new 
BufferedInputStream(Files.newInputStream(sourcePath));
+  /**
+   * Decompresses a tar.gz file.
+   * 
+   * @param source the source file
+   * @param target the target file
+   * @throws IOException if an I/O error occurs
+   */
+  protected static void decompressTarGz(Path source, Path target) throws 
IOException {
+    try (var bufferedInputStream = new 
BufferedInputStream(Files.newInputStream(source));
         var gzipInputStream = new GZIPInputStream(bufferedInputStream);
         var tarInputStream = new TarArchiveInputStream(gzipInputStream)) {
       TarArchiveEntry entry;
       while ((entry = (TarArchiveEntry) tarInputStream.getNextEntry()) != 
null) {
-        var path = targetPath.resolve(entry.getName());
+        var path = target.resolve(entry.getName());
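
Review bot: `decompressTarGz` has the same unchecked `var path = target.resolve(entry.getName());` on the hunk's last line as the tar.bz2 method, so the same normalize-and-`startsWith(target.normalize())` containment check is needed before any operation on `path`. The copied Javadoc is also inaccurate for this method: `@param target the target file` is correct for `decompressBzip2` and `decompressGzip`, which `Files.copy` a single stream to `target`, but for `decompressTarGz` it is a directory. Separately, in `decompressGzip` the `new GZIPInputStream(new BufferedInputStream(Files.newInputStream(source)))` nesting leaves the inner stream outside the try-with-resources, so it is not closed when the `GZIPInputStream` constructor throws; give it its own resource variable as `decompressBzip2` does two methods above.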

Review Comment:
   ## Arbitrary file access during archive extraction ("Zip Slip")
   
   Unsanitized archive entry, which may contain '..', is used in a [file system operation](1).
   Unsanitized archive entry, which may contain '..', is used in a [file system operation](2).
   Unsanitized archive entry, which may contain '..', is used in a [file system operation](3).
   
   [Show more details](https://github.com/apache/incubator-baremaps/security/code-scanning/836)



##########
baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java:
##########
@@ -118,12 +234,19 @@
     }
   }
 
-  public static void decompressZip(Path sourcePath, Path targetPath) throws 
IOException {
-    try (var zipFile = new ZipFile(sourcePath.toFile())) {
+  /**
+   * Decompresses a zip file.
+   * 
+   * @param source the source file
+   * @param target the target file
+   * @throws IOException if an I/O error occurs
+   */
+  protected static void decompressZip(Path source, Path target) throws 
IOException {
+    try (var zipFile = new ZipFile(source.toFile())) {
       var entries = zipFile.entries();
       while (entries.hasMoreElements()) {
         var entry = entries.nextElement();
-        var path = targetPath.resolve(entry.getName());
+        var path = target.resolve(entry.getName());
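
Review bot: `var path = target.resolve(entry.getName());` on the hunk's last line trusts the zip entry name, so an entry named with `..` components, or with an absolute path (which `Path.resolve` returns as-is), resolves outside `target` before whatever write follows in the loop; this is the Zip Slip finding. Add `.normalize()` and reject entries where `!path.startsWith(target.normalize())` with an `IOException` naming the entry, and preferably put that check in one shared helper used by all four extraction methods rather than repeating it in each loop. `@param target the target file` should read directory here as well.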

Review Comment:
   ## Arbitrary file access during archive extraction ("Zip Slip")
   
   Unsanitized archive entry, which may contain '..', is used in a [file system operation](1).
   Unsanitized archive entry, which may contain '..', is used in a [file system operation](2).
   Unsanitized archive entry, which may contain '..', is used in a [file system operation](3).
   
   [Show more details](https://github.com/apache/incubator-baremaps/security/code-scanning/838)



##########
baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java:
##########
@@ -57,26 +145,47 @@
     }
   }
 
-  public static void decompressBzip2(Path sourcePath, Path targetPath) throws 
IOException {
-    try (var bufferedInputStream = new 
BufferedInputStream(Files.newInputStream(sourcePath));
+  /**
+   * Decompresses a bzip2 file.
+   * 
+   * @param source the source file
+   * @param target the target file
+   * @throws IOException if an I/O error occurs
+   */
+  protected static void decompressBzip2(Path source, Path target) throws 
IOException {
+    try (var bufferedInputStream = new 
BufferedInputStream(Files.newInputStream(source));
         var bzip2InputStream = new 
BZip2CompressorInputStream(bufferedInputStream)) {
-      Files.copy(bzip2InputStream, targetPath, 
StandardCopyOption.REPLACE_EXISTING);
+      Files.copy(bzip2InputStream, target, 
StandardCopyOption.REPLACE_EXISTING);
     }
   }
 
-  public static void decompressGzip(Path sourcePath, Path targetPath) throws 
IOException {
-    try (var zis = new GZIPInputStream(new 
BufferedInputStream(Files.newInputStream(sourcePath)))) {
-      Files.copy(zis, targetPath, StandardCopyOption.REPLACE_EXISTING);
+  /**
+   * Decompresses a gzip file.
+   * 
+   * @param source the source file
+   * @param target the target file
+   * @throws IOException if an I/O error occurs
+   */
+  protected static void decompressGzip(Path source, Path target) throws 
IOException {
+    try (var zis = new GZIPInputStream(new 
BufferedInputStream(Files.newInputStream(source)))) {
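
Review bot: in `decompressGzip`, `try (var zis = new GZIPInputStream(new BufferedInputStream(Files.newInputStream(source))))` makes only `zis` a managed resource; `GZIPInputStream`'s constructor reads and validates the gzip header, so when it throws (for example on input that is not gzip) the already-opened `BufferedInputStream` and the file stream beneath it are never closed, which is the leak the scanner reports. Mirror `decompressBzip2` earlier in this hunk: `try (var bufferedInputStream = new BufferedInputStream(Files.newInputStream(source));` then `var zis = new GZIPInputStream(bufferedInputStream)) {` so both streams are closed on every exit path.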

Review Comment:
   ## Potential input resource leak
   
   This BufferedInputStream is not always closed on method exit.
   
   [Show more details](https://github.com/apache/incubator-baremaps/security/code-scanning/839)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
