github-advanced-security[bot] commented on code in PR #870:
URL: https://github.com/apache/incubator-baremaps/pull/870#discussion_r1635537778


##########
baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java:
##########
@@ -165,20 +150,24 @@
     try (var bufferedInputStream = new 
BufferedInputStream(Files.newInputStream(source));
         var bzip2InputStream = new 
BZip2CompressorInputStream(bufferedInputStream);
         var tarInputStream = new TarArchiveInputStream(bzip2InputStream)) {
-      TarArchiveEntry entry;
-      while ((entry = (TarArchiveEntry) tarInputStream.getNextEntry()) != 
null) {
-        var path = target.resolve(entry.getName());
-        if (entry.isDirectory()) {
-          Files.createDirectories(path);
-        } else {
-          Files.createDirectories(path.getParent());
-          Files.write(path, new byte[] {},
-              StandardOpenOption.CREATE,
-              StandardOpenOption.TRUNCATE_EXISTING);
-          try (BufferedOutputStream outputStream =
-              new BufferedOutputStream(Files.newOutputStream(path))) {
-            tarInputStream.transferTo(outputStream);
-          }
+      decompressTar(target, tarInputStream);
+    }
+  }
+
+  private static void decompressTar(Path target, TarArchiveInputStream 
tarInputStream) throws IOException {
+    TarArchiveEntry entry;
+    while ((entry = tarInputStream.getNextEntry()) != null) {
+      var path = target.resolve(entry.getName());
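Review bot: the new `decompressTar` still resolves `entry.getName()` against `target` with no containment check (last line of the hunk, `var path = target.resolve(entry.getName());`), so the refactor carries the Zip Slip weakness of the removed loop into the extracted method; an entry name with `..` segments, or an absolute name (which `Path.resolve` returns unchanged), yields a path outside `target` that is then passed to `createDirectories`/`newOutputStream`. Suggest normalizing and rejecting escapes before any file system call, e.g. `var path = target.resolve(entry.getName()).normalize();` followed by `if (!path.startsWith(target.normalize())) throw new IOException("entry escapes target: " + entry.getName());`. The hunk also drops the cast on `getNextEntry()`; that is fine with a commons-compress version whose `TarArchiveInputStream.getNextEntry()` already returns `TarArchiveEntry`, so it is worth confirming the pinned dependency version matches.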

Review Comment:
   ## Arbitrary file access during archive extraction ("Zip Slip")
   
   Unsanitized archive entry, which may contain '..', is used in a [file system operation](1).
   Unsanitized archive entry, which may contain '..', is used in a [file system operation](2).
   Unsanitized archive entry, which may contain '..', is used in a [file system operation](3).
   Unsanitized archive entry, which may contain '..', is used in a [file system operation](4).
   
   [Show more details](https://github.com/apache/incubator-baremaps/security/code-scanning/1446)
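The containment check the scanner is asking for, as an added stand-alone example (not code from the Baremaps project or from the PR); the class name `SafeEntryPath`, the method `resolveInside` and the sample entry names are hypothetical, and the destination `/tmp/extract` is a constructed value:

```java
import java.io.IOException;
import java.nio.file.Path;

/** Resolves a tar/zip entry name under a target directory, rejecting entries that escape it. */
public final class SafeEntryPath {

  private SafeEntryPath() {}

  /**
   * Returns the absolute, normalized path for entryName inside target, or throws
   * if the entry would land outside target. Call this before any
   * createDirectories / newOutputStream on the entry.
   */
  public static Path resolveInside(Path target, String entryName) throws IOException {
    Path base = target.toAbsolutePath().normalize();
    // Path.resolve returns the argument itself when it is absolute, so an entry
    // named "/etc/passwd" escapes too; normalize() folds "." and ".." segments
    // so the startsWith check sees the real destination.
    Path candidate = base.resolve(entryName).normalize();
    if (!candidate.startsWith(base)) {
      throw new IOException("Archive entry escapes target directory: " + entryName);
    }
    return candidate;
  }

  // Constructed demo: the first entry is accepted, the other three are rejected.
  public static void main(String[] args) {
    Path target = Path.of("/tmp/extract"); // hypothetical destination directory
    String[] entries = {
      "data/tiles.pbf",          // stays inside target
      "../../etc/cron.d/job",    // climbs out with ".."
      "data/../../escaped.txt",  // ".." hidden behind a legitimate prefix
      "/etc/passwd"              // absolute name, returned unchanged by resolve()
    };
    for (String name : entries) {
      try {
        System.out.println("ok       " + resolveInside(target, name));
      } catch (IOException e) {
        System.out.println("rejected " + name + " (" + e.getMessage() + ")");
      }
    }
  }
}
```

Inside an extraction loop the returned path replaces the raw `target.resolve(entry.getName())`, so a malicious entry fails before any directory or file is created.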



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
