github-advanced-security[bot] commented on code in PR #415: URL: https://github.com/apache/uima-uimaj/pull/415#discussion_r1846499708
########## uimaj-core/src/main/java/org/apache/uima/pear/util/FileUtil.java:
##########
@@ -767,36 +766,38 @@ long totalBytes = 0; byte[] block = new byte[4096]; - String prefix = normalizeToUnix(targetDir.getCanonicalPath()); + var prefix = normalizeToUnix(targetDir.getCanonicalPath()); if (!prefix.endsWith(UNIX_SEPARATOR)) { prefix = prefix + UNIX_SEPARATOR_CHAR; } - Enumeration<JarEntry> jarList = jarFile.entries(); + var jarList = jarFile.entries(); while (jarList.hasMoreElements()) { - JarEntry jarEntry = jarList.nextElement(); + var jarEntry = jarList.nextElement(); // check that file is accepted if (jarEntry.isDirectory() || (filter != null && !filter.accept(new File(jarEntry.getName())))) { continue; } // make sure the file directory exists - File file = new File(targetDir, jarEntry.getName()); + var entryName = jarEntry.getName();

Review Comment:
## Arbitrary file access during archive extraction ("Zip Slip")

Unsanitized archive entry, which may contain '..', is used in a [file system operation](1).
Unsanitized archive entry, which may contain '..', is used in a [file system operation](2).
Unsanitized archive entry, which may contain '..', is used in a [file system operation](3).

[Show more details](https://github.com/apache/uima-uimaj/security/code-scanning/17)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@uima.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
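Review bot: the hunk stops at `+ var entryName = jarEntry.getName();` before any check on `entryName` is visible, and the scanner still reports three file system operations using the unsanitized entry, so the lines shown do not yet close the finding. Whatever follows `entryName` should resolve the entry against the target and compare canonical paths, for example `var canonical = normalizeToUnix(new File(targetDir, entryName).getCanonicalPath());` and then reject the entry unless `canonical.startsWith(prefix)`, and that rejection must come before any `mkdirs()` or output stream is opened on the path. The `UNIX_SEPARATOR_CHAR` appended to `prefix` above is the right detail to keep, since without it an entry resolving to `/target-other/x` would pass a `startsWith("/target")` check. Comparing canonical paths is preferable to scanning `entryName` for `..`, because it covers every way `File` can resolve the name outside `targetDir`. Separately, the `String`, `Enumeration<JarEntry>` and `JarEntry` to `var` rewrites in this hunk are cosmetic and would be easier to review in their own commit, kept apart from the security fix.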
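For readers following the alert, the following is an added, self-contained Java example of the canonical-prefix check the hunk is building toward; it is not code from uima-uimaj, and `normalizeToUnix`, `resolveEntry` and `extract` are stand-ins written here, not the project's own helpers. The `main` method constructs a throwaway jar containing one benign entry and one `../evil.txt` entry in a temporary directory and shows the second being rejected before anything is written.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;

public class SafeJarExtract {

    // Stand-in for the project's normalizeToUnix: use '/' regardless of platform.
    static String normalizeToUnix(String path) {
        return path.replace(File.separatorChar, '/');
    }

    // Resolve an archive entry name under targetDir and refuse anything that
    // canonicalizes outside it. The trailing '/' on prefix stops "/out-other/x"
    // from being accepted as inside "/out".
    static File resolveEntry(File targetDir, String entryName) throws IOException {
        String prefix = normalizeToUnix(targetDir.getCanonicalPath());
        if (!prefix.endsWith("/")) {
            prefix = prefix + "/";
        }
        File out = new File(targetDir, entryName);
        String canonical = normalizeToUnix(out.getCanonicalPath());
        if (!canonical.startsWith(prefix)) {
            throw new IOException("Zip Slip: entry '" + entryName
                    + "' resolves to " + canonical + " outside " + prefix);
        }
        return out;
    }

    // Extract every regular entry; the check runs before mkdirs() or any write.
    static int extract(File jar, File targetDir) throws IOException {
        int written = 0;
        try (JarFile jarFile = new JarFile(jar)) {
            var entries = jarFile.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory()) {
                    continue;
                }
                File out = resolveEntry(targetDir, entry.getName());
                File parent = out.getParentFile();
                if (parent != null && !parent.isDirectory() && !parent.mkdirs()) {
                    throw new IOException("cannot create " + parent);
                }
                try (InputStream in = jarFile.getInputStream(entry)) {
                    Files.copy(in, out.toPath(), StandardCopyOption.REPLACE_EXISTING);
                }
                written++;
            }
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a jar with one good entry and one traversal entry.
        Path tmp = Files.createTempDirectory("zipslip-demo");
        File jar = tmp.resolve("demo.jar").toFile();
        try (JarOutputStream jos = new JarOutputStream(new FileOutputStream(jar))) {
            jos.putNextEntry(new JarEntry("ok/inner.txt"));
            jos.write("fine".getBytes(StandardCharsets.UTF_8));
            jos.closeEntry();
            jos.putNextEntry(new JarEntry("../evil.txt"));
            jos.write("escaped".getBytes(StandardCharsets.UTF_8));
            jos.closeEntry();
        }
        File target = tmp.resolve("out").toFile();
        if (!target.mkdirs()) {
            throw new IOException("cannot create " + target);
        }
        try {
            extract(jar, target);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // The traversal entry must never have reached the parent directory.
        System.out.println("ok/inner.txt written: " + new File(target, "ok/inner.txt").exists());
        System.out.println("evil.txt escaped:     " + tmp.resolve("evil.txt").toFile().exists());
    }
}
```

Both sides of the comparison go through `getCanonicalPath()`, so symlinked temp directories (for example `/tmp` on macOS) and `..` segments are resolved the same way on each side; comparing a canonical path against a merely normalized one would produce false rejections or, worse, false acceptances.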