github-advanced-security[bot] commented on code in PR #7958:
URL: https://github.com/apache/nifi/pull/7958#discussion_r1376902545
##########
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-nar-utils/src/main/java/org/apache/nifi/nar/NarUnpacker.java:
##########
@@ -670,6 +659,16 @@
}
}
+ private static File getJarEntryFile(final File workingDirectory, final
JarEntry jarEntry) {
+ final Path workingDirectoryPath = workingDirectory.toPath();
+ final String jarEntryName =
jarEntry.getName().replace(BUNDLED_DEPENDENCIES_PREFIX,
BUNDLED_DEPENDENCIES_DIRECTORY);
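Review bot: in the visible lines of getJarEntryFile, jarEntryName is derived from jarEntry.getName() with a plain String.replace of BUNDLED_DEPENDENCIES_PREFIX, which leaves any `..` segments in the entry name intact; before the returned File is handed to a file system operation, the name should be resolved against workingDirectoryPath, normalized, and rejected when the normalized result does not start with workingDirectoryPath (e.g. `final Path target = workingDirectoryPath.resolve(jarEntryName).normalize(); if (!target.startsWith(workingDirectoryPath)) throw new IOException(...)`). The remainder of the method is outside this hunk, so if that check exists there it is not visible here and is worth confirming.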
Review Comment:
## Arbitrary file access during archive extraction ("Zip Slip")
Unsanitized archive entry, which may contain '..', is used in a [file system operation](1).
Unsanitized archive entry, which may contain '..', is used in a [file system operation](2).
Unsanitized archive entry, which may contain '..', is used in a [file system operation](3).
Unsanitized archive entry, which may contain '..', is used in a [file system operation](4).
[Show more details](https://github.com/apache/nifi/security/code-scanning/57)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
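The check the Zip Slip finding above asks for, as an added example that is not NiFi's code from the PR: the unsafe variant mirrors the hunk (a String.replace on the entry name, nothing more), and the hardened variant resolves, normalizes and verifies the target stays under the working directory. The constant values and the `/tmp/nar-work` directory are assumed stand-ins, not taken from NarUnpacker.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example, not NiFi's code: entry-path resolution with and without the Zip Slip check. */
public final class SafeEntryResolver {
    // Assumed stand-in values; the real constants live in NarUnpacker and are not shown in the hunk.
    private static final String BUNDLED_DEPENDENCIES_PREFIX = "META-INF/bundled-dependencies";
    private static final String BUNDLED_DEPENDENCIES_DIRECTORY = "NAR-INF/bundled-dependencies";

    /** Mirrors the hunk: only a String.replace, so ".." segments in the entry name survive. */
    static Path unsafeEntryPath(final Path workingDirectory, final String entryName) {
        final String mapped = entryName.replace(BUNDLED_DEPENDENCIES_PREFIX, BUNDLED_DEPENDENCIES_DIRECTORY);
        return workingDirectory.resolve(mapped);
    }

    /** Hardened: resolve, normalize, then require the result to remain inside workingDirectory. */
    static Path safeEntryPath(final Path workingDirectory, final String entryName) throws IOException {
        final String mapped = entryName.replace(BUNDLED_DEPENDENCIES_PREFIX, BUNDLED_DEPENDENCIES_DIRECTORY);
        final Path root = workingDirectory.toAbsolutePath().normalize();
        // resolve() returns an absolute entry name unchanged, so absolute names also fail the check below.
        final Path target = root.resolve(mapped).normalize();
        // startsWith compares whole path components, so "nar-work" does not match "nar-work-evil".
        if (!target.startsWith(root)) {
            throw new IOException("Archive entry escapes working directory: " + entryName);
        }
        return target;
    }

    public static void main(final String[] args) throws IOException {
        final Path work = Paths.get("/tmp/nar-work"); // constructed working directory
        // Constructed entry names: one ordinary, one carrying traversal segments.
        final String good = "META-INF/bundled-dependencies/lib.jar";
        final String bad = "META-INF/bundled-dependencies/../../../escaped.jar";

        System.out.println(unsafeEntryPath(work, good));
        System.out.println(unsafeEntryPath(work, bad).normalize()); // lands outside /tmp/nar-work
        System.out.println(safeEntryPath(work, good));
        try {
            safeEntryPath(work, bad);
        } catch (final IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```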