github-advanced-security[bot] commented on code in PR #7940:
URL: https://github.com/apache/geode/pull/7940#discussion_r2490259837
##########
geode-management/src/main/java/org/apache/geode/management/internal/utils/JarFileUtils.java:
##########
@@ -49,6 +49,19 @@
* abc.jar or abc-1.0.0.jar, both should return abc
* @return the artifact id of the string
*/
+ // CodeQL Suppression: java/polynomial-redos
+ // JUSTIFICATION: The regex pattern is NOT actually polynomial, and input is
controlled.
Review Comment:
## Polynomial regular expression used on uncontrolled data
This [regular expression](1) that depends on a [user-provided value](2) may
run slow on strings starting with '-0' and with many repetitions of 'a'.
This [regular expression](1) that depends on a [user-provided value](3) may
run slow on strings starting with '-0' and with many repetitions of 'a'.
This [regular expression](1) that depends on a [user-provided value](4) may
run slow on strings starting with '-0' and with many repetitions of 'a'.
This [regular expression](1) that depends on a [user-provided value](5) may
run slow on strings starting with '-0' and with many repetitions of 'a'.
This [regular expression](1) that depends on a [user-provided value](6) may
run slow on strings starting with '-0' and with many repetitions of 'a'.
[Show more
details](https://github.com/apache/geode/security/code-scanning/97)
##########
geode-core/src/main/java/org/apache/geode/cache/query/internal/CompiledLike.java:
##########
@@ -430,6 +430,19 @@
throw new UnsupportedOperationException(
"Null values are not supported with LIKE predicate.");
}
+ // CodeQL Suppression: java/regex-injection
Review Comment:
## Regular expression injection
This regular expression is constructed from a [user-provided value](1).
This regular expression is constructed from a [user-provided value](2).
This regular expression is constructed from a [user-provided value](3).
This regular expression is constructed from a [user-provided value](4).
This regular expression is constructed from a [user-provided value](5).
This regular expression is constructed from a [user-provided value](6).
This regular expression is constructed from a [user-provided value](7).
This regular expression is constructed from a [user-provided value](8).
This regular expression is constructed from a [user-provided value](9).
[Show more
details](https://github.com/apache/geode/security/code-scanning/93)
##########
geode-core/src/main/java/org/apache/geode/management/internal/api/LocatorClusterManagementService.java:
##########
@@ -714,6 +714,22 @@
SimpleRemoteInputStream inputStream = null;
RemoteInputStream remoteInputStream = null;
try {
+ // CodeQL Suppression: java/path-injection
Review Comment:
## Uncontrolled data used in path expression
This path depends on a [user-provided value](1).
This path depends on a [user-provided value](2).
This path depends on a [user-provided value](3).
[Show more
details](https://github.com/apache/geode/security/code-scanning/107)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
