奇安信CodeSafe issues

Results 348 issues of


                                            奇安信CodeSafe

zip_slip

大家好，我是360代码卫士的工作人员，在我们的开源代码检测项目中，发现MRCMS项目中存在zip_slip的漏洞。 FileTools.java文件中提供了对zip文件进行解压的的api ![default](https://user-images.githubusercontent.com/39950310/46008944-b79cf100-c0f0-11e8-8847-61d751344def.png) ![default](https://user-images.githubusercontent.com/39950310/46008921-a81da800-c0f0-11e8-85cc-edf32754e812.png) 而项目的文件上传时仅用黑名单做了校验，禁止上传jsp文件 ![default](https://user-images.githubusercontent.com/39950310/46009333-c6d06e80-c0f1-11e8-94ad-7e0cf9b3b9f3.png) 恶意攻击者1.可以通过上传上传恶意的zip文件（zip条目中带有../），解压时以覆盖任意敏感文件2.通过上传含有恶意jsp文件的zip，解压后以达到上传一句话木马等目的由于解压zip文件的api在项目中并未用到，推测应该是方便用于二次开发。

There is a vulnerability in Apache Kudu 1.11.1,upgrade recommended

https://github.com/apache/incubator-seatunnel/blob/793933b6b863678d91c2d8146726b5c81c3a22a5/pom.xml#L173 CVE-2021-21295 CVE-2021-21409 Recommended upgrade version：1.16.0

stale

There is a vulnerability in numpy:1.15.4,upgrade recommended

https://github.com/microsoft/maro/blob/00d46964e0bb05b56a21caa220929fd60959f00f/maro/cli/maro_real_time_vis/back_end/vis_app/Pipfile.lock#L92-L124 CVE-2019-6446 CVE-2021-33430 CVE-2021-34141 CVE-2021-41495 CVE-2021-41496 Recommended upgrade version：1.21.5

There is a vulnerability in spotless-plugin-gradle 3.14.0 ,upgrade recommended

https://github.com/apache/iceberg/blob/997f571273509270904f4ce7490af0cbe9262190/build.gradle#L29-L36 https://github.com/apache/iceberg/blob/997f571273509270904f4ce7490af0cbe9262190/build.gradle#L32 CVE-2019-9843 Recommended upgrade version：3.20.0

stale

Unused Field

https://github.com/apache/iceberg/blob/454101c3573acb9cd94d6d9a306ed99a5a324ed9/data/src/main/java/org/apache/iceberg/data/orc/GenericOrcReaders.java#L54 This field is never used.

stale

There is a vulnerability in jsoup:1.12.1,upgrade recommended

https://github.com/Kotlin/kotlinx-browser/blob/fea1b1faa065f773d6f8e3b4449996e39aa0dda9/generator/build.gradle.kts#L15 CVE-2021-37714 CVE-2022-36033 Recommended upgrade version：1.15.3

Useless assignment found by static analyzer?

Hi all, This is Qihoo360 CodeSafe Team, we found a useless assignment in `libsvm`, see https://github.com/cjlin1/libsvm/blob/88a1881f03ca139beff93170d7e6f36477fabe54/svm.cpp#L2932. The return value of `strtok(line, ":")` assigned to `p`, and this value is never...

Another unreachable code issue.

Hi all, This is Qihoo360 CodeSafe Team, we found a unreachable code issue at https://github.com/miguelfreitas/twister-core/blob/53ffd95805ae3a3755a4fe97e2c85f173d221f47/libtorrent/src/utp_stream.cpp#L788 . `m_impl` is guaranteed to be `false` at line 788 because the null-check at the...

Unreachable code issue.

Hi all, This is 360 CodeSafe Team, we found two unreahcbale code issues at https://github.com/miguelfreitas/twister-core/blob/53ffd95805ae3a3755a4fe97e2c85f173d221f47/libtorrent/src/GeoIP.c#L772 and https://github.com/miguelfreitas/twister-core/blob/53ffd95805ae3a3755a4fe97e2c85f173d221f47/libtorrent/src/GeoIP.c#L779. Since I'm unfamiliar with `twister-core`, could you help me confirm these issues? Qihoo360...

Never used vraiable

src/ncsa.cpp 161 never used variable 'code'