奇安信CodeSafe

icon indicating a website link http://www.codesafe.cn/

Results 348 issues of 奇安信CodeSafe

Wrong usage of defer

The defer statement must be placed after the error check. Otherwise `file` may be nil. https://github.com/baidu/baiducloud-sdk-go/blob/5b6f2726970bd9ab9cdc40c9ad9e63238abd5b0b/bos/client.go#L895-L900

zip_slip

Util.java中的copyToFile()解压文件时,未校验zip条目名,当条目名中带有../时(可能时攻击者恶意构造的),可能会覆盖其他铭感文件 ![图片](https://user-images.githubusercontent.com/39950310/58950414-5110bc80-87c1-11e9-9f94-08ee11854fd3.png)

There is a vulnerability in ant 1.9.4,upgrade recommended

https://github.com/baidu/ipipe-agent/blob/f163cddfba6bbd42d63dba4ef49c3374dfb9fc79/agent-core/pom.xml#L109-L113 CVE-2020-1945 Recommended upgrade version: 1.9.15

There is a vulnerability in logback 1.0.13,upgrade recommended

https://github.com/baidu/ipipe-agent/blob/f163cddfba6bbd42d63dba4ef49c3374dfb9fc79/agent-core/pom.xml#L35-L39 CVE-2017-5929 Recommended upgrade version:1.1.11

There is a vulnerability in commons-collections 3.2.1,upgrade recommended

https://github.com/baidu/ipipe-agent/blob/f163cddfba6bbd42d63dba4ef49c3374dfb9fc79/agent-core/pom.xml#L47-L51 CVE-2017-15708 CVE-2015-7501 CVE-2015-6420 Recommended upgrade version:3.2.2

There is a vulnerability in spring-boot 1.5.14.RELEASE ,upgrade recommended

https://github.com/baidu/Jprotobuf-rpc-socket/blob/3dc47f55c2fd2e59ac99b14702d3fe563629b7d7/jprotobuf-rpc-spring-starter/pom.xml#L18 CVE-2020-5421 Recommended upgrade version:2.1.17.RELEASE

There is a vulnerability in netty 4.0.56.Final ,upgrade recommended

https://github.com/baidu/Jprotobuf-rpc-socket/blob/3dc47f55c2fd2e59ac99b14702d3fe563629b7d7/pom.xml#L33 CVE-2019-20445 CVE-2019-20444 CVE-2019-16869 CVE-2021-21409 CVE-2021-21290 CVE-2021-21295 Recommended upgrade version:4.1.61.Final

Double-Checked Locking

https://github.com/baidu/Jprotobuf-rpc-socket/blob/bab1e2ffc796cd8d31667474b3cdb96bbd24749d/jprotobuf-rpc-core-spring/src/main/java/com/baidu/jprotobuf/pbrpc/spring/annotation/CommonAnnotationBeanPostProcessor.java#L250-L261 Double-Checked Locking is widely cited and used as an efficient method for implementing lazy initialization in a multithreaded environment. Unfortunately, it will not work reliably in a platform independent...

byte数组转String时未指定编码

https://github.com/baidu/Jprotobuf-rpc-socket/blob/ccedb032819f1dbed0dd7bfe6364841a2f5fad88/jprotobuf-rpc-core-test/src/main/java/com/baidu/jprotobuf/pbrpc/EchoClientAttachmentHandler.java#L50 将字节数组的数据转换为String时如果未指定编码,可能会导致数据丢失。

There is a vulnerability in kubernetes v1.8.15,upgrade recommended

https://github.com/baidu/paddle-on-k8s-operator/blob/e139c8da8da710e11f54188f792420300fa8819b/go.mod#L57 CVE-2018-1002105 CVE-2019-9946 CVE-2020-8558 CVE-2019-9946 Recommended upgrade version:v1.20.0-alpha.3