rewrite-java-security
Issue discovered on `indexing-hadoop/src/main/java/org/apache/druid/indexer/JobHelper.java` with `Zip slip`
Problem
There isn't a vulnerability here, but one is being detected and reported here.
Expected behavior
If a vulnerability isn't being fixed, no code changes should be generated.
Example diff
From: indexing-hadoop/src/main/java/org/apache/druid/indexer/JobHelper.java
try (ZipInputStream in = new ZipInputStream(fileSystem.open(zip, 1 << 13))) {
for (ZipEntry entry = in.getNextEntry(); entry != null; entry = in.getNextEntry()) {
final String fileName = entry.getName();
- final String outputPath = new File(outDir, fileName).getAbsolutePath();
+ final File zipEntryFile = new File(outDir, fileName);
+ final String outputPath = zipEntryFile.getAbsolutePath();
CompressionUtils.validateZipOutputFile(zip.getName(), new File(outputPath), outDir);
- try (final OutputStream out = new BufferedOutputStream(new FileOutputStream(outputPath))) {
+ try (final OutputStream out = new BufferedOutputStream(new FileOutputStream(new File(outputPath)))) {
for (int len = in.read(buffer); len >= 0; len = in.read(buffer)) {
progressable.progress();
if (len == 0) {
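Review bot: the rewritten lines add no check, so this diff should not have been emitted. The new `zipEntryFile` is used only to compute `outputPath`, and `new FileOutputStream(new File(outputPath))` opens exactly the same file as the original `new FileOutputStream(outputPath)`. The guard that actually matters is already on the unchanged line between them: `CompressionUtils.validateZipOutputFile(zip.getName(), new File(outputPath), outDir);` runs on the candidate file and the output directory before the stream is opened, so the project validates the entry path before any write. The recipe should recognise a validation call that receives both the candidate `File` and `outDir` between `new File(outDir, fileName)` and the `FileOutputStream` sink as a sanitizer and produce no change here; as it stands the output is a cosmetic reshuffle that could mislead a reviewer into believing a Zip Slip fix was applied.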
Recipes in example diff:
- org.openrewrite.java.security.ZipSlip

References:
- View original result
- Recipe ID: org.openrewrite.java.security.ZipSlip
- Recipe Name: Zip slip
- Repository: apache/druid/master
- Created at Mon Nov 06 2023 10:11:08 GMT-0800 (Pacific Standard Time)
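For context on what the recipe ought to be looking for: the Druid loop above is safe because the candidate file is handed to a validation call together with `outDir` before the output stream is opened, whereas the recipe's rewrite only changes how `outputPath` is built. The following is an added illustration, not code from Druid or from the ZipSlip recipe, of the guard pattern that defeats Zip Slip: resolve the entry name against the output directory, canonicalise both, and refuse any entry whose canonical path does not start with the output directory. The class and method names (`ZipSlipGuard`, `resolveEntry`) are made up for this example, and no claim is made that Druid's `validateZipOutputFile` is implemented this way.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

/**
 * Illustration of a Zip Slip guard (hypothetical names; not Druid's or OpenRewrite's code).
 * A zip entry name such as "../../etc/cron.d/evil" joined to the output directory would
 * otherwise land outside it; canonicalising both sides and testing the prefix stops that.
 */
public final class ZipSlipGuard {

    private ZipSlipGuard() {}

    /**
     * Returns the file the entry would be written to, or throws if that file lies
     * outside {@code outDir} once ".." segments and symlinks have been resolved.
     */
    public static File resolveEntry(File outDir, String entryName) throws IOException {
        // Same construction the extraction loop uses: join the entry name to outDir.
        File candidate = new File(outDir, entryName);

        // getCanonicalFile() resolves ".", "..", and symlinks on the existing part of the
        // path, so the comparison below is on real locations, not on raw strings.
        Path canonicalOut = outDir.getCanonicalFile().toPath();
        Path canonicalEntry = candidate.getCanonicalFile().toPath();

        // Path.startsWith compares whole path components, so "/out-other/x" is correctly
        // rejected for an outDir of "/out" (a String prefix test would accept it).
        if (!canonicalEntry.startsWith(canonicalOut)) {
            throw new IOException(
                "Zip entry [" + entryName + "] would escape output directory [" + outDir + "]");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        File outDir = new File(System.getProperty("java.io.tmpdir"), "zipslip-demo");

        // Constructed sample entry names: one benign, one hostile, one that only
        // looks hostile but stays inside the directory after normalisation.
        String[] entryNames = {
            "segment/00000.smoosh",
            "../../outside.txt",
            "a/../b.txt"
        };
        for (String name : entryNames) {
            try {
                System.out.println("ok    " + resolveEntry(outDir, name));
            } catch (IOException e) {
                System.out.println("deny  " + e.getMessage());
            }
        }
    }
}
```

A static analyser that models Zip Slip as "entry name flows from `getNextEntry()` into a file sink" needs to treat a call like this, which receives both the candidate file and the output directory and either returns or throws, as a sanitizer on that flow; otherwise it reports exactly the kind of false positive this issue describes.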