update tests for zip4j, add additional flow steps for zip4j, remove BombTypeInputStream class since we don't need it anymore, add a predicate which was for testing purpose and was junk

am0o0
2024-07-29 18:10:04 +02:00
parent c8749ff82e
commit 4dc1a10f71
2 changed files with 25 additions and 31 deletions


@@ -12,11 +12,11 @@ public class Zip4jHandler {
LocalFileHeader localFileHeader;
int readLen;
byte[] readBuffer = new byte[4096];
try (ZipInputStream zipInputStream = new ZipInputStream(inputStream)) { // $ hasTaintFlow="inputStream"
try (ZipInputStream zipInputStream = new ZipInputStream(inputStream)) {
while ((localFileHeader = zipInputStream.getNextEntry()) != null) {
File extractedFile = new File(localFileHeader.getFileName());
try (OutputStream outputStream = new FileOutputStream(extractedFile)) {
while ((readLen = zipInputStream.read(readBuffer)) != -1) {
while ((readLen = zipInputStream.read(readBuffer)) != -1) { // $ hasTaintFlow="zipInputStream"
outputStream.write(readBuffer, 0, readLen);
}
}
@@ -28,12 +28,12 @@ public class Zip4jHandler {
LocalFileHeader localFileHeader;
int readLen;
byte[] readBuffer = new byte[4096];
try (ZipInputStream zipInputStream = new ZipInputStream(inputStream)) { // $ hasTaintFlow="inputStream"
try (ZipInputStream zipInputStream = new ZipInputStream(inputStream)) {
while ((localFileHeader = zipInputStream.getNextEntry()) != null) {
File extractedFile = new File(localFileHeader.getFileName());
try (OutputStream outputStream = new FileOutputStream(extractedFile)) {
int totallRead = 0;
while ((readLen = zipInputStream.read(readBuffer)) != -1) {
while ((readLen = zipInputStream.read(readBuffer)) != -1) { // $ hasTaintFlow="zipInputStream"
totallRead += readLen;
if (totallRead > 1024 * 1024 * 4) {
System.out.println("potential Bomb");