add comments for FPs

2026-04-23 07:45:17 +02:00 · 2024-07-30 13:24:46 +02:00
parent 4dc1a10f71
commit 9662950405
2 changed files with 4 additions and 4 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/Zip4jHandler.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/Zip4jHandler.java
@@ -33,7 +33,7 @@ public class Zip4jHandler {
                File extractedFile = new File(localFileHeader.getFileName());
                try (OutputStream outputStream = new FileOutputStream(extractedFile)) {
                    int totallRead = 0;
-                    while ((readLen = zipInputStream.read(readBuffer)) != -1) { // $ hasTaintFlow="zipInputStream"
+                    while ((readLen = zipInputStream.read(readBuffer)) != -1) { // $ hasTaintFlow="zipInputStream"  "this test gives a FP"
                        totallRead += readLen;
                        if (totallRead > 1024 * 1024 * 4) {
                            System.out.println("potential Bomb");
--- a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/ZipHandler.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/ZipHandler.java
@@ -38,7 +38,7 @@ public class ZipHandler {
                }
                FileOutputStream fos = new FileOutputStream("/tmp/tmptmp");
                BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
-                while (total + BUFFER <= TOOBIG && (count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"
+                while (total + BUFFER <= TOOBIG && (count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis" "this test gives a FP"
                    dest.write(data, 0, count);
                    total += count;
                }
@@ -78,7 +78,7 @@ public class ZipHandler {
                }
                FileOutputStream fos = new FileOutputStream(entry.getName());
                BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
-                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"
+                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"  "this test gives a FP"
                    dest.write(data, 0, count);
                }
                dest.flush();
@@ -100,7 +100,7 @@ public class ZipHandler {
                // Write the files to the disk
                FileOutputStream fos = new FileOutputStream(entry.getName()); 
                BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
-                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"
+                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis" 
                    dest.write(data, 0, count);
                }
                dest.flush();