github-advanced-security[bot] commented on code in PR #9363: URL: https://github.com/apache/rocketmq/pull/9363#discussion_r2058011628
########## auth/src/test/java/org/apache/rocketmq/auth/migration/plain/AclTestHelper.java: ########## 
@@ -101,20 +105,66 @@ if (!home.exists()) { Assert.assertTrue(home.mkdirs()); } - PathMatchingResourcePatternResolver resolver = new PathMatchingResourcePatternResolver(AclTestHelper.class.getClassLoader()); - Resource[] resources = resolver.getResources(String.format("classpath:%s/**/*", folder)); - for (Resource resource : resources) { - if (!resource.isReadable()) { - continue; + + // Get the resource URL for the folder + URL folderUrl = AclTestHelper.class.getClassLoader().getResource(folder); + if (folderUrl == null) { + throw new IOException("Resource folder not found: " + folder); + } + + // Check if the resource is in a JAR or in the file system + if ("file".equals(folderUrl.getProtocol())) { + // Resource is in the file system + File sourceDir = new File(folderUrl.getFile()); + copyDirectory(sourceDir, home, folder, into); + } else if ("jar".equals(folderUrl.getProtocol())) { + // Resource is in a JAR file + copyResourcesFromJar(folderUrl, home, folder, into); + } else { + throw new IOException("Unsupported protocol: " + folderUrl.getProtocol()); + } + + return home; + } + + private static void copyDirectory(File sourceDir, File destDir, String folderName, boolean into) throws IOException { + if (!sourceDir.isDirectory()) { + return; + } + + File[] files = sourceDir.listFiles(); + if (files == null) { + return; + } + + for (File file : files) { + String path = file.getAbsolutePath(); + try (InputStream inputStream = new FileInputStream(file)) { + copyTo(path, inputStream, destDir, folderName, into); } - String description = resource.getDescription(); - int start = description.indexOf('['); - int end = description.lastIndexOf(']'); - String path = description.substring(start + 1, end); - try (InputStream inputStream = resource.getInputStream()) { - copyTo(path, inputStream, home, folder, into); + } + } + + private static void copyResourcesFromJar(URL jarUrl, File destDir, String folderName, boolean into) throws IOException { + try { + JarURLConnection 
jarConnection = (JarURLConnection) jarUrl.openConnection(); + JarFile jar = jarConnection.getJarFile(); + + Enumeration<JarEntry> entries = jar.entries(); + String folderPath = folderName + "/"; + + while (entries.hasMoreElements()) { + JarEntry entry = entries.nextElement(); + String entryName = entry.getName(); Review Comment: ## Arbitrary file access during archive extraction ("Zip Slip") Unsanitized archive entry, which may contain '..', is used in a [file system operation](1). Unsanitized archive entry, which may contain '..', is used in a [file system operation](2). Unsanitized archive entry, which may contain '..', is used in a [file system operation](3). Unsanitized archive entry, which may contain '..', is used in a [file system operation](4). Unsanitized archive entry, which may contain '..', is used in a [file system operation](5). Unsanitized archive entry, which may contain '..', is used in a [file system operation](6). [Show more details](https://github.com/apache/rocketmq/security/code-scanning/24) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@rocketmq.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
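Review bot: `copyDirectory` does not recurse, so if the resource folder holds a nested directory the loop hands it to `new FileInputStream(file)`, which throws FileNotFoundException for a directory, whereas the removed `classpath:%s/**/*` pattern walked the whole subtree; guard the loop with `if (file.isDirectory()) { copyDirectory(file, destDir, folderName, into); continue; }` before opening the stream. `new File(folderUrl.getFile())` also uses the percent-encoded URL path, so a checkout under a directory containing a space or non-ASCII character yields a path that does not exist and the method silently copies nothing because of the `!sourceDir.isDirectory()` early return; `new File(folderUrl.toURI())` (rethrowing URISyntaxException as IOException) avoids that. The `try` opened in `copyResourcesFromJar` and the body of its `while` loop continue outside the hunk, so how entries are filtered under `folderPath` and what the catch does cannot be judged here.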