github-code-scanning[bot] commented on code in PR #4:
URL:
https://github.com/apache/sling-org-apache-sling-tooling-support-install/pull/4#discussion_r1020503172
##########
src/main/java/org/apache/sling/tooling/support/install/impl/InstallServlet.java:
##########
@@ -262,49 +235,45 @@
return found;
}
- private static void createJar(final File sourceDir, final File jarFile,
final Manifest mf)
- throws IOException {
- final JarOutputStream zos = new JarOutputStream(new
FileOutputStream(jarFile));
- try {
+ private static void createJar(final Path sourceDir, final Path jarFile,
final Manifest mf) throws IOException {
+ try (JarOutputStream zos = new
JarOutputStream(Files.newOutputStream(jarFile))) {
zos.setLevel(Deflater.NO_COMPRESSION);
// manifest first
final ZipEntry anEntry = new ZipEntry(JarFile.MANIFEST_NAME);
zos.putNextEntry(anEntry);
mf.write(zos);
zos.closeEntry();
zipDir(sourceDir, zos, "");
- } finally {
- try {
- zos.close();
- } catch ( final IOException ignore ) {
- // ignore
- }
}
}
- public static void zipDir(final File sourceDir, final ZipOutputStream zos,
final String path)
- throws IOException {
- final byte[] readBuffer = new byte[8192];
- int bytesIn = 0;
+ public static void zipDir(final Path sourceDir, final ZipOutputStream zos,
final String prefix) throws IOException {
+ try (Stream<Path> stream = Files.list(sourceDir)) {
Review Comment:
## I/O function calls should not be vulnerable to path injection attacks
<!--SONAR_ISSUE_KEY:AYRoJJXWSHsDn9lThPYU-->Change this code to not construct
the path from user-controlled data. <p>See more on <a
href="https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-tooling-support-install&issues=AYRoJJXWSHsDn9lThPYU&open=AYRoJJXWSHsDn9lThPYU&pullRequest=4";>SonarCloud</a></p>
[Show more
details](https://github.com/apache/sling-org-apache-sling-tooling-support-install/security/code-scanning/10)
##########
src/main/java/org/apache/sling/tooling/support/install/impl/InstallServlet.java:
##########
@@ -96,77 +93,57 @@
result.render(resp.getWriter());
return;
}
-
if (isMultipart) {
- installBasedOnUploadedJar(req, resp);
+ installBasedOnUploadedJar(req, resp, refreshPackages);
} else {
- installBasedOnDirectory(resp, new File(dirPath));
+ installBasedOnDirectory(resp, Paths.get(dirPath), refreshPackages);
Review Comment:
## Exceptions should not be thrown from servlet methods
<!--SONAR_ISSUE_KEY:AYRoJJXWSHsDn9lThPYR-->Handle the following exception
that could be thrown by "installBasedOnDirectory": IOException. <p>See more on
<a
href="https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-tooling-support-install&issues=AYRoJJXWSHsDn9lThPYR&open=AYRoJJXWSHsDn9lThPYR&pullRequest=4";>SonarCloud</a></p>
[Show more
details](https://github.com/apache/sling-org-apache-sling-tooling-support-install/security/code-scanning/12)
##########
src/main/java/org/apache/sling/tooling/support/install/impl/InstallServlet.java:
##########
@@ -96,77 +93,57 @@
result.render(resp.getWriter());
return;
}
-
if (isMultipart) {
- installBasedOnUploadedJar(req, resp);
+ installBasedOnUploadedJar(req, resp, refreshPackages);
Review Comment:
## Exceptions should not be thrown from servlet methods
<!--SONAR_ISSUE_KEY:AYRoJJXWSHsDn9lThPYQ-->Handle the following exceptions
that could be thrown by "installBasedOnUploadedJar": IOException,
ServletException. <p>See more on <a
href="https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-tooling-support-install&issues=AYRoJJXWSHsDn9lThPYQ&open=AYRoJJXWSHsDn9lThPYQ&pullRequest=4";>SonarCloud</a></p>
[Show more
details](https://github.com/apache/sling-org-apache-sling-tooling-support-install/security/code-scanning/13)
##########
src/main/java/org/apache/sling/tooling/support/install/impl/InstallServlet.java:
##########
@@ -182,49 +159,39 @@
new InstallationResult(false, message + " : " +
e.getMessage()).render(resp.getWriter());
}
- private void installBasedOnDirectory(HttpServletResponse resp, final File
dir) throws FileNotFoundException,
- IOException {
-
+ private void installBasedOnDirectory(HttpServletResponse resp, final Path
dir, boolean refreshPackages) throws IOException {
InstallationResult result = null;
- if ( dir.exists() && dir.isDirectory() ) {
+ if (Files.isDirectory(dir)) {
logger.info("Checking dir {} for bundle install", dir);
- final File manifestFile = new File(dir, JarFile.MANIFEST_NAME);
- if ( manifestFile.exists() ) {
- FileInputStream fis = null;
- try {
- fis = new FileInputStream(manifestFile);
+ final Path manifestFile = dir.resolve(JarFile.MANIFEST_NAME);
+ if (Files.exists(dir)) {
+ try (InputStream fis = Files.newInputStream(manifestFile)) {
Review Comment:
## I/O function calls should not be vulnerable to path injection attacks
<!--SONAR_ISSUE_KEY:AYRoJJXWSHsDn9lThPYT-->Change this code to not construct
the path from user-controlled data. <p>See more on <a
href="https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-tooling-support-install&issues=AYRoJJXWSHsDn9lThPYT&open=AYRoJJXWSHsDn9lThPYT&pullRequest=4";>SonarCloud</a></p>
[Show more
details](https://github.com/apache/sling-org-apache-sling-tooling-support-install/security/code-scanning/11)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
