Update to javaparser 3.27.1 #168
Merged: smillst merged 182 commits into typetools:master from smillst:updating-javaparser-parent-3.27.1 on Nov 14, 2025
Conversation
This fixes a Zip-Slip vulnerability.
This change does one of two things. This change either
1. Inserts a guard to protect against Zip Slip.
OR
2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.
For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.
It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/"))` will print `/var/`;
however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity: High
CVSS: 7.4
Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)
Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Bug-tracker: JLLeitschuh/security-research#16
Co-authored-by: Moderne <team@moderne.io>
…2/fix/JLL/zip-slip-vulnerability [SECURITY] Fix Zip Slip Vulnerability
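The two checks contrasted in the commit message above, side by side with a Zip Slip guard built on the hardened one. This is example code added for this page, not code from the commit or from the javaparser project; the class and method names, the sample paths (`/usr/out`, `/usr/outnot`, `/tmp/extract`) and the archive entry names are constructed for the demonstration and assume a Unix-style file system (none of the paths need to exist, since `getCanonicalPath` only resolves the part that does).

```java
import java.io.File;
import java.io.IOException;

public class ZipSlipGuardDemo {

    // The check the commit replaces: a plain String prefix comparison of canonical paths.
    // "/usr/outnot" starts with "/usr/out" as a string, so a sibling directory passes.
    static boolean insecurePrefixCheck(File parent, File candidate) throws IOException {
        return candidate.getCanonicalPath().startsWith(parent.getCanonicalPath());
    }

    // The hardened form from the commit: Path.startsWith compares whole path components,
    // so "/usr/outnot" is no longer considered to be under "/usr/out".
    static boolean securePrefixCheck(File parent, File candidate) throws IOException {
        return candidate.getCanonicalFile().toPath()
                .startsWith(parent.getCanonicalFile().toPath());
    }

    // Zip Slip guard: resolve an archive entry name against the extraction directory and
    // reject it unless the canonical result stays inside that directory. Canonicalisation
    // collapses any ".." segments before the component-wise comparison is made.
    static File resolveEntrySafely(File destDir, String entryName) throws IOException {
        File target = new File(destDir, entryName);
        if (!securePrefixCheck(destDir, target)) {
            throw new IOException("Entry is outside of the target dir: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample paths (assumption: Unix-style file system); none need to exist.
        File parent = new File("/usr/out");
        File sibling = new File("/usr/outnot");
        File child = new File("/usr/out/report.txt");

        System.out.println("insecure check, sibling: " + insecurePrefixCheck(parent, sibling));
        System.out.println("secure check,   sibling: " + securePrefixCheck(parent, sibling));
        System.out.println("secure check,   child:   " + securePrefixCheck(parent, child));

        // Constructed zip entry names: one ordinary, one that would leave the directory.
        File destDir = new File("/tmp/extract");
        for (String entryName : new String[] {"docs/readme.txt", "../escaped.txt"}) {
            try {
                System.out.println("accepted: " + resolveEntrySafely(destDir, entryName));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Running it shows the point the commit makes: the string-based check accepts the sibling `/usr/outnot` as if it were under `/usr/out`, while the `Path`-based check rejects it and still accepts a genuine child. The guard reuses the hardened check, so an entry whose canonical form resolves outside the extraction directory is refused before anything is written.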
….23.0 (javaparser#4705) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
….13 (javaparser#4706) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Fix: issue 4707 Upgrading from junit 5.11.4 -> 5.12.1 causes junit exception
This is adapted from my own example and the example in 3710, to make up a more-or-less minimal reproduction case.
Without this check, the symbol resolver would loop between resolving a method call (used as scope argument for a new object creation) and resolving the method call's scope.
…ner class creation resolution with a constructor base work as expected.
…710-infinite-recursion-involving-object-creation-scopes Fix for javaparser#3710 by cutting off resolution loops involving object creation steps.
…lity-for-javassist-records
…dd-method-resolution-capability-for-javassist-records Implement MethodResolutionCapability in JavassistRecordDeclaration
Fix: issue 4697 Updating the com.google.guava:guava dependency to v334.5-jre fails.
…gurable and non-configurable printers (e.g. the LexicalPreservingPrinter)
Fix Switch toString to LexicalPreservingPrinter when configured
…lugin to v2.44.4 (javaparser#4714) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Fix formatting issues
…iles Java class paths support loading .class files either from .jar files, or from file hierarchies containing .class files. There's no reason why JarTypeSolver shouldn't be able to do that as well!
In particular, allow selecting the entire Java Class Library, and not just the absolute core JRE classes.
…e.maven.plugins-maven-checkstyle-plugin-3.x chore(deps): update dependency org.apache.maven.plugins:maven-checkstyle-plugin to v3.6.0
…r-plugin to v3.14.1 (javaparser#4844) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…n to v2.19.1 (javaparser#4845) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…avaparser#4847) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…gin to v2.2.1 (javaparser#4854) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…d declarations Fix issue 4846
… v3.6.0 (javaparser#4857) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…er#4858) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ackets. Fix: Adjusts the range limits of lambda expression parameters to ignore brackets.
…51.1 (javaparser#4862) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ncy-plugin to v3.9.0 (javaparser#4863) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…lves maven-deploy-plugin configuration issues
…try another configuration)
No description provided.