
Commit 8ba48e8

committed
fix examples
1 parent dd3cc33 commit 8ba48e8


5 files changed

+38
-25
lines changed


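--- /dev/null
+++ b/.favorites.json
@@ -0,0 +1,10 @@
+[
+{
+"type": "File",
+"name": "/home/am/CodeQL-home/codeql-repo-amammad/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/example_good.java",
+"parent_id": null,
+"workspaceRoot": "/home/am/CodeQL-home/codeql-repo-amammad",
+"workspacePath": "java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/example_good.java",
+"id": "VOluGJntmAYZyTdQ"
+}
+]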
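Review bot: `.favorites.json` looks like editor workspace state rather than repository content and should not be part of this commit: its `name` and `workspaceRoot` values carry the absolute local path `/home/am/CodeQL-home/codeql-repo-amammad`, which leaks a developer's machine layout into the public tree. It also still points at `example_good.java`, which this same commit renames to `GoodExample.java`, so the entry is stale on arrival. Drop the file from the commit and add `.favorites.json` to `.gitignore` so it does not come back on the next commit.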
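--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/BadExample.java
@@ -0,0 +1,25 @@
+package org.example;
+
+import java.nio.file.StandardCopyOption;
+import java.util.Enumeration;
+import java.io.IOException;
+import java.util.zip.*;
+import java.util.zip.ZipEntry;
+import java.io.File;
+import java.nio.file.Files;
+
+
+class BadExample {
+public static void ZipInputStreamUnSafe(String filename) throws IOException {
+File f = new File(filename);
+try (ZipFile zipFile = new ZipFile(f)) {
+Enumeration<? extends ZipEntry> entries = zipFile.entries();
+
+while (entries.hasMoreElements()) {
+ZipEntry ze = entries.nextElement();
+File out = new File("./tmp/tmp.txt");
+Files.copy(zipFile.getInputStream(ze), out.toPath(), StandardCopyOption.REPLACE_EXISTING);
+}
+}
+}
+}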
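Review bot: Nothing in BadExample marks the `Files.copy(...)` call as the statement the qhelp text is describing, so a reader of the sample has to work out for themselves which line is the unbounded decompression; add `// BAD: the entry's decompressed bytes are copied with no size limit` on that line so the sample is self-explanatory. The `import java.util.zip.ZipEntry;` line is redundant given `import java.util.zip.*;` directly above it and can be removed. The method name `ZipInputStreamUnSafe` is not lowerCamelCase and names a class the body never uses, since it opens a `ZipFile`; a name such as `zipFileUnsafe` would describe what the sample actually does. The filename header for this section is missing from the page, so the path above is inferred from the qhelp's `<sample src="BadExample.java" />` reference.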

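--- a/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.qhelp
@@ -17,12 +17,12 @@
 <p>
 In the following example, the decompressed file size is not checked before decompression, exposing the application to a denial of service.
 </p>
-<sample src="example_bad.java" />
+<sample src="BadExample.java" />
 
 <p>
 A better approach is shown in the following example, where a ZIP file is read within a loop and a size threshold is checked every cycle.
 </p>
-<sample src="example_good.java"/>
+<sample src="GoodExample.java"/>
 
 </example>
 <references>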

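--- a/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/example_good.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/GoodExample.java
@@ -3,7 +3,7 @@
 import java.io.FileOutputStream;
 import java.util.zip.ZipEntry;
 
-public class Main {
+public class GoodExample {
 public static void ZipInputStreamSafe(String filename) throws IOException {
 int UncompressedSizeThreshold = 10 * 1024 * 1024; // 10MB
 int BUFFERSIZE = 256;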

java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/example_bad.java

Lines changed: 0 additions & 22 deletions
This file was deleted.
