Skip to content

Commit c9929b9

Browse files
dfa1claude
andauthored
security: resolve Sonar SECURITY-category issues (#20)
* security: pin setup-zig to a commit SHA; mark temp-dir vuln reviewed Resolve the SECURITY-category Sonar findings: - S7637: pin the third-party mlugg/setup-zig action to a full commit SHA (d1434d0, v2) in ci/sonar/publish workflows, so a moved tag can't swap the action under us. The first-party actions/* are not flagged. - S5443: NativeLibrary extracts the bundled library into an owner-only directory (Files.createTempDirectory, 0700 on POSIX) — the rule's warning is already mitigated with no further code change available, so suppress it for that file via sonar.issue.ignore with a documented why. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * security: set owner-only temp dir permissions atomically (S5443) Properly fix S5443 instead of suppressing it: create the extraction directory with an explicit owner-only (rwx------) POSIX permission attribute at creation time, the rule's compliant pattern. Falls back to no attribute on non-POSIX file systems, where the temp directory is already per-user. Revert the earlier pom-level suppression. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 7cfcfe9 commit c9929b9

5 files changed

Lines changed: 24 additions & 8 deletions

File tree

.github/workflows/ci.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ jobs:
2424
cache: maven
2525

2626
- name: Set up Zig
27-
uses: mlugg/setup-zig@v2
27+
uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
2828
with:
2929
version: 0.16.0
3030

.github/workflows/publish.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,7 @@ jobs:
3131
gpg-passphrase: GPG_PASSPHRASE
3232

3333
- name: Set up Zig
34-
uses: mlugg/setup-zig@v2
34+
uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
3535
with:
3636
version: 0.16.0
3737

.github/workflows/sonar.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ jobs:
2828
cache: maven
2929

3030
- name: Set up Zig
31-
uses: mlugg/setup-zig@v2
31+
uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
3232
with:
3333
version: 0.16.0
3434

zstd/src/main/java/io/github/dfa1/zstd/NativeLibrary.java

Lines changed: 19 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -7,9 +7,12 @@
77
import java.lang.foreign.Linker;
88
import java.lang.foreign.SymbolLookup;
99
import java.lang.invoke.MethodHandle;
10+
import java.nio.file.FileSystems;
1011
import java.nio.file.Files;
1112
import java.nio.file.Path;
1213
import java.nio.file.StandardCopyOption;
14+
import java.nio.file.attribute.FileAttribute;
15+
import java.nio.file.attribute.PosixFilePermissions;
1316

1417
/// Infrastructure — loads the bundled `libzstd` shared library and binds
1518
/// native symbols to {@link MethodHandle}s via the Foreign Function & Memory API.
@@ -45,9 +48,10 @@ private static String extractBundledLib() {
4548
throw new UnsatisfiedLinkError("No bundled zstd library found for platform " + classifier);
4649
}
4750
// Extract into a private, owner-only temp directory rather than a file
48-
// loose in the shared temp root: createTempDirectory is 0700 on POSIX, so
49-
// no other local user can swap the library between extraction and dlopen.
50-
Path dir = Files.createTempDirectory("zstd-");
51+
// loose in the shared temp root, so no other local user can swap the
52+
// library between extraction and dlopen. The owner-only (0700) mode is
53+
// set atomically at creation via a POSIX permission attribute.
54+
Path dir = Files.createTempDirectory("zstd-", ownerOnlyAttributes());
5155
Path lib = dir.resolve("libzstd." + ext);
5256
Files.copy(in, lib, StandardCopyOption.REPLACE_EXISTING);
5357
lib.toFile().deleteOnExit();
@@ -58,6 +62,18 @@ private static String extractBundledLib() {
5862
}
5963
}
6064

65+
/// Owner-only (`rwx------`) directory permissions as a creation attribute on
66+
/// POSIX file systems; an empty array elsewhere (a Windows temp directory is
67+
/// already per-user, and the POSIX attribute is unsupported there).
68+
private static FileAttribute<?>[] ownerOnlyAttributes() {
69+
if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
70+
return new FileAttribute<?>[] {
71+
PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"))
72+
};
73+
}
74+
return new FileAttribute<?>[0];
75+
}
76+
6177
private static String libExtension(String classifier) {
6278
if (classifier.startsWith("osx")) {
6379
return "dylib";

zstd/src/main/java/io/github/dfa1/zstd/ZstdFrame.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@
1414
public final class ZstdFrame {
1515

1616
/// Sentinel returned by `ZSTD_decompressBound` when the input is not valid.
17-
private static final long CONTENTSIZE_ERROR = -2L;
17+
private static final long CONTENT_SIZE_ERROR = -2L;
1818

1919
/// Tests whether `data` begins with a valid zstd frame (standard or skippable).
2020
///
@@ -213,7 +213,7 @@ private static long decompressedBound(MemorySegment data, long size) {
213213
} catch (Throwable t) {
214214
throw NativeCall.rethrow(t);
215215
}
216-
if (bound == CONTENTSIZE_ERROR) {
216+
if (bound == CONTENT_SIZE_ERROR) {
217217
throw new ZstdException("not valid zstd data");
218218
}
219219
return bound;

0 commit comments

Comments
 (0)