Light

SonarQube security hotspot about zip HOT 4 CLOSED

TheSlackOne commented on June 2, 2024

SonarQube security hotspot

from zip.

Comments (4)

kuba-- commented on June 2, 2024

How do you understand this warning?

In my honest opinion it's not related to zip_open. It's about, how someone can compress e.g. GB of zeros what can end up with very tiny zip archive but after unziping it's full of garbage.

So, be careful how/where do you compress your data, but it's not related to this particular call.
Moreover, in your example, you're compressing data, you're passing inFiles, so it's your app responsibility to check if these files are garbage, or not.

from zip.

TheSlackOne commented on June 2, 2024

Yes, agree, and it is trusted data. I just wonder if I could do something from the zip_open() call, like passing a flag, to avoid the security hotspot warning.

from zip.

kuba-- commented on June 2, 2024

No, because this warning is very informative/generic.
SonarQuebe didn't analyze the zip library, just posted some info related to zip archives from DB (the same stuff you can find for some PHP library: https://rules.sonarsource.com/php/RSPEC-5042).

I would recommend to try real static analysis tools, like cpp-check, infer, clang static analysis or PVS studio.

from zip.

TheSlackOne commented on June 2, 2024

Thank you, Kuba, I appreciate your input.

from zip.

Related Issues (20)

Warnings HOT 1
zip_create Why does create not support directory creation！ HOT 3
zip_extract The extracted file name is garbled and does not support Chinese name extraction HOT 1
typedef conflict HOT 1
zip_close error when opening zip archive in read mode HOT 5
Check if file or stream is a valid "zip" archive HOT 10
64-bit Linux compatibility HOT 3
Can CodeQL scans be enabled for this repository? HOT 1
Bindings HOT 7
Remove zip entries by index. HOT 2
redefinition of 's_tdefl_num_probes' when `miniz.h` included in cpp HOT 1
Find offset of a file in a zip file? HOT 6
Issue when deleting files HOT 3
Failed to compile with Android Studio NDK r26b HOT 1
zip_entries_delete fails for in memory stream zip HOT 12
Reading a portion of the file HOT 6
Multiple issues with zip file HOT 7
Code for supporting direct usage of file streams (FILE *) HOT 1
miniz.h: surround function definitions with an #ifdef HOT 2
Failed to build 32-bit with gcc HOT 1

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.