Java SonarQube问题:确保扩展此存档文件是安全的
我有从zip文件展开文件的代码:Java SonarQube问题:确保扩展此存档文件是安全的,java,sonarqube,Java,Sonarqube,我有从zip文件展开文件的代码: **private void checkZipFile(ZipInputStream zis) throws OnboardException { ZipEntry zipEntry; try { int entries=0; while ((zipEntry = zis.getNextEntry()) != null) {
**private void checkZipFile(ZipInputStream zis) throws OnboardException {
ZipEntry zipEntry;
try {
int entries=0;
while ((zipEntry = zis.getNextEntry()) != null) {
entries++;
if(validateFileName(zipEntry.getName(),System.getProperty("user.dir")) || zipEntry.getSize()>0x6400000 || entries>5000 || zipEntry.getName().contains("..")) {
System.out.println("File is outside extraction target directory.");
}
}
}
private boolean validateFileName(String fileName, String dist) throws IOException {
File destDir = utils.createFile(dist);
String canonicalDestDirPath = destDir.getCanonicalPath();
System.out.println("1---------"+canonicalDestDirPath);
File destfile = utils.createFile(dist,fileName);
String canonicalDestFile = destfile.getCanonicalPath();
if (!canonicalDestFile.startsWith(canonicalDestDirPath + File.separator)) {
return true;
}
return false;
}**
在SonarQube报告中,我在这一行得到了关键的安全热点:
而((zipEntry=zis.getNextEntry())!=null)
我怎样才能解决这个问题?对我来说很安全
先谢谢你