Replace PomReader with ModuleName fixing Zip Slip (CWE-22)

Description

https://github.com/folio-org/mod-orders-storage/security/code-scanning/1
reports "Arbitrary file access during archive extraction ('Zip Slip')", CWE-22 (https://cwe.mitre.org/data/definitions/22.html), for https://github.com/folio-org/mod-orders-storage/blob/v13.7.2/src/main/java/org/folio/util/PomReaderUtil.java

Fix:

Use the ModuleName.java that RMB's domain-models-maven-plugin generates automatically. This allows deleting the duplicated code in PomReaderUtil.java and PomReaderUtilTest.java, which was copied from RMB: https://github.com/folio-org/raml-module-builder/blob/v35.2.0/domain-models-maven-plugin/src/main/java/org/folio/rest/tools/PomReader.java
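For reference, this is the CWE-22 check that CodeQL's Zip Slip query expects to see before an archive entry name is turned into a filesystem path. It is an added example written for this ticket in plain JDK code; it is not the code of PomReaderUtil, of RMB's PomReader, or of the generated ModuleName, and the class name, method names and sample entry names are made up for the illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/**
 * Added example (not mod-orders-storage or RMB code): archive entry names are
 * attacker-controlled, so "../../etc/cron.d/x" or an absolute path must be
 * rejected before any file is created or written (CWE-22, "Zip Slip").
 */
public final class SafeUnzip {

    private SafeUnzip() {}

    /**
     * Resolve an entry name under destDir and prove, on the normalized
     * absolute form, that the result is still inside destDir. Throws on escape.
     */
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        // resolve() returns the entry unchanged if it is absolute, and
        // normalize() folds away "..", so both escape variants end up outside base.
        Path target = base.resolve(entryName).normalize();
        // Path.startsWith compares whole name elements, so "/tmp/out" does not
        // accept "/tmp/outside" the way a String prefix check would.
        if (!target.startsWith(base)) {
            throw new IOException("Zip Slip entry rejected: " + entryName);
        }
        return target;
    }

    /** Extract every entry of zip into destDir, refusing any that escapes it. */
    public static void extract(Path zip, Path destDir) throws IOException {
        try (ZipFile zf = new ZipFile(zip.toFile())) {
            Enumeration<? extends ZipEntry> entries = zf.entries();
            while (entries.hasMoreElements()) {
                ZipEntry e = entries.nextElement();
                Path target = resolveEntry(destDir, e.getName()); // check first
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                try (InputStream in = zf.getInputStream(e)) {
                    Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    /** Self-check on constructed entry names; no archive on disk is needed. */
    public static void main(String[] args) throws IOException {
        Path dest = Path.of("/tmp/unzip-out"); // hypothetical destination
        // Standard Maven layout of a pom inside a jar: accepted.
        System.out.println("accepted: "
            + resolveEntry(dest, "META-INF/maven/org.folio/mod-orders-storage/pom.xml"));
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "a/../../b"}) {
            try {
                resolveEntry(dest, bad);
                System.out.println("BUG: accepted " + bad);
            } catch (IOException expected) {
                System.out.println("rejected: " + bad);
            }
        }
    }
}
```

The check is purely lexical: it stops "../" and absolute entry names, which is what the code-scanning alert is about, but it does not defend against an earlier entry planting a symbolic link that a later entry then writes through. Dropping the runtime pom lookup in favour of the build-time generated ModuleName, as this ticket does, removes the extraction code path altogether, which is the simpler fix.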

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Activity

Serhii_Nosko June 21, 2024 at 5:39 AM

Merged https://github.com/folio-org/mod-orders-storage/pull/419 , thanks for the fix, closing this ticket

Done

Details

Development Team

Thunderjet

Release

Ramsons (R2 2024)

RCA Group

Implementation coding issue

Created June 20, 2024 at 11:37 AM
Updated June 21, 2024 at 5:39 AM
Resolved June 21, 2024 at 5:39 AM