org.openrewrite.java.security.ZipSlip
Zip slip is an arbitrary file overwrite critical vulnerability, which typically results in remote command execution. A fuller description of this vulnerability is available in the Snyk documentation on it.
- CWE-22
GitHub, Issue Tracker, Maven Central
- groupId: org.openrewrite.recipe
- artifactId: rewrite-java-security
- version: 2.5.2
This recipe has no required configuration options. It can be activated by adding a dependency on org.openrewrite.recipe:rewrite-java-security:2.5.2
in your build file or by running a shell command (in which case no build changes are needed):
{% tabs %}
{% tab title="Gradle" %}
- Add the following to your
build.gradle
file: {% code title="build.gradle" %}
plugins {
id("org.openrewrite.rewrite") version("6.11.2")
}
rewrite {
activeRecipe("org.openrewrite.java.security.ZipSlip")
}
repositories {
mavenCentral()
}
dependencies {
rewrite("org.openrewrite.recipe:rewrite-java-security:2.5.2")
}
{% endcode %}
2. Run gradle rewriteRun
to run the recipe.
{% endtab %}
{% tab title="Gradle init script" %}
- Create a file named
init.gradle
in the root of your project. {% code title="init.gradle" %}
initscript {
repositories {
maven { url "https://plugins.gradle.org/m2" }
}
dependencies { classpath("org.openrewrite:plugin:6.11.2") }
}
rootProject {
plugins.apply(org.openrewrite.gradle.RewritePlugin)
dependencies {
rewrite("org.openrewrite.recipe:rewrite-java-security:2.5.2")
}
rewrite {
activeRecipe("org.openrewrite.java.security.ZipSlip")
}
afterEvaluate {
if (repositories.isEmpty()) {
repositories {
mavenCentral()
}
}
}
}
{% endcode %}
2. Run gradle --init-script init.gradle rewriteRun
to run the recipe.
{% endtab %}
{% tab title="Maven POM" %}
- Add the following to your
pom.xml
file: {% code title="pom.xml" %}
<project>
<build>
<plugins>
<plugin>
<groupId>org.openrewrite.maven</groupId>
<artifactId>rewrite-maven-plugin</artifactId>
<version>5.27.0</version>
<configuration>
<activeRecipes>
<recipe>org.openrewrite.java.security.ZipSlip</recipe>
</activeRecipes>
</configuration>
<dependencies>
<dependency>
<groupId>org.openrewrite.recipe</groupId>
<artifactId>rewrite-java-security</artifactId>
<version>2.5.2</version>
</dependency>
</dependencies>
</plugin>
</plugins>
</build>
</project>
{% endcode %}
2. Run mvn rewrite:run
to run the recipe.
{% endtab %}
{% tab title="Maven Command Line" %} {% code title="shell" %} You will need to have Maven installed on your machine before you can run the following command.
mvn -U org.openrewrite.maven:rewrite-maven-plugin:run -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-java-security:RELEASE -Drewrite.activeRecipes=org.openrewrite.java.security.ZipSlip
{% endcode %} {% endtab %} {% tab title="Moderne CLI" %} You will need to have configured the Moderne CLI on your machine before you can run the following command.
{% code title="shell" %}
mod run . --recipe ZipSlip
{% endcode %} {% endtab %} {% endtabs %}
The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.
Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.
Jonathan Leitschuh, Jonathan Schnéider, Knut Wannheden, Simon Verhoeven