Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: [RTD-540] solve bomb zip security hotspot #357

Merged
merged 9 commits into from Apr 3, 2023
Merged

fix: [RTD-540] solve bomb zip security hotspot #357

merged 9 commits into from Apr 3, 2023

Conversation

and-mora
Copy link
Contributor

@and-mora and-mora commented Mar 27, 2023
edited

Description

This PR proposes to fix the zip bomb security hotspot by setting the max size allowed for the uncompressed files.

List of Changes

  • fix sonar security hotspot
  • remove codeql action

Motivation and Context

How Has This Been Tested?

  • Unit Test Suite
  • Integration Test Suite
  • Load Tests

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Chore change (non-breaking change which doesn't provide a direct value to users)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.

@and-mora and-mora changed the base branch from master to develop March 27, 2023 13:46
@and-mora and-mora marked this pull request as ready for review March 27, 2023 13:48
@and-mora and-mora marked this pull request as draft March 28, 2023 07:23
@and-mora and-mora marked this pull request as ready for review March 28, 2023 10:18
@and-mora and-mora force-pushed the RTD-540-solve-bomb-zip-sec-hotspot branch from 3fae237 to b358dd5 Compare March 30, 2023 13:03
@sonarcloud
Copy link

sonarcloud bot commented Mar 30, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

100.0% 100.0% Coverage
0.0% 0.0% Duplication

petretiandrea
petretiandrea approved these changes Apr 3, 2023
View reviewed changes
Copy link
Contributor

@petretiandrea petretiandrea left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice refactor 🎉

@and-mora and-mora merged commit ad6d0a3 into develop Apr 3, 2023
6 of 7 checks passed
@and-mora and-mora deleted the RTD-540-solve-bomb-zip-sec-hotspot branch April 3, 2023 10:11
and-mora added a commit that referenced this pull request May 11, 2023
@and-mora
fix: [RTD-1655] reduce log severity on ack confirm failure (#358)
e431c27 
* fix: [RTD-540] use nio library to create temp file (#356)

* fix: [RTD-540] solve bomb zip security hotspot (#357)

* [RTD-540] solve zip bomb by checking uncompressed file size

* [RTD-540] solve zip bomb by checking uncompressed file size

* [RTD-540] solve zip slip vulnerability

* [RTD-540] add compression ratio check

* [RTD-540] typo

* [RTD-540] utilize copyLarge of apache common

* [RTD-540] remove common io library usage

* [RTD-540] reduce cognitive complexity

* [RTD-540] remove codeql action

* [RTD-1655] reduce log severity on ack confirm failure

* [RTD-1655] bump pom version to 2.0.3
and-mora added a commit that referenced this pull request May 12, 2023
@and-mora
Merge pull request #359 from pagopa/develop
9b9940a 
* fix: [RTD-540] use nio library to create temp file (#356)

* fix: [RTD-540] solve bomb zip security hotspot (#357)

* [RTD-540] solve zip bomb by checking uncompressed file size

* [RTD-540] solve zip bomb by checking uncompressed file size

* [RTD-540] solve zip slip vulnerability

* [RTD-540] add compression ratio check

* [RTD-540] typo

* [RTD-540] utilize copyLarge of apache common

* [RTD-540] remove common io library usage

* [RTD-540] reduce cognitive complexity

* [RTD-540] remove codeql action

* fix: [RTD-1655] reduce log severity on ack confirm failure (#358)

* fix: [RTD-540] use nio library to create temp file (#356)

* fix: [RTD-540] solve bomb zip security hotspot (#357)

* [RTD-540] solve zip bomb by checking uncompressed file size

* [RTD-540] solve zip bomb by checking uncompressed file size

* [RTD-540] solve zip slip vulnerability

* [RTD-540] add compression ratio check

* [RTD-540] typo

* [RTD-540] utilize copyLarge of apache common

* [RTD-540] remove common io library usage

* [RTD-540] reduce cognitive complexity

* [RTD-540] remove codeql action

* [RTD-1655] reduce log severity on ack confirm failure

* [RTD-1655] bump pom version to 2.0.3

* fix: [RTD-1669] fix conditional flow after ack list retrieve fails (#360)

* [RTD-1669] fix conditional flow on ade-ack step failure
* [RTD-1669] improve failure handling and logging
@github-actions
Copy link

🎉 This PR is included in version 2.0.3 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@petretiandrea petretiandrea petretiandrea approved these changes

@GiovanniMancini GiovanniMancini Awaiting requested review from GiovanniMancini GiovanniMancini is a code owner

@TommasoLencioni TommasoLencioni Awaiting requested review from TommasoLencioni TommasoLencioni is a code owner

@lucaconsalvi lucaconsalvi Awaiting requested review from lucaconsalvi lucaconsalvi is a code owner

Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@and-mora @petretiandrea