From 042d657901a3455ab272d3e5342616f958e93ce5 Mon Sep 17 00:00:00 2001
From: XDEV Renovate Bot <renovate@xdev-software.de>
Date: Sat, 11 Oct 2025 04:14:27 +0000
Subject: [PATCH 1/3] Update dependency
 org.apache.maven.plugins:maven-pmd-plugin to v3.28.0

---
 pom.xml                      | 2 +-
 template-placeholder/pom.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 14c3d10..7236c13 100644
--- a/pom.xml
+++ b/pom.xml
@@ -70,7 +70,7 @@
 					<plugin>
 						<groupId>org.apache.maven.plugins</groupId>
 						<artifactId>maven-pmd-plugin</artifactId>
-						<version>3.27.0</version>
+						<version>3.28.0</version>
 						<configuration>
 							<analysisCache>true</analysisCache>
 							<includeTests>true</includeTests>
diff --git a/template-placeholder/pom.xml b/template-placeholder/pom.xml
index ea07c2f..74cf0ee 100644
--- a/template-placeholder/pom.xml
+++ b/template-placeholder/pom.xml
@@ -240,7 +240,7 @@
 					<plugin>
 						<groupId>org.apache.maven.plugins</groupId>
 						<artifactId>maven-pmd-plugin</artifactId>
-						<version>3.27.0</version>
+						<version>3.28.0</version>
 						<configuration>
 							<analysisCache>true</analysisCache>
 							<includeTests>true</includeTests>

From d4bea48af9898d69073377a80fe6289ad4a2fc39 Mon Sep 17 00:00:00 2001
From: XDEV Renovate Bot <renovate@xdev-software.de>
Date: Sun, 12 Oct 2025 04:13:47 +0000
Subject: [PATCH 2/3] Update dependency com.puppycrawl.tools:checkstyle to
 v12.0.1

---
 pom.xml                      | 2 +-
 template-placeholder/pom.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 14c3d10..6c2a198 100644
--- a/pom.xml
+++ b/pom.xml
@@ -45,7 +45,7 @@
 							<dependency>
 								<groupId>com.puppycrawl.tools</groupId>
 								<artifactId>checkstyle</artifactId>
-								<version>12.0.0</version>
+								<version>12.0.1</version>
 							</dependency>
 						</dependencies>
 						<configuration>
diff --git a/template-placeholder/pom.xml b/template-placeholder/pom.xml
index ea07c2f..67b916c 100644
--- a/template-placeholder/pom.xml
+++ b/template-placeholder/pom.xml
@@ -215,7 +215,7 @@
 							<dependency>
 								<groupId>com.puppycrawl.tools</groupId>
 								<artifactId>checkstyle</artifactId>
-								<version>12.0.0</version>
+								<version>12.0.1</version>
 							</dependency>
 						</dependencies>
 						<configuration>

From e28c251a2dbf97e5e8273177d05a6f8743c9902c Mon Sep 17 00:00:00 2001
From: AB <a.bierler@xdev-software.de>
Date: Wed, 15 Oct 2025 11:20:00 +0200
Subject: [PATCH 3/3] Detect ZIP slip

---
 .config/pmd/java/ruleset.xml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/.config/pmd/java/ruleset.xml b/.config/pmd/java/ruleset.xml
index 4570323..c72b66a 100644
--- a/.config/pmd/java/ruleset.xml
+++ b/.config/pmd/java/ruleset.xml
@@ -316,6 +316,28 @@
 		</properties>
 	</rule>
 
+	<rule name="EnsureZipEntryNameIsSanitized"
+		language="java"
+		message="ZipEntry name should be sanitized"
+		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+		<description>
+			ZipEntry name should be sanitized.
+			Unsanitized names may contain '..' which can result in path traversal ("ZipSlip").
+
+			You can suppress this warning when you properly sanitized the name.
+		</description>
+		<priority>4</priority>
+		<properties>
+			<property name="xpath">
+				<value>
+<![CDATA[
+//MethodCall[pmd-java:matchesSig('java.util.zip.ZipEntry#getName()') or pmd-java:matchesSig('org.apache.commons.compress.archivers.ArchiveEntry#getName()')]
+]]>
+				</value>
+			</property>
+		</properties>
+	</rule>
+
 	<rule name="JavaObjectSerializationIsUnsafe"
 		language="java"
 		message="Using Java Object (De-)Serialization is unsafe and has led to too many security vulnerabilities"