fix: Fix potential security issues

RomualdRousseau · Sep 22, 2024 · b44f148 · b44f148
1 parent cb6cdef
commit b44f148
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 16 deletions.
diff --git a/...java/com/github/romualdrousseau/any2json/transform/op/DropColumnsWhenEntropyLessThan.java b/...java/com/github/romualdrousseau/any2json/transform/op/DropColumnsWhenEntropyLessThan.java
@@ -10,7 +10,7 @@ public class DropColumnsWhenEntropyLessThan {
 
     public static void Apply(final BaseSheet sheet, final float minEntropy) {
         for(int j = 0; j <= sheet.getLastColumnNum(); j++) {
-            final HashMap<String, Double> x = new HashMap<>();
+            final var x = new HashMap<String, Double>();
             var n = 0;
             for(int i = 0; i <= sheet.getLastRowNum(); i++) {
                 if(sheet.hasCellDataAt(j, i)) {
@@ -31,7 +31,7 @@ public static void Apply(final BaseSheet sheet, final float minEntropy) {
 
     public static void Apply(final BaseSheet sheet, final float minEntropy, final int start, final int stop) {
         for(int j = 0; j <= sheet.getLastColumnNum(); j++) {
-            final HashMap<String, Double> x = new HashMap<>();
+            final var x = new HashMap<String, Double>();
             var n = 0;
             for(int i = start; i <= stop; i++) {
                 if(sheet.hasCellDataAt(j, i)) {
@@ -42,7 +42,7 @@ public static void Apply(final BaseSheet sheet, final float minEntropy, final in
                     }
                 }
             }
-            final float e = (float) computeEntropy(x, n);
+            final var e = (float) computeEntropy(x, n);
             if (e <= minEntropy) {
                 sheet.markColumnAsNull(j);
             }
@@ -51,7 +51,7 @@ public static void Apply(final BaseSheet sheet, final float minEntropy, final in
     }
 
     private static double computeEntropy(HashMap<String, Double> x, double n) {
-        var result = 0.0f;
+        var result = 0.0;
         for (final Entry<String, Double> e: x.entrySet()) {
             double p = e.getValue() / n;
             result += p * Math.log(p) / Math.log(2);

diff --git a/...in/java/com/github/romualdrousseau/any2json/transform/op/DropRowsWhenEntropyLessThan.java b/...in/java/com/github/romualdrousseau/any2json/transform/op/DropRowsWhenEntropyLessThan.java
@@ -12,7 +12,7 @@ public static void Apply(final BaseSheet sheet, final float minEntropy) {
         for(int i = 0; i <= sheet.getLastRowNum(); i++) {
             final var x = new HashMap<String, Double>();
             final var lastColumnNum = sheet.getLastColumnNum(i);
-            var n = 0;
+            int n = 0;
             for(int j = 0; j <= lastColumnNum; j++) {
                 if(sheet.hasCellDataAt(j, i)) {
                     final var value = sheet.getCellDataAt(j, i);
@@ -22,7 +22,7 @@ public static void Apply(final BaseSheet sheet, final float minEntropy) {
                     }
                 }
             }
-            final float e = (float) computeEntropy(x, n);
+            final var e = (float) computeEntropy(x, n);
             if (e <= minEntropy) {
                 sheet.markRowAsNull(i);
             }
@@ -32,8 +32,8 @@ public static void Apply(final BaseSheet sheet, final float minEntropy) {
 
     public static void Apply(final BaseSheet sheet, final float minEntropy, final int start, final int stop) {
         for(int i = 0; i <= sheet.getLastRowNum(); i++) {
-            final HashMap<String, Double> x = new HashMap<>();
-            var n = 0;
+            final var x = new HashMap<String, Double>();
+            int n = 0;
             for(int j = start; j <= stop; j++) {
                 if(sheet.hasCellDataAt(j, i)) {
                     final var value = sheet.getCellDataAt(j, i);
@@ -52,7 +52,7 @@ public static void Apply(final BaseSheet sheet, final float minEntropy, final in
     }
 
     private static double computeEntropy(final HashMap<String, Double> x, final double n) {
-        var result = 0.0f;
+        var result = 0.0;
         for (final Entry<String, Double> e: x.entrySet()) {
             final double p = e.getValue() / n;
             result += p * Math.log(p) / Math.log(2);

diff --git a/any2json/src/main/java/com/github/romualdrousseau/any2json/util/Disk.java b/any2json/src/main/java/com/github/romualdrousseau/any2json/util/Disk.java
@@ -7,12 +7,15 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Comparator;
+import java.util.List;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 import java.util.zip.ZipOutputStream;
 
 public class Disk
 {
+    private static final List<String> DANGEROUS_PATH = List.of("..", ".");
+
     public static void copyDir(Path src, Path dest) throws IOException {
         Files.walk(src).forEach(source -> copyFile(source, dest.resolve(src.relativize(source))));
     }
@@ -25,11 +28,11 @@ public static void deleteDir(final Path dir) throws IOException {
     }
 
     public static void zipDir(final Path sourceDirPath, final File zipFilePath) throws IOException {
-        try (final ZipOutputStream zs = new ZipOutputStream(new FileOutputStream(zipFilePath))) {
+        try (final var zs = new ZipOutputStream(new FileOutputStream(zipFilePath))) {
             Files.walk(sourceDirPath)
                     .filter(path -> !Files.isDirectory(path))
                     .forEach(path -> {
-                        final ZipEntry zipEntry = new ZipEntry(sourceDirPath.relativize(path).toString().replace("\\", "/"));
+                        final var zipEntry = new ZipEntry(sourceDirPath.relativize(path).toString().replace("\\", "/"));
                         try {
                             zs.putNextEntry(zipEntry);
                             Files.copy(path, zs);
@@ -43,16 +46,20 @@ public static void zipDir(final Path sourceDirPath, final File zipFilePath) thro
 
     public static void unzipDir(final Path zipFile, final Path folder) throws IOException {
         final byte[] buffer = new byte[4096];
-        try (final ZipInputStream zis = new ZipInputStream(new FileInputStream(zipFile.toFile()))) {
+        try (final var zis = new ZipInputStream(new FileInputStream(zipFile.toFile()))) {
             ZipEntry ze = zis.getNextEntry();
             while (ze != null) {
-                final Path newFile = folder.resolve(ze.getName());
+                if (DANGEROUS_PATH.contains(ze.getName())) {
+                    continue;
+                }
+
+                final var newFile = folder.resolve(ze.getName());
 
                 // Ensure parent directory exists
                 newFile.getParent().toFile().mkdirs();
 
                 if (!ze.isDirectory()) {
-                    try (final FileOutputStream fos = new FileOutputStream(newFile.toFile())) {
+                    try (final var fos = new FileOutputStream(newFile.toFile())) {
                         int len;
                         while ((len = zis.read(buffer)) > 0) {
                             fos.write(buffer, 0, len);
@@ -75,8 +82,8 @@ public static void copyFile(Path src, Path dest) {
     }
 
     public static void removeFileName(final Path filename1, final Path filename2) {
-        final File file1 = filename1.toFile();
-        final File file2 = filename2.toFile();
+        final var file1 = filename1.toFile();
+        final var file2 = filename2.toFile();
         file1.renameTo(file2);
     }