yup #89
yup #89
Conversation
…uaViewSDK into feature/playground
…ground Conflicts: Android/LuaViewDemo/LuaViewDemo.iml Android/LuaViewSDK/LuaViewSDK.iml
Dev 5.10.0 playground See merge request !54
# Conflicts: # LuaViewSDK.podspec
|
城西 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
|
城西 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| <repository> | ||
| <id>releases</id> | ||
| <url>http://mvnrepo.alibaba-inc.com/mvn/releases</url> | ||
| </repository> |
Check failure
Code scanning / CodeQL
Failure to use HTTPS or SFTP URL in Maven artifact upload/download High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
To fix the issue, the repository URLs in the <distributionManagement> section of the Maven POM file should be updated to use HTTPS instead of HTTP. This ensures secure communication with the artifact repository, protecting against MITM attacks and supply chain vulnerabilities.
Steps to implement the fix:
- Locate the
<distributionManagement>section in the POM file. - Update the
<url>elements for both<repository>and<snapshotRepository>to use HTTPS instead of HTTP. - Verify that the repository supports HTTPS and that the updated URLs are correct.
No additional methods, imports, or definitions are required for this fix.
| @@ -55,12 +55,12 @@ | ||
|
|
||
| <distributionManagement> | ||
| <repository> | ||
| <id>releases</id> | ||
| <url>http://mvnrepo.alibaba-inc.com/mvn/releases</url> | ||
| </repository> | ||
| <snapshotRepository> | ||
| <id>snapshots</id> | ||
| <url>http://mvnrepo.alibaba-inc.com/mvn/snapshots</url> | ||
| </snapshotRepository> | ||
| </distributionManagement> | ||
| <distributionManagement> | ||
| <repository> | ||
| <id>releases</id> | ||
| <url>https://mvnrepo.alibaba-inc.com/mvn/releases</url> | ||
| </repository> | ||
| <snapshotRepository> | ||
| <id>snapshots</id> | ||
| <url>https://mvnrepo.alibaba-inc.com/mvn/snapshots</url> | ||
| </snapshotRepository> | ||
| </distributionManagement> | ||
|
|
| <snapshotRepository> | ||
| <id>snapshots</id> | ||
| <url>http://mvnrepo.alibaba-inc.com/mvn/snapshots</url> | ||
| </snapshotRepository> |
Check failure
Code scanning / CodeQL
Failure to use HTTPS or SFTP URL in Maven artifact upload/download High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
To fix the issue, the repository URLs in the <distributionManagement> section should be updated to use HTTPS instead of HTTP. This ensures that all communication with the artifact repository is encrypted and secure.
Steps to implement the fix:
- Replace the
http://protocol in the<url>tags of both<repository>and<snapshotRepository>withhttps://. - Verify that the repository supports HTTPS and update any necessary credentials or configurations if required.
| @@ -58,3 +58,3 @@ | ||
| <id>releases</id> | ||
| <url>http://mvnrepo.alibaba-inc.com/mvn/releases</url> | ||
| <url>https://mvnrepo.alibaba-inc.com/mvn/releases</url> | ||
| </repository> | ||
| @@ -62,3 +62,3 @@ | ||
| <id>snapshots</id> | ||
| <url>http://mvnrepo.alibaba-inc.com/mvn/snapshots</url> | ||
| <url>https://mvnrepo.alibaba-inc.com/mvn/snapshots</url> | ||
| </snapshotRepository> |
| DebugUtil.tsi("luaviewp-unpackBundle-zip"); | ||
| while ((entry = zipStream.getNextEntry()) != null) { | ||
| // 处理../ 这种方式只能使用单层路径,不能处理子目录,在这里可以添加公用path | ||
| rawName = entry.getName(); |
Check failure
Code scanning / CodeQL
Arbitrary file access during archive extraction ("Zip Slip") High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
To fix the issue, we need to validate the constructed file paths to ensure they remain within the intended directory (scriptBundleFolderPath). This can be achieved by normalizing the paths using java.io.File.getCanonicalFile() or java.nio.file.Path.normalize() and verifying that the normalized path starts with the intended directory's canonical path. If the validation fails, the code should throw an exception or skip processing the entry.
Steps to implement the fix:
- Normalize the constructed file path using
File.getCanonicalFile()to resolve any symbolic links or traversal sequences. - Validate that the normalized path starts with the canonical path of the destination directory (
scriptBundleFolderPath). - Reject or skip entries that fail the validation.
| @@ -211,3 +211,7 @@ | ||
| filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName); | ||
| File dir = new File(filePath); | ||
| File dir = new File(filePath).getCanonicalFile(); | ||
| File baseDir = new File(scriptBundleFolderPath).getCanonicalFile(); | ||
| if (!dir.getPath().startsWith(baseDir.getPath())) { | ||
| throw new IOException("Invalid zip entry: " + rawName); | ||
| } | ||
| if (!dir.exists()) { | ||
| @@ -226,3 +230,8 @@ | ||
| filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName); | ||
| luaRes.put(filePath, fileData); | ||
| File file = new File(filePath).getCanonicalFile(); | ||
| File baseDir = new File(scriptBundleFolderPath).getCanonicalFile(); | ||
| if (!file.getPath().startsWith(baseDir.getPath())) { | ||
| throw new IOException("Invalid zip entry: " + rawName); | ||
| } | ||
| luaRes.put(file.getPath(), fileData); | ||
| } |
| if (entry.isDirectory()) { | ||
| filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName); | ||
| File dir = new File(filePath); | ||
| if (!dir.exists()) { |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
To fix the issue, we need to validate the constructed paths to ensure they remain within a controlled directory and do not contain any path traversal sequences or special characters. This can be achieved by normalizing the paths and verifying that they start with the expected base directory (scriptBundleFolderPath). Additionally, we should reject any input that contains path separators (/ or \) or .. sequences.
Steps to implement the fix:
- Use
java.nio.file.Pathsto normalize the constructed paths and verify that they remain within thescriptBundleFolderPath. - Add a validation step to reject any
rawNamethat contains path separators (/or\) or..sequences. - Ensure that the
FileUtil.getSecurityFileNamemethod is robust and complements the validation logic.
| @@ -202,5 +202,5 @@ | ||
| rawName = entry.getName(); | ||
| if (rawName == null || rawName.indexOf("../") != -1) { | ||
| if (rawName == null || rawName.contains("..") || rawName.contains("/") || rawName.contains("\\")) { | ||
| zipStream.close(); | ||
| return null; | ||
| throw new IllegalArgumentException("Invalid entry name in zip file: " + rawName); | ||
| } | ||
| @@ -209,5 +209,12 @@ | ||
|
|
||
| filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName); | ||
| Path normalizedPath = Paths.get(filePath).normalize(); | ||
| Path basePath = Paths.get(scriptBundleFolderPath).normalize(); | ||
| if (!normalizedPath.startsWith(basePath)) { | ||
| zipStream.close(); | ||
| throw new IllegalArgumentException("Path traversal detected: " + filePath); | ||
| } | ||
|
|
||
| if (entry.isDirectory()) { | ||
| filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName); | ||
| File dir = new File(filePath); | ||
| File dir = new File(normalizedPath.toString()); | ||
| if (!dir.exists()) { |
| filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName); | ||
| File dir = new File(filePath); | ||
| if (!dir.exists()) { | ||
| dir.mkdir(); |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
| if (cipher == null) { | ||
| final SecretKeySpec skeySpec = new SecretKeySpec(keys, ALGORITHM_AES); | ||
| final IvParameterSpec ivParameterSpec = new IvParameterSpec(cIv); | ||
| cipher = Cipher.getInstance(ALGORITHM_AES); |
Check failure
Code scanning / CodeQL
Use of a broken or risky cryptographic algorithm High
| final SecretKeySpec skeySpec = new SecretKeySpec(keys, ALGORITHM_AES); | ||
| final IvParameterSpec ivParameterSpec = new IvParameterSpec(cIv); | ||
| cipher = Cipher.getInstance(ALGORITHM_AES); | ||
| cipher.init(Cipher.DECRYPT_MODE, skeySpec, ivParameterSpec); |
Check failure
Code scanning / CodeQL
Using a static initialization vector for encryption High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
To fix the issue, we need to replace the static IV (cIv) with a dynamically generated random IV for each encryption session. This can be achieved using SecureRandom to generate a random IV. The IV should be stored alongside the ciphertext to allow decryption later, as the IV is required for decryption.
In the provided code, the aes method initializes the Cipher object for decryption. To ensure compatibility with encryption, the IV should be passed as an additional parameter to the aes method. This requires modifying the method signature and updating the logic to use a dynamic IV.
| @@ -34,7 +34,3 @@ | ||
| private static final String CACHE_PUBLIC_KEY = AppCache.CACHE_PUBLIC_KEY; | ||
| public static final byte[] cIv = new byte[16]; | ||
|
|
||
| static { | ||
| Arrays.fill(cIv, (byte) 0); | ||
| } | ||
| // Removed static IV definition and initialization. | ||
|
|
||
| @@ -72,3 +68,3 @@ | ||
| */ | ||
| public static byte[] aes(final byte[] keys, final byte[] encrypted) { | ||
| public static byte[] aes(final byte[] keys, final byte[] encrypted, final byte[] iv) { | ||
| try { | ||
| @@ -77,3 +73,3 @@ | ||
| final SecretKeySpec skeySpec = new SecretKeySpec(keys, ALGORITHM_AES); | ||
| final IvParameterSpec ivParameterSpec = new IvParameterSpec(cIv); | ||
| final IvParameterSpec ivParameterSpec = new IvParameterSpec(iv); | ||
| cipher = Cipher.getInstance(ALGORITHM_AES); |
|
|
||
| public long skip(long n) throws IOException { | ||
| final long k = Math.min(n, j - i); | ||
| i += k; |
Check failure
Code scanning / CodeQL
Implicit narrowing conversion in compound assignment High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
To fix the issue, we need to ensure that the types of the variables involved in the compound assignment are compatible. Since k is of type long, we should change the type of i from int to long. This will eliminate the need for an implicit cast and prevent potential data loss or overflow. The change should be made in the declaration of i on line 452, as well as in any other parts of the code that depend on i.
| @@ -451,3 +451,4 @@ | ||
| protected byte[] b; | ||
| protected int i = 0, j = 0; | ||
| protected long i = 0; | ||
| protected int j = 0; | ||
|
|
|
|
||
| void reserveregs(int n) { | ||
| this.checkstack(n); | ||
| this.freereg += n; |
Check failure
Code scanning / CodeQL
Implicit narrowing conversion in compound assignment High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
To fix the issue, we need to ensure that the type of freereg is at least as wide as the type of n to avoid implicit narrowing conversions. The best approach is to change the type of freereg from short to int. This ensures that the result of this.freereg + n remains within the bounds of the type and avoids the need for an implicit cast.
The changes required are:
- Update the declaration of
freeregon line 66 to useintinstead ofshort. - Ensure that all references to
freeregin the file remain consistent with the new type.
| @@ -65,3 +65,3 @@ | ||
| short nups; /* number of upvalues */ | ||
| short freereg; /* first free register */ | ||
| int freereg; /* first free register */ | ||
|
|
| <!--shake--> | ||
| <uses-permission android:name="android.permission.VIBRATE"/> | ||
| <uses-sdk android:minSdkVersion="14"/> | ||
| <application android:allowBackup="true" android:label="@string/app_name" tools:replace="android:allowBackup,android:label" android:debuggable="true"> |
Check failure
Code scanning / CodeQL
Android debuggable attribute enabled High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
To fix the issue, the android:debuggable attribute should either be removed entirely or explicitly set to false. The default value for android:debuggable is false when the attribute is omitted, so removing it is sufficient. This ensures that the application cannot be debugged in production, adhering to best practices for security.
The change should be made in the Android/LuaViewSDK/target/AndroidManifest.xml file, specifically on line 20 where the android:debuggable attribute is currently set to true.
| @@ -19,3 +19,3 @@ | ||
| <uses-sdk android:minSdkVersion="14"/> | ||
| <application android:allowBackup="true" android:label="@string/app_name" tools:replace="android:allowBackup,android:label" android:debuggable="true"> | ||
| <application android:allowBackup="true" android:label="@string/app_name" tools:replace="android:allowBackup,android:label"> | ||
| <activity android:name="com.taobao.luaview.activity.LuaViewActivity"/> |
macports.conf.5.txt