SONAR-17183 Fix SSF-207
authorZipeng WU <zipeng.wu@sonarsource.com>
Mon, 15 Aug 2022 06:31:14 +0000 (08:31 +0200)
committersonartech <sonartech@sonarsource.com>
Tue, 23 Aug 2022 20:03:04 +0000 (20:03 +0000)
build.gradle
server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/ExtractReportStep.java
server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/step/ExtractReportStepTest.java
server/sonar-ce-task-projectanalysis/src/test/resources/org/sonar/ce/task/projectanalysis/step/ExtractReportStepTest/zip-bomb.zip [new file with mode: 0644]

index c576ccef91db78abe191e1a2c16ba5c93f2b2ab5..5d6e47a450262fb5b707f8cd599f4ec72a5bd68a 100644 (file)
@@ -179,7 +179,7 @@ subprojects {
       dependency 'org.sonarsource.kotlin:sonar-kotlin-plugin:2.10.0.1456'
       dependency 'org.sonarsource.slang:sonar-ruby-plugin:1.10.0.3710'
       dependency 'org.sonarsource.slang:sonar-scala-plugin:1.10.0.3710'
-      dependency 'org.sonarsource.api.plugin:sonar-plugin-api:9.9.0.229'
+      dependency 'org.sonarsource.api.plugin:sonar-plugin-api:9.10.0.269'
       dependency 'org.sonarsource.xml:sonar-xml-plugin:2.5.0.3376'
       dependency 'org.sonarsource.iac:sonar-iac-plugin:1.9.2.2279'
       dependency 'org.sonarsource.text:sonar-text-plugin:1.1.0.282'
index 13662b05974aeb55ff0e4dfeae21f6049cde222a..449e2e86d6c3cdf4d8ffbf8474548aef28758dc2 100644 (file)
@@ -45,6 +45,7 @@ import static org.sonar.core.util.FileUtils.humanReadableByteCountSI;
  */
 public class ExtractReportStep implements ComputationStep {
 
+  static final long REPORT_SIZE_THRESHOLD_IN_BYTES = 2_000_000_000;
   private static final Logger LOGGER = Loggers.get(ExtractReportStep.class);
 
   private final DbClient dbClient;
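Review bot: The new package-private constant `REPORT_SIZE_THRESHOLD_IN_BYTES` on line 27 carries no documentation, so a reader cannot tell whether it bounds the total uncompressed size, a single entry, or something else, nor why 2 GB was chosen. Since it is the only visible guard against a decompression bomb in this step, a short Javadoc would help: `/** Upper bound on the uncompressed size of an analysis report; extraction aborts once this many bytes have been written (SONAR-17183). Package-private so tests can reference it. */`. The literal would also read more clearly with an explicit `long` suffix, `2_000_000_000L`, matching the declared type. The usage on line 36 in the second hunk is the only call site this commit shows.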
@@ -68,7 +69,7 @@ public class ExtractReportStep implements ComputationStep {
         File unzippedDir = tempFolder.newDir();
         try (DbInputStream reportStream = opt.get();
              InputStream zipStream = new BufferedInputStream(reportStream)) {
-          ZipUtils.unzip(zipStream, unzippedDir);
+          ZipUtils.unzip(zipStream, unzippedDir, REPORT_SIZE_THRESHOLD_IN_BYTES);
         } catch (IOException e) {
           throw new IllegalStateException("Fail to extract report " + task.getUuid() + " from database", e);
         }
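Review bot: The `catch (IOException e)` on line 37 appears not to cover the new threshold failure: the test added in ExtractReportStepTest asserts the raw message "Decompression failed because unzipped size reached threshold: 2000000000 bytes" rather than the wrapped "Fail to extract report ..." one, which suggests `ZipUtils.unzip(...)` throws an unchecked exception on line 36 that bypasses this block. If that is intended, the resulting error loses the task UUID and the "from database" context that every other failure in this method carries, which makes the condition harder to correlate in logs; consider catching it here as well and rethrowing with the same context, e.g. `catch (IOException | IllegalStateException e) { throw new IllegalStateException("Fail to extract report " + task.getUuid() + " from database", e); }`, and adjusting the test expectation accordingly. The enclosing method starts and ends outside this hunk, so I cannot confirm there is no outer handler.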
index 47038e99dc26d010c1d4d04ef175e06387eeff7f..980a0c9dc052b51e85f3da4c58a56689703d8fc0 100644 (file)
@@ -22,6 +22,7 @@ package org.sonar.ce.task.projectanalysis.step;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.URL;
 import org.apache.commons.io.FileUtils;
 import org.junit.Rule;
 import org.junit.Test;
@@ -91,6 +92,21 @@ public class ExtractReportStepTest {
     assertThat(logTester.logs(LoggerLevel.DEBUG)).anyMatch(log -> log.matches("Analysis report is \\d+ bytes uncompressed"));
   }
 
+  @Test
+  public void unzip_report_should_fail_if_unzip_size_exceed_threshold() throws Exception {
+    logTester.setLevel(LoggerLevel.DEBUG);
+    URL zipBombFile = getClass().getResource("/org/sonar/ce/task/projectanalysis/step/ExtractReportStepTest/zip-bomb.zip");
+    try (InputStream input = zipBombFile.openStream()) {
+      dbTester.getDbClient().ceTaskInputDao().insert(dbTester.getSession(), TASK_UUID, input);
+    }
+    dbTester.getSession().commit();
+    dbTester.getSession().close();
+
+    assertThatThrownBy(() -> underTest.execute(new TestComputationStepContext()))
+      .isInstanceOf(IllegalStateException.class)
+      .hasMessage("Decompression failed because unzipped size reached threshold: 2000000000 bytes");
+  }
+
   private File generateReport() throws IOException {
     File zipDir = tempFolder.newDir();
     File metadataFile = new File(zipDir, "metadata.pb");
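Review bot: The new test hard-codes the threshold value `2000000000` in the expected message on line 65 even though `REPORT_SIZE_THRESHOLD_IN_BYTES` is package-private in the same package; any future change to the constant would break this assertion for the wrong reason. Prefer deriving it: `.hasMessage("Decompression failed because unzipped size reached threshold: " + ExtractReportStep.REPORT_SIZE_THRESHOLD_IN_BYTES + " bytes");`. Separately, `getClass().getResource(...)` on line 56 returns null when the resource is missing from the test classpath, which would surface as a NullPointerException at `openStream()` on line 57 instead of a clear failure; an `assertThat(zipBombFile).isNotNull();` before the try block makes the precondition explicit. The `logTester.setLevel(LoggerLevel.DEBUG)` call on line 55 seems unused since nothing in this test asserts on logs, unless it is needed for a side effect I cannot see.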
diff --git a/server/sonar-ce-task-projectanalysis/src/test/resources/org/sonar/ce/task/projectanalysis/step/ExtractReportStepTest/zip-bomb.zip b/server/sonar-ce-task-projectanalysis/src/test/resources/org/sonar/ce/task/projectanalysis/step/ExtractReportStepTest/zip-bomb.zip
new file mode 100644 (file)
index 0000000..d06da2c
Binary files /dev/null and b/server/sonar-ce-task-projectanalysis/src/test/resources/org/sonar/ce/task/projectanalysis/step/ExtractReportStepTest/zip-bomb.zip differ