github-advanced-security[bot] commented on code in PR #474:
URL: https://github.com/apache/datasketches-java/pull/474#discussion_r1371097139
##########
src/main/java/org/apache/datasketches/common/Util.java:
##########
@@ -819,4 +833,190 @@
return c.compare((T)item1, (T)item2) <= 0;
}
+ //Get Resources
+
+ /**
+ * Gets the file defined by the given resource file's shortFileName.
+ * @param shortFileName the last name in the pathname's name sequence.
+ * @return the file defined by the given resource file's shortFileName.
+ */
+ public static File getResourceFile(final String shortFileName) {
+ Objects.requireNonNull(shortFileName, "input parameter 'String
shortFileName' cannot be null.");
+ final String slashName = (shortFileName.charAt(0) == '/') ? shortFileName
: '/' + shortFileName;
+ final URL url = Util.class.getResource(slashName);
+ Objects.requireNonNull(url, "resource " + slashName + " returns null
URL.");
+ File file;
+ file = createTempFile(slashName);
+ if (url.getProtocol().equals("jar")) { //definitely a jar
+ try (final InputStream input = Util.class.getResourceAsStream(slashName);
+ final OutputStream out = new FileOutputStream(file)) {
+ Objects.requireNonNull(input, "InputStream is null.");
+ int numRead = 0;
+ final byte[] buf = new byte[1024];
+ while ((numRead = input.read(buf)) != -1) { out.write(buf, 0,
numRead); }
+ } catch (final IOException e ) { throw new RuntimeException(e); }
+ } else { //protocol says resource is not a jar, must be a file
+ file = new File(getResourcePath(url));
+ }
+ if (!file.setReadable(false, true)) {
+ throw new IllegalStateException("Failed to set owner only 'Readable' on
file");
+ }
+ if (!file.setWritable(false, false)) {
+ throw new IllegalStateException("Failed to set everyone 'Not Writable'
on file");
+ }
+ return file;
+ }
+
+ /**
+ * Returns a byte array of the contents of the file defined by the given
resource file's shortFileName.
+ * @param shortFileName the last name in the pathname's name sequence.
+ * @return a byte array of the contents of the file defined by the given
resource file's shortFileName.
+ * @throws IllegalArgumentException if resource cannot be read.
+ */
+ public static byte[] getResourceBytes(final String shortFileName) {
+ Objects.requireNonNull(shortFileName, "input parameter 'String
shortFileName' cannot be null.");
+ final String slashName = (shortFileName.charAt(0) == '/') ? shortFileName
: '/' + shortFileName;
+ final URL url = Util.class.getResource(slashName);
+ Objects.requireNonNull(url, "resource " + slashName + " returns null
URL.");
+ final byte[] out;
+ if (url.getProtocol().equals("jar")) { //definitely a jar
+ try (final InputStream input =
Util.class.getResourceAsStream(slashName)) {
+ out = readAllBytesFromInputStream(input);
+ } catch (final IOException e) { throw new RuntimeException(e); }
+ } else { //protocol says resource is not a jar, must be a file
+ try {
+ out = Files.readAllBytes(Paths.get(getResourcePath(url)));
+ } catch (final IOException e) { throw new RuntimeException(e); }
+ }
+ return out;
+ }
+
+ /**
+ * Note: This is only needed in Java 8 as it is part of Java 9+.
+ * Read all bytes from the given <i>InputStream</i>.
+ * This is limited to streams that are no longer than the maximum
allocatable byte array determined by the VM.
+ * This may be a little smaller than <i>Integer.MAX_VALUE</i>.
+ * @param in the Input Stream
+ * @return byte array
+ */
+ public static byte[] readAllBytesFromInputStream(final InputStream in) {
+ return readBytesFromInputStream(Integer.MAX_VALUE, in);
+ }
+
+ private static final int BUF_SIZE = 1 << 13;
+
+ /**
+ * Note: This is only needed in Java 8 as is part of Java 9+.
+ * Read <i>numBytesToRead</i> bytes from an input stream into a single byte
array.
+ * This is limited to streams that are no longer than the maximum
allocatable byte array determined by the VM.
+ * This may be a little smaller than <i>Integer.MAX_VALUE</i>.
+ * @param numBytesToRead number of bytes to read
+ * @param in the InputStream
+ * @return the filled byte array from the input stream
+ * @throws IllegalArgumentException if array size grows larger than what can
be safely allocated by some VMs.
+
+ */
+ public static byte[] readBytesFromInputStream(final int numBytesToRead,
final InputStream in) {
+ if (numBytesToRead < 0) { throw new
IllegalArgumentException("numBytesToRead must be positive or zero."); }
+
+ List<byte[]> buffers = null;
+ byte[] result = null;
+ int totalBytesRead = 0;
+ int remaining = numBytesToRead;
+ int chunkCnt;
+ do {
+ final byte[] partialBuffer = new byte[Math.min(remaining, BUF_SIZE)];
+ int numRead = 0;
+
+ try {
+ // reads input stream in chunks of partial buffers, stops at EOF or
when remaining is zero.
+ while ((chunkCnt =
+ in.read(partialBuffer, numRead, Math.min(partialBuffer.length
- numRead, remaining))) > 0) {
+ numRead += chunkCnt;
+ remaining -= chunkCnt;
+ }
+ } catch (final IOException e) { throw new RuntimeException(e); }
+
+ if (numRead > 0) {
+ if (Integer.MAX_VALUE - Long.BYTES - totalBytesRead < numRead) {
+ throw new IllegalArgumentException(
+ "Input stream is larger than what can be safely allocated as
a byte[] in some VMs."); }
+ totalBytesRead += numRead;
+ if (result == null) {
+ result = partialBuffer;
+ } else {
+ if (buffers == null) {
+ buffers = new ArrayList<>();
+ buffers.add(result);
+ }
+ buffers.add(partialBuffer);
+ }
+ }
+ } while (chunkCnt >= 0 && remaining > 0);
+
+ final byte[] out;
+ if (buffers == null) {
+ if (result == null) {
+ out = new byte[0];
+ } else {
+ out = result.length == totalBytesRead ? result :
Arrays.copyOf(result, totalBytesRead);
+ }
+ return out;
+ }
+
+ result = new byte[totalBytesRead];
+ int offset = 0;
+ remaining = totalBytesRead;
+ for (byte[] b : buffers) {
+ final int count = Math.min(b.length, remaining);
+ System.arraycopy(b, 0, result, offset, count);
+ offset += count;
+ remaining -= count;
+ }
+ return result;
+ }
+
+ private static String getResourcePath(final URL url) { //must not be null
+ try {
+ final URI uri = url.toURI();
+ //decodes any special characters
+ final String path = uri.isAbsolute() ?
Paths.get(uri).toAbsolutePath().toString() : uri.getPath();
+ return path;
+ } catch (final URISyntaxException e) {
+ throw new IllegalArgumentException("Cannot find resource: " +
url.toString() + LS + e);
+ }
+ }
+
+ /**
+ * Create an empty temporary file.
+ * On a Mac these files are stored at the system variable $TMPDIR. They
should be cleared on a reboot.
+ * @param shortFileName the name before prefixes and suffixes are added here
and by the OS.
+ * The final extension will be the current extension. The prefix "temp_" is
added here.
+ * @return a temp file,which will be eventually deleted by the OS
+ */
+ private static File createTempFile(final String shortFileName) {
+ //remove any leading slash
+ final String resName = (shortFileName.charAt(0) == '/') ?
shortFileName.substring(1) : shortFileName;
+ final String suffix;
+ final String name;
+ final int lastIdx = resName.length() - 1;
+ final int lastIdxOfDot = resName.lastIndexOf('.');
+ if (lastIdxOfDot == -1) {
+ suffix = ".tmp";
+ name = resName;
+ } else if (lastIdxOfDot == lastIdx) {
+ suffix = ".tmp";
+ name = resName.substring(0, lastIdxOfDot);
+ } else { //has a real suffix
+ suffix = resName.substring(lastIdxOfDot);
+ name = resName.substring(0, lastIdxOfDot);
+ }
+ final File file;
+ try {
+ file = File.createTempFile("temp_" + name, suffix);
Review Comment:
## Local information disclosure in a temporary directory
Local information disclosure vulnerability due to use of file readable by
other local users.
[Show more
details](https://github.com/apache/datasketches-java/security/code-scanning/649)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
