{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":632256243,"defaultBranch":"master","name":"testng-7.5","ownerLogin":"prashil-g","currentUserCanPush":false,"isFork":true,"isEmpty":false,"createdAt":"2023-04-25T03:19:18.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/95269280?v=4","public":true,"private":false,"isOrgOwned":false},"refInfo":{"name":"","listCacheKey":"v0:1682392765.450291","currentOid":""},"activityList":{"items":[{"before":"f26498233fc910a348b06e8e7564544c9a508464","after":"c960951f91874d09ac0f94ee5016eb8bf57fcb1b","ref":"refs/heads/release_7.5","pushedAt":"2023-04-25T03:22:24.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"prashil-g","name":"Prashil Gupta","path":"/prashil-g","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/95269280?s=80&v=4"},"commit":{"message":"Cherrypick - 47afa2c8a29e2cf925238af1ad7c76fba282793f to 7.5 release\n\nvuln-fix: Zip Slip Vulnerability\n\nThis fixes a Zip-Slip vulnerability.\n\nThis change does one of two things. This change either\n\n1. Inserts a guard to protect against Zip Slip.\nOR\n2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.\n\nFor number 2, consider `\"/usr/outnot\".startsWith(\"/usr/out\")`.\nThe check is bypassed although `/outnot` is not under the `/out` directory.\nIt's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.\nFor example, on Linux, `println(new File(\"/var\"))` will print `/var`, but `println(new File(\"/var\", \"/\")` will print `/var/`;\nhowever, `println(new File(\"/var\", \"/\").getCanonicalPath())` will print `/var`.\n\nWeakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nSeverity: High\nCVSS: 7.4\nDetection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)\n\nReported-by: Jonathan Leitschuh \nSigned-off-by: Jonathan Leitschuh \n\nBug-tracker: https://github.com/JLLeitschuh/security-research/issues/16\n\nCo-authored-by: Moderne ","shortMessageHtmlLink":"Cherrypick - 47afa2c to 7.5 release"}}],"hasNextPage":false,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAADH3-ZbQA","startCursor":null,"endCursor":null}},"title":"Activity · prashil-g/testng-7.5"}