icsharpcode / SharpZipLib

#ziplib is a Zip, GZip, Tar and BZip2 library written entirely in C# for the .NET platform.
http://icsharpcode.github.io/SharpZipLib/
MIT License

SonarQube vulnerability issue #743

Status: Closed (busrau closed this issue 2 years ago)

busrau commented 2 years ago

Lucene.Net has a dependency on SharpZipLib 0.86.0 and SonarQube reports are saying:

Category: CWE-22 | SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry ../evil.txt may be extracted in the parent directory of destFolder. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.

Do you think there is any way to prevent this error, any patch or update?
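The CWE-22 finding quoted above describes a TAR entry named `../evil.txt` being written outside destFolder. The following is an added example, not code from this issue or from SharpZipLib itself; it shows the check a caller can apply on any library version, including the 0.86.0 pulled in here: every entry name is resolved against the destination root before anything is written, names that escape the root (parent-directory components or absolute paths) are refused, and hard/symbolic link entries are refused too. It assumes SharpZipLib's public TarInputStream, TarOutputStream and TarEntry API as shipped in 0.86 and 1.x; the names SafeTarExtract, IsInsideDestination, Extract, AddEntry and BuildTar are made up for the example, and the two tar entries are constructed in memory.

```csharp
using System;
using System.IO;
using System.Text;
using ICSharpCode.SharpZipLib.Tar;

// Added example (not SharpZipLib's own code). Type and method names below are
// invented for illustration; only the ICSharpCode.SharpZipLib.Tar calls are real.
static class SafeTarExtract
{
    // True only if entryName, resolved against destFolder, still lies inside destFolder.
    // Handles "../evil.txt", "docs/../../evil.txt" and absolute names alike.
    public static bool IsInsideDestination(string destFolder, string entryName)
    {
        if (string.IsNullOrEmpty(entryName) || Path.IsPathRooted(entryName))
            return false;                                   // "/etc/passwd", "C:\x"

        string root = Path.GetFullPath(destFolder)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;                  // "<dest>/" so "<dest>2/x" cannot match
        string target = Path.GetFullPath(Path.Combine(root, entryName));
        return target.StartsWith(root, StringComparison.Ordinal);
    }

    // Extracts tarStream into destFolder, refusing any entry that would escape it.
    public static void Extract(Stream tarStream, string destFolder)
    {
        using (var tarIn = new TarInputStream(tarStream))
        {
            TarEntry entry;
            while ((entry = tarIn.GetNextEntry()) != null)
            {
                if (!IsInsideDestination(destFolder, entry.Name))
                    throw new InvalidDataException("Tar entry escapes destination: " + entry.Name);

                // Link entries point at an arbitrary target; do not reproduce them at all.
                byte type = entry.TarHeader.TypeFlag;
                if (type == TarHeader.LF_SYMLINK || type == TarHeader.LF_LINK)
                    throw new InvalidDataException("Tar link entry refused: " + entry.Name);

                string target = Path.GetFullPath(Path.Combine(destFolder, entry.Name));
                if (entry.IsDirectory)
                {
                    Directory.CreateDirectory(target);
                    continue;
                }
                Directory.CreateDirectory(Path.GetDirectoryName(target));
                using (var outFile = File.Create(target))
                    tarIn.CopyEntryContents(outFile);       // streams just this entry's bytes
            }
        }
    }

    // Writes one regular-file entry with the given name into tarOut.
    static void AddEntry(TarOutputStream tarOut, string name, string content)
    {
        byte[] data = Encoding.UTF8.GetBytes(content);
        TarEntry entry = TarEntry.CreateTarEntry(name);
        entry.Size = data.Length;
        tarOut.PutNextEntry(entry);
        tarOut.Write(data, 0, data.Length);
        tarOut.CloseEntry();
    }

    // Constructed sample input: one benign entry and one traversal entry, built in memory.
    static MemoryStream BuildTar()
    {
        var buffer = new MemoryStream();
        using (var tarOut = new TarOutputStream(buffer))
        {
            AddEntry(tarOut, "docs/readme.txt", "harmless\n");
            AddEntry(tarOut, "../evil.txt", "written outside destFolder if unchecked\n");
        }
        return new MemoryStream(buffer.ToArray());
    }

    static void Main()
    {
        string dest = Path.Combine(Path.GetTempPath(), "szl-safe-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(dest);

        Console.WriteLine("docs/readme.txt inside: " + IsInsideDestination(dest, "docs/readme.txt"));
        Console.WriteLine("../evil.txt inside:     " + IsInsideDestination(dest, "../evil.txt"));

        try
        {
            Extract(BuildTar(), dest);
            Console.WriteLine("extracted without incident");
        }
        catch (InvalidDataException ex)
        {
            Console.WriteLine("refused: " + ex.Message);
        }
    }
}
```

The check is deliberately done on the resolved absolute path rather than by searching the name for "..", because names such as "docs/../../evil.txt" or an absolute path are just as dangerous and a substring test misses them. Refusing rather than silently skipping a bad entry is the safer default, since an archive containing a traversal entry is almost never a legitimate input.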

christophwille commented 2 years ago

https://github.com/apache/lucenenet/search?q=SharpZipLibPackageVersion According to this search, SZL is only used for benchmarks.

busrau commented 2 years ago

What can I do to avoid this error in Sonar reports?

piksel commented 2 years ago

Either ask Lucene.Net to update to a newer version or stop using Lucene.Net, I guess? Or check the sonar docs for a way to ignore. Either way, it's not something we can do.