Potential fix for code scanning alert no. 1: Arbitrary file access during archive extraction ("Zip Slip") #1087

Open
smals-jy wants to merge 2 commits into main from alert-autofix-1

@smals-jy smals-jy commented Jun 19, 2026


Potential fix for https://github.com/smals-jy/evs/security/code-scanning/1

To fix the problem, we need to ensure that the file paths constructed from jar entry names are validated to prevent directory traversal attacks. This can be achieved by verifying that the normalized full path of the output file starts with a prefix that matches the destination directory. We will use java.nio.file.Path.normalize() and java.nio.file.Path.startsWith() for this purpose.

  1. Modify the getMatchingJarEntries method in ResourceResolver.java to validate the jar entry names.
  2. Ensure that the constructed file paths are within the intended directory.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced validation when loading resources from archives and disk locations
    • Improved path security checks to prevent unauthorized file access

…ring archive extraction ("Zip Slip")

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@smals-jy smals-jy marked this pull request as ready for review June 19, 2026 10:37

coderabbitai Bot commented Jun 19, 2026


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 77539d57-6bb4-40f1-b655-e3825758833b

📥 Commits

Reviewing files that changed from the base of the PR and between a5b9a16 and bd21580.

📒 Files selected for processing (1)
  • core/src/main/java/org/imec/ivlab/core/util/ResourceResolver.java
Walkthrough

Two resource-scanning methods gain path-normalization guards against directory traversal. ResourceResolver.getMatchingJarEntries now normalizes jar entry names and the startsWith prefix as File paths before accepting entries. TableDefinitionReader.getFilesWithSuffix normalizes resolved file paths and rejects any path that falls outside folderToScan.

Changes

Directory Traversal Prevention

| Layer / File(s) | Summary |
| --- | --- |
| Path traversal guards in jar and disk resource scanning: core/src/main/java/org/imec/ivlab/core/util/ResourceResolver.java, core/src/main/java/org/imec/ivlab/core/kmehr/tables/TableDefinitionReader.java | getMatchingJarEntries captures jarEntry.getName() into entryName, normalizes it alongside startsWith as File paths, and throws IOException if the normalized entry does not start with the normalized prefix. getFilesWithSuffix normalizes resourceAsFile and throws IOException if it does not start with the normalized folderToScan path. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐇 A bunny guards the folder door,
No sneaky paths shall slip through more!
Normalized and checked with care,
Traversal tricks find nothing there.
The warren's safe, the entries clean — ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: a fix for a Zip Slip vulnerability (arbitrary file access during archive extraction). It directly corresponds to the PR's core objective of addressing code scanning alert no. 1. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@smals-jy


@coderabbitai Code doesn't compile because of this change, can you give full code & stuff that must be changed because of that? Thx

coderabbitai Bot commented Jun 19, 2026


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get the PR diff
gh pr view 1087 --repo smals-jy/evs --json files,body,title

Length of output: 1695


🏁 Script executed:

#!/bin/bash
# Find ResourceResolver.java
fd ResourceResolver.java --exec cat {}

Length of output: 4664


🏁 Script executed:

#!/bin/bash
# Get the PR diff to see exactly what changed
gh api repos/smals-jy/evs/pulls/1087/files | jq -r '.[] | "=== " + .filename + " ===\n" + .patch'

Length of output: 2635


🏁 Script executed:

#!/bin/bash
# Find and cat TableDefinitionReader.java
fd TableDefinitionReader.java --exec cat {}

Length of output: 11134



@smals-jy There are two problems with the TableDefinitionReader.java change:

  1. Compilation error: getFilesWithSuffix doesn't declare throws IOException, so throw new IOException(...) in its body causes a compile error.
  2. Logic error: resourceAsFile is a temporary file created by IOUtils.getResourceAsFile() in the system temp directory — its path will never start with folderToScan, so the validation would always throw and break normal jar-mode execution.

The good news is the actual Zip Slip fix in ResourceResolver.java is correct and compiles fine — it already fully protects the code. The change to TableDefinitionReader.java should simply be reverted.

Here is the corrected TableDefinitionReader.java with that block removed:

private List<File> getFilesWithSuffix(String folderToScan, String fileEndsWith) {

    List<File> files = new ArrayList<>();

    String fileSeparatorInJarFile = "/";

    log.trace("Will try to find this folder on disk: " + folderToScan);
    File dirOnDisk = null;
    try {
        dirOnDisk = IOUtils.getFile(this.getClass().getClassLoader(), folderToScan);
    } catch (RuntimeException e) {
        // Folder could not be resolved on disk; fall through to the jar lookup below.
    }
    if (dirOnDisk != null && dirOnDisk.exists()) {
        log.trace("folder exists on disk: " + folderToScan);
        try {
            Files.list(Paths.get(dirOnDisk.getAbsolutePath()))
                .filter(path -> StringUtils.endsWith(path.toString(), fileEndsWith))
                .forEach(path -> files.add(
                    IOUtils.getResourceAsFile(path.toString(),
                        TABLE_NAME_MARKER + StringUtils.substringAfterLast(path.toString(), File.separator))
                ));
        } catch (IOException e) {
            e.printStackTrace();
        }

    } else {
        log.trace("Folder does not exist on disk. Will look in jar file for table definitions using path: " + folderToScan);
        List<String> matchingJarEntries = ResourceResolver.getMatchingJarEntries(OSUtils.adaptFilePath(folderToScan, fileSeparatorInJarFile));
        if (matchingJarEntries != null) {
            log.trace("Found " + matchingJarEntries.size() + " jar entries.");
            for (String matchingJarEntry : matchingJarEntries) {
                String tempFileName = TABLE_NAME_MARKER + StringUtils.substringAfterLast(matchingJarEntry, fileSeparatorInJarFile);
                log.trace("Adding matching jar entry: " + matchingJarEntry + ". Name to be used for temp file: " + tempFileName);
                File resourceAsFile = IOUtils.getResourceAsFile(fileSeparatorInJarFile + matchingJarEntry, tempFileName);
                // NOTE: No path check here — Zip Slip is already prevented upstream in
                // ResourceResolver.getMatchingJarEntries() before entries are returned.
                log.trace("resource as file: " + resourceAsFile.getAbsolutePath());
                files.add(resourceAsFile);
            }
        }
    }

    log.info("Found " + files.size() + " files at location: " + folderToScan);

    return files;

}

And the ResourceResolver.java stays exactly as it is in the PR (no changes needed — it compiles and the logic is correct).

In summary: just revert the 4 added lines in TableDefinitionReader.java. The security fix is fully covered by ResourceResolver.java alone.

🐇 (╯°□°)╯

Revert the 4 added lines in TableDefinitionReader.java that cause both the compile error and a logic error; keep ResourceResolver.java unchanged.


The requested changes have been implemented and a pull request has been created: View PR

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@core/src/main/java/org/imec/ivlab/core/kmehr/tables/TableDefinitionReader.java`:
- Around line 274-277: The path traversal validation on line 276 is checking the
wrong thing: it validates the extracted temp file path (resourceAsFile) against
folderToScan, but these don't have a parent-child relationship for valid jar
resources, causing all valid resources to be rejected. Instead of validating
resourceAsFile's path, validate the jar entry name directly for directory
traversal patterns (such as containing ".." or starting with "/"). Additionally,
the IOException being thrown will cause a compilation error if not caught or
declared in the method signature, so ensure proper error handling.

In `@core/src/main/java/org/imec/ivlab/core/util/ResourceResolver.java`:
- Around line 92-96: The startsWithIgnoreCase check on line 92 in the
ResourceResolver class allows sibling entries with matching text prefixes (e.g.,
kmehr/tables-old matching kmehr/tables) to pass through, which then fails the
normalized path check on lines 94-95 and aborts the entire scan. Replace the
loose text prefix check with the normalized path comparison logic as the actual
match predicate instead of using it only for validation, and instead of throwing
an exception when a non-contained entry is found, skip it by continuing to the
next iteration of the loop.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c5a9a018-703b-409a-a601-1368ff947b76

📥 Commits

Reviewing files that changed from the base of the PR and between f16678e and a5b9a16.

📒 Files selected for processing (2)
  • core/src/main/java/org/imec/ivlab/core/kmehr/tables/TableDefinitionReader.java
  • core/src/main/java/org/imec/ivlab/core/util/ResourceResolver.java

Comment on lines +274 to +277
// Validate the resource file path to prevent directory traversal
if (!resourceAsFile.toPath().normalize().startsWith(new File(folderToScan).toPath().normalize())) {
throw new IOException("Invalid resource file path: " + resourceAsFile.getAbsolutePath());
}


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Validate the jar entry name, not the extracted temp file path.

Line 276 introduces an uncaught checked IOException, so this method will not compile. Also, resourceAsFile is the extracted/temp file from IOUtils.getResourceAsFile(...), not a child of the classpath folder string in folderToScan, so valid jar resources will be rejected.

Proposed fix
-                    File resourceAsFile = IOUtils.getResourceAsFile(fileSeparatorInJarFile + matchingJarEntry, tempFileName);
-                    // Validate the resource file path to prevent directory traversal
-                    if (!resourceAsFile.toPath().normalize().startsWith(new File(folderToScan).toPath().normalize())) {
-                        throw new IOException("Invalid resource file path: " + resourceAsFile.getAbsolutePath());
-                    }
+                    Path normalizedFolderToScan = Paths.get(OSUtils.adaptFilePath(folderToScan, fileSeparatorInJarFile)).normalize();
+                    Path normalizedJarEntry = Paths.get(matchingJarEntry).normalize();
+                    if (!normalizedJarEntry.startsWith(normalizedFolderToScan)) {
+                        throw new IllegalArgumentException("Invalid jar entry: " + matchingJarEntry);
+                    }
+                    File resourceAsFile = IOUtils.getResourceAsFile(fileSeparatorInJarFile + matchingJarEntry, tempFileName);
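
Review bot: The `throw new IllegalArgumentException(...)` in the added lines ends the loop on the first entry that fails the check, so a single unexpected entry means no table definitions are returned at all; logging the entry and using `continue` would keep the valid ones. `normalizedFolderToScan` does not depend on `matchingJarEntry`, so it can be computed once before the loop rather than on every iteration. The comparison also assumes `folderToScan` is relative: `matchingJarEntry` is used as a relative name (it is prefixed with `fileSeparatorInJarFile` in the last line), so a `folderToScan` that begins with a separator would produce an absolute base path and `startsWith` would reject every entry.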

Comment thread core/src/main/java/org/imec/ivlab/core/util/ResourceResolver.java Outdated
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
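
An added example, not code from this PR or the project: a stand-alone sketch of the approach the review suggests for ResourceResolver, using the normalized, component-wise path comparison as the match predicate and skipping entries outside the prefix instead of throwing. The class JarEntryFilter, the method entriesUnder and the sample entry names are hypothetical, and the prefix is assumed to be a relative path.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical helper; not part of the evs code base.
public class JarEntryFilter {

    // Returns the entry names that lie strictly inside `prefix` (assumed relative).
    // Entries that fall outside are skipped, so one bad entry does not abort the scan.
    static List<String> entriesUnder(List<String> entryNames, String prefix) {
        Path base = Paths.get(prefix).normalize();
        List<String> accepted = new ArrayList<>();
        for (String name : entryNames) {
            // Jar entry names are relative and use "/" as separator.
            if (name.startsWith("/") || name.contains("\\")) {
                continue;
            }
            Path candidate;
            try {
                candidate = Paths.get(name).normalize();
            } catch (InvalidPathException e) {
                continue; // name is not a legal path on this platform
            }
            // Path.startsWith compares whole name elements, so "kmehr/tables-old"
            // is not under "kmehr/tables", and "kmehr/tables/../../x" normalizes
            // to "x" and is skipped as well. Unlike startsWithIgnoreCase, this
            // comparison is case-sensitive on Unix-like systems.
            if (candidate.startsWith(base) && !candidate.equals(base)) {
                accepted.add(name);
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed sample entry names, not taken from the project's jar.
        List<String> names = Arrays.asList(
            "kmehr/tables/CD-EXAMPLE.xml",
            "kmehr/tables-old/CD-EXAMPLE.xml",
            "kmehr/tables/../../outside.xml",
            "/kmehr/tables/absolute.xml",
            "kmehr/tables/sub/./nested.xml");
        System.out.println(entriesUnder(names, "kmehr/tables"));
    }
}
```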