SonarQube security hotspot
TheSlackOne opened this issue · 4 comments
How do you understand this warning?
In my honest opinion it's not related to zip_open. It's about how someone can compress e.g. GB of zeros, which can end up as a very tiny zip archive but after unzipping it's full of garbage.
So, be careful how/where you compress your data, but it's not related to this particular call.
Moreover, in your example you're compressing data, you're passing inFiles, so it's your app's responsibility to check whether these files are garbage or not.
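The risk described in the comment above (a small archive that declares or expands to a huge amount of data) is something the application using the library has to check itself. The following is an added example, not code from this issue or from the zip project, written in Python with the standard `zipfile` module so it runs stand-alone: it builds a constructed sample archive containing one ordinary text entry and one entry of 1 MiB of zeros, then shows two defensive checks. `inspect_archive` flags entries whose declared compression ratio exceeds a policy limit, and `extract_bounded` enforces a byte budget while actually inflating the data, because the sizes in the central directory are untrusted hints. The limits `MAX_RATIO` and `MAX_TOTAL_BYTES` are hypothetical values chosen for the example.

```python
import io
import zipfile

# Hypothetical policy limits for the example; tune them per application.
MAX_RATIO = 100                    # declared uncompressed/compressed ratio
MAX_TOTAL_BYTES = 256 * 1024 * 1024  # total bytes we are willing to inflate


def build_sample_archive() -> bytes:
    """Constructed sample input: one small text entry plus 1 MiB of zeros,
    which DEFLATE shrinks to about a kilobyte (the pattern the hotspot warns about)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello from a small, ordinary entry\n")
        zf.writestr("zeros.bin", b"\x00" * (1024 * 1024))
    return buf.getvalue()


def inspect_archive(data: bytes, max_ratio: float = MAX_RATIO,
                    max_total: int = MAX_TOTAL_BYTES):
    """Cheap pre-check using the central directory only.

    Returns (ok, findings); findings lists entries that violate the policy.
    The sizes come from the archive itself, so treat a clean result as a
    hint, not proof, and still enforce a budget while extracting."""
    findings = []
    declared_total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            declared_total += info.file_size
            comp = max(info.compress_size, 1)      # avoid division by zero
            ratio = info.file_size / comp
            if ratio > max_ratio:
                findings.append((info.filename, f"ratio {ratio:.0f} exceeds {max_ratio}"))
    if declared_total > max_total:
        findings.append(("<archive>", f"declared total {declared_total} exceeds {max_total}"))
    return (not findings, findings)


def extract_bounded(data: bytes, max_total: int = MAX_TOTAL_BYTES,
                    chunk_size: int = 64 * 1024) -> dict:
    """Inflate every entry in chunks, counting real output bytes.

    Returns {entry name: bytes inflated}. Raises ValueError as soon as the
    cumulative inflated size passes max_total, regardless of what the
    headers claimed. Output is discarded here; a real extractor would write
    each chunk to its destination file instead."""
    written = 0
    sizes = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry_bytes = 0
            with zf.open(info, "r") as src:
                while True:
                    chunk = src.read(chunk_size)
                    if not chunk:
                        break
                    entry_bytes += len(chunk)
                    written += len(chunk)
                    if written > max_total:
                        raise ValueError(
                            f"inflated output exceeded budget of {max_total} bytes "
                            f"while extracting {info.filename}")
            sizes[info.filename] = entry_bytes
    return sizes


if __name__ == "__main__":
    sample = build_sample_archive()
    ok, findings = inspect_archive(sample)
    print("archive accepted:", ok)
    for name, reason in findings:
        print(f"  {name}: {reason}")
    try:
        print(extract_bounded(sample, max_total=512 * 1024))
    except ValueError as exc:
        print("extraction aborted:", exc)
```

Running the block prints that the sample archive is rejected because `zeros.bin` has a ratio in the hundreds, and that extraction with a 512 KiB budget is aborted partway through that entry. The two checks are complementary: the ratio test is cheap and runs before any inflation, while the budget is what actually protects disk and memory if the headers lie.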
Yes, agreed, and it is trusted data. I just wonder if I could do something from the zip_open() call, like passing a flag, to avoid the security hotspot warning.
No, because this warning is very informative/generic.
SonarQube didn't analyze the zip library, it just posted some info related to zip archives from its DB (the same stuff you can find for some PHP library: https://rules.sonarsource.com/php/RSPEC-5042).
I would recommend trying real static analysis tools, like cppcheck, infer, the clang static analyzer or PVS-Studio.
Thank you, Kuba, I appreciate your input.