Lessons - Java

Lessons learnt from the source code reviews collected here, for Java code.

Apache Pulsar:

When reviewing similar code, here are the red flags and fix patterns you should apply:

Check how file paths are constructed.

  • If you see new File(base, entryName), ask: what if entryName contains ../?

  • Resolve the name with Path.resolve() followed by normalize(), then apply a boundary check. Note that resolve() returns an absolute argument unchanged, so an entry named /etc/passwd escapes too; only the boundary check catches both cases.

Always enforce extraction boundaries.

  • After normalization, verify target.startsWith(base) using Path.startsWith, which compares whole path components. A String.startsWith check is not equivalent: it accepts /opt/app-evil for a base of /opt/app.

Prefer ZipFile over JarFile when unpacking archives.

  • JarFile extends ZipFile and adds manifest and signature handling; when you only need the entries, ZipFile is the general-purpose class. Neither validates entry names, so the boundary check is yours either way.

Log and abort on malicious input.

  • Don't silently skip invalid entries; treat one bad entry as a hostile archive, log it, and fail early before anything is written.

Security smells in the old code:

  • No validation of entry names before they are turned into file paths.

  • Trusting archive contents blindly.
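The fix patterns above and the smell of passing an entry name straight into new File(base, entryName), as one worked example. This is added illustration code, not Pulsar's code or the reviewed patch: the class name SafeUnzip, the method names, and the sample archive (built in memory with one benign entry and one ../ entry) are assumptions for the demo. It validates every entry name against the extraction root before writing anything, so a hostile archive leaves no files behind.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

public final class SafeUnzip {

    /** The smell: the entry name is trusted, so "../../x" lands outside base. */
    static Path unsafeTarget(Path base, String entryName) {
        return new java.io.File(base.toFile(), entryName).toPath();
    }

    /**
     * Resolve one entry name against the extraction root and reject anything
     * that would land outside it. Throws rather than skipping, so one bad entry
     * aborts the whole extraction.
     */
    static Path resolveInside(Path root, String entryName) throws IOException {
        Path target = root.resolve(entryName).normalize();
        // Path.startsWith compares whole components: "/opt/app-evil" does not
        // pass for root "/opt/app", which a String.startsWith check would allow.
        if (!target.startsWith(root)) {
            throw new IOException("zip entry escapes extraction root: " + entryName);
        }
        return target;
    }

    /** Two passes: validate every name first, then write. Nothing touches disk if any entry is bad. */
    static void extract(Path archive, Path base) throws IOException {
        Path root = base.toAbsolutePath().normalize();
        try (ZipFile zip = new ZipFile(archive.toFile())) {
            List<ZipEntry> entries = new ArrayList<>();
            Enumeration<? extends ZipEntry> en = zip.entries();
            while (en.hasMoreElements()) {
                ZipEntry entry = en.nextElement();
                resolveInside(root, entry.getName()); // fail early on the first bad name
                entries.add(entry);
            }
            for (ZipEntry entry : entries) {
                Path target = resolveInside(root, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                try (InputStream in = zip.getInputStream(entry)) {
                    Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    /** Constructed sample archive: one benign entry and one traversal entry. */
    static Path writeSampleArchive(Path dir) throws IOException {
        Path archive = dir.resolve("sample.zip");
        try (OutputStream os = Files.newOutputStream(archive);
             ZipOutputStream zos = new ZipOutputStream(os)) {
            zos.putNextEntry(new ZipEntry("ok/hello.txt"));
            zos.write("hello".getBytes());
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../escaped.txt"));
            zos.write("owned".getBytes());
            zos.closeEntry();
        }
        return archive;
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("unzip-demo");
        Path out = tmp.resolve("out");
        Path archive = writeSampleArchive(tmp);

        // What the old pattern would have written to for the hostile entry.
        System.out.println("unsafe target: " + unsafeTarget(out, "../../escaped.txt").normalize());

        try {
            extract(archive, out);
            System.out.println("extracted (unexpected)");
        } catch (IOException e) {
            System.out.println("aborted: " + e.getMessage());
        }
        // The benign entry was validated but never written, because validation runs before any write.
        System.out.println("out/ok/hello.txt written? " + Files.exists(out.resolve("ok/hello.txt")));
    }
}
```

Run it with `java SafeUnzip.java` (JDK 11 or later): the unsafe target resolves to a path two levels above the extraction root, the hardened extract() aborts on the ../ entry, and no file is written under out/ because the name check runs over the whole archive before the first copy.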
