Creates empty ZIP file entry
ID: java/empty-zip-file-entry
Kind: problem
Security severity:
Severity: warning
Precision: medium
Tags:
- quality
- reliability
- correctness
Query suites:
- java-security-and-quality.qls
The ZipOutputStream class is used to write ZIP files to a file or other stream. A ZIP file consists of a number of entries. Usually each entry corresponds to a file in the directory structure being zipped. There is a method on ZipOutputStream that is slightly confusingly named putNextEntry. Despite its name, it does not write a whole entry. Instead, it writes the metadata for an entry. The content for that entry is then written using the write method. Finally the entry is closed using closeEntry.
Therefore, if you call putNextEntry and closeEntry but omit the call to write, an empty ZIP file entry is written to the output stream.
Recommendation
Ensure that you include a call to ZipOutputStream.write.
Example
In the following example, the archive method calls putNextEntry and closeEntry but the call to write is left out.
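```java
import java.io.BufferedOutputStream;
import java.io.Closeable;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

class Archive implements Closeable {
    private ZipOutputStream zipStream;

    public Archive(File zip) throws IOException {
        OutputStream stream = new FileOutputStream(zip);
        stream = new BufferedOutputStream(stream);
        zipStream = new ZipOutputStream(stream);
    }

    public void archive(String name, byte[] content) throws IOException {
        ZipEntry entry = new ZipEntry(name);
        zipStream.putNextEntry(entry);
        // Missing call to 'write'
        zipStream.closeEntry();
    }

    public void close() throws IOException {
        zipStream.close();
    }
}
```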
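The following is an added example, not part of the original query help or the CodeQL repository. It shows the corrected call sequence next to a read-back check that lists file entries containing no bytes. The class name `ZipEntryCheck`, the helpers `archiveWithoutWrite` and `emptyEntries`, and the sample entry names are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipEntryCheck {
    // Corrected counterpart of archive(): metadata, then content, then close.
    static void archive(ZipOutputStream zip, String name, byte[] content) throws IOException {
        zip.putNextEntry(new ZipEntry(name));
        zip.write(content, 0, content.length); // the call the flagged code omits
        zip.closeEntry();
    }

    // Hypothetical helper reproducing the flagged pattern so the check has something to find.
    static void archiveWithoutWrite(ZipOutputStream zip, String name) throws IOException {
        zip.putNextEntry(new ZipEntry(name));
        zip.closeEntry();
    }

    // Reads an archive back and returns the names of file entries that hold no bytes.
    static List<String> emptyEntries(byte[] zipBytes) throws IOException {
        List<String> empty = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                // Directory entries are legitimately empty; read() returns -1 at end of entry.
                if (!e.isDirectory() && in.read() == -1) {
                    empty.add(e.getName());
                }
            }
        }
        return empty;
    }

    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(buffer)) {
            // Constructed sample entries: one written correctly, one without content.
            archive(zip, "config.txt", "mode=strict\n".getBytes(StandardCharsets.UTF_8));
            archiveWithoutWrite(zip, "audit.log");
        }
        System.out.println("Empty entries: " + emptyEntries(buffer.toByteArray()));
    }
}
```

A check like `emptyEntries` is useful in tests for backup or log-archiving code, where an entry that exists but carries no data can otherwise pass unnoticed until a restore is attempted.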
References
Java API Specification: ZipOutputStream.