Mitigate security issue 163 (!23297) · Merge requests · Warren Gifford / sourcegraph

Warren Gifford requested to merge olafurpg/jvm-security into main Jul 28, 2021

Created by: olafurpg

Previously, we shelled out to the unzip command-line tool to extract sources from a JVM dependency source jar. Now, we use the Go stdlib zip package instead. For security reasons, we don't extract files

that are under the .git/ directory (can include pre-commit hooks).
that extract outside the target directory. Addresses the most urgent security concerns from https://github.com/sourcegraph/security-issues/issues/163

Mitigate security issue 163

Merge request reports