From d3970a5c62f34c36edf71b00fe9058f86f8c44aa Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sun, 28 Apr 2019 08:37:47 +0000
Subject: [PATCH] Fix various minor issues found by LGTM - Unnecessary boxing - Integer overflow - Path traversal via zip - Dangerous synchronization pattern
---
 .../player/controller/PodcastReceiverAdminController.java | 2 +-
 .../org/airsonic/player/controller/StreamController.java | 2 +-
 .../org/airsonic/player/controller/UploadController.java | 5 ++++-
 .../java/org/airsonic/player/monitor/MetricsManager.java | 2 +-
 4 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/airsonic-main/src/main/java/org/airsonic/player/controller/PodcastReceiverAdminController.java b/airsonic-main/src/main/java/org/airsonic/player/controller/PodcastReceiverAdminController.java
index ba0bf4ca..65354639 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/controller/PodcastReceiverAdminController.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/controller/PodcastReceiverAdminController.java
@@ -84,7 +84,7 @@ public class PodcastReceiverAdminController {
 }
 private void download(int[] episodeIds) {
- for (Integer episodeId : episodeIds) {
+ for (int episodeId : episodeIds) {
 PodcastEpisode episode = podcastService.getEpisode(episodeId, false);
 if (episode != null && episode.getUrl() != null && (episode.getStatus() == PodcastStatus.NEW ||
diff --git a/airsonic-main/src/main/java/org/airsonic/player/controller/StreamController.java b/airsonic-main/src/main/java/org/airsonic/player/controller/StreamController.java
index dd026721..d02d076c 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/controller/StreamController.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/controller/StreamController.java
@@ -311,7 +311,7 @@ public class StreamController {
 return file.getFileSize();
 }
- return duration * maxBitRate * 1000L / 8L;
+ return duration * (long)maxBitRate * 1000L / 8L;
 }
 private HttpRange getRange(HttpServletRequest request, MediaFile file) {
diff --git a/airsonic-main/src/main/java/org/airsonic/player/controller/UploadController.java b/airsonic-main/src/main/java/org/airsonic/player/controller/UploadController.java
index cf299e95..4e0ee662 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/controller/UploadController.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/controller/UploadController.java
@@ -173,6 +173,9 @@ public class UploadController {
 while (entries.hasMoreElements()) {
 ZipEntry entry = (ZipEntry) entries.nextElement();
 File entryFile = new File(file.getParentFile(), entry.getName());
+ if (!entryFile.toPath().normalize().startsWith(file.getParentFile().toPath())) {
+ throw new Exception("Bad zip filename: " + StringUtil.toHtml(entryFile.getPath()));
+ }
 if (!entry.isDirectory()) {
@@ -263,4 +266,4 @@ public class UploadController {
 }
 }
-}
\ No newline at end of file
+}
diff --git a/airsonic-main/src/main/java/org/airsonic/player/monitor/MetricsManager.java b/airsonic-main/src/main/java/org/airsonic/player/monitor/MetricsManager.java
index b0034259..8293b6cf 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/monitor/MetricsManager.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/monitor/MetricsManager.java
@@ -20,7 +20,7 @@ public class MetricsManager {
 // Main metrics registry
 private static final MetricRegistry metrics = new MetricRegistry();
- private static Boolean metricsActivatedByConfiguration = null;
+ private static volatile Boolean metricsActivatedByConfiguration = null;
 private static Object _lock = new Object(); // Potential metrics reporters
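Review bot: Nothing on the changed `return` in StreamController.java says why `maxBitRate` is cast, so a later cleanup could drop `(long)` as redundant and bring the int overflow back. A one-line comment above it would pin the intent, for example `// widen before multiplying: duration * maxBitRate can exceed Integer.MAX_VALUE`. The types of `duration` and `maxBitRate` are declared outside the hunk, so confirm that `duration` is not already a `long`, in which case the cast is harmless but unnecessary. The enclosing method starts above the hunk.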
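Review bot: In UploadController.java the added zip-entry check normalizes only the entry side; `file.getParentFile().toPath()` is used as the prefix as-is, and `Path.normalize()` is purely lexical, so it does not resolve symbolic links. If the upload directory path ever contains `.` or `..` segments, the element-wise `startsWith` stops matching and legitimate entries are rejected. Computing the base once before the loop, `Path base = file.getParentFile().toPath().toAbsolutePath().normalize();`, and testing `entryFile.toPath().toAbsolutePath().normalize().startsWith(base)` makes both sides comparable; comparing real (link-resolved) paths would additionally cover a link already present under the directory. `throw new Exception(...)` also aborts mid-archive, so whether earlier entries stay on disk and the zip handle gets closed depends on code outside this hunk; the `while` loop and its method start and end outside it.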
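Review bot: In MetricsManager.java the lock object on the context line right below the changed field is still a non-final static, `private static Object _lock = new Object();`, so the monitor the class synchronizes on can be reassigned; it should be `private static final Object _lock = new Object();`. Making `metricsActivatedByConfiguration` volatile only fixes visibility of the flag, presumably for a double-checked initialization that lies outside this hunk. The synchronized block itself is not visible here, so confirm that the flag is re-read inside it before it is assigned.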