Make sure to read this post before raising a thread here:
Then tell us:
- What language is this for: Java
- Which rule: S6096
- Why do you believe it's a false-positive/false-negative? A Zip Slip vulnerability is impossible when using the entry name as a prefix or suffix for a file created by Files.createTempFile, according to the Javadoc: Files (Java SE 17 & JDK 17)
- Are you using: SonarQube Server - Enterprise Edition v2025.1 (102418)
- How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots):
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.nio.charset.StandardCharsets;
    import java.nio.file.Files;
    import java.nio.file.Path;
    import java.nio.file.StandardCopyOption;
    import java.util.zip.ZipEntry;
    import java.util.zip.ZipInputStream;

    public class Example {
        public Path unzip(File zip) throws IOException {
            try (ZipInputStream zis = new ZipInputStream(new FileInputStream(zip), StandardCharsets.UTF_8)) {
                ZipEntry ze = zis.getNextEntry();
                if (ze != null) {
                    /* This line uses the entry name as a suffix for the name of a new temporary file.
                     * This file will be created in the default temporary folder according to the Javadoc,
                     * and createTempFile throws an IllegalArgumentException if the prefix or suffix cannot be
                     * used to generate a candidate file name (e.g. the entry name contains a path separator).
                     */
                    Path unzippedFilePath = Files.createTempFile("unzipped", ze.getName());
                    // createTempFile already created the (empty) file, so the copy must be allowed to replace it;
                    // without REPLACE_EXISTING, Files.copy would throw FileAlreadyExistsException.
                    Files.copy(zis, unzippedFilePath, StandardCopyOption.REPLACE_EXISTING);
                    return unzippedFilePath;
                } else {
                    return null;
                }
            }
        }
    }
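Added example (not part of the original report and not SonarSource code): a stand-alone Java program that builds a small zip archive in memory with one benign entry and one entry whose name contains `../` (constructed sample data), then runs two extraction strategies over it. The first is the temp-file pattern from the report: `Files.createTempFile` builds the candidate name as `prefix + random + suffix` and rejects any result that is not a simple file name, so a traversal entry name never reaches the file system and surfaces as an `IllegalArgumentException`. The second is the conventional Zip Slip guard for extracting into a caller-chosen directory (resolve, normalize, then require the result to stay under the target directory), which is the pattern S6096 expects to see. Class, method and entry names are the example's own choices.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipTempFileDemo {

    // Constructed sample archive: one benign entry and one with a traversal name.
    static byte[] buildArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos, StandardCharsets.UTF_8)) {
            zos.putNextEntry(new ZipEntry("safe.txt"));
            zos.write("hello".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../evil.txt"));
            zos.write("pwned".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    // Pattern from the report: the entry name becomes the suffix of a temp file.
    // createTempFile generates "<prefix><random><suffix>" in the default temp
    // directory and throws IllegalArgumentException when that string is not a
    // simple file name, i.e. when the suffix contains a path separator.
    static Path extractToTempFile(ZipInputStream zis, ZipEntry ze) throws IOException {
        Path tmp = Files.createTempFile("unzipped", ze.getName());
        // The temp file already exists, so the copy must be allowed to replace it.
        Files.copy(zis, tmp, StandardCopyOption.REPLACE_EXISTING);
        return tmp;
    }

    // Conventional guard for extracting into a directory of the caller's choice:
    // resolve, normalize, and require the result to remain under the target directory.
    static Path safeResolve(Path targetDir, String entryName) throws IOException {
        Path target = targetDir.resolve(entryName).normalize();
        if (!target.startsWith(targetDir)) {
            throw new IOException("Zip Slip attempt blocked: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        byte[] archive = buildArchive();
        Path extractDir = Files.createTempDirectory("extract").toAbsolutePath().normalize();

        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(archive), StandardCharsets.UTF_8)) {
            ZipEntry ze;
            while ((ze = zis.getNextEntry()) != null) {
                String name = ze.getName();

                // 1. Temp-file pattern: the traversal name is rejected before any file is touched.
                try {
                    Path tmp = extractToTempFile(zis, ze);
                    System.out.println(name + " -> written to temp file " + tmp);
                    Files.delete(tmp);
                } catch (IllegalArgumentException e) {
                    System.out.println(name + " -> rejected by createTempFile: " + e.getMessage());
                }

                // 2. Directory pattern: explicit containment check on the resolved path.
                try {
                    Path target = safeResolve(extractDir, name);
                    System.out.println(name + " -> would extract to " + target);
                } catch (IOException e) {
                    System.out.println(name + " -> " + e.getMessage());
                }
            }
        }
        Files.delete(extractDir);
    }
}
```

Running it prints that `safe.txt` is accepted by both strategies, while `../../evil.txt` is rejected by `createTempFile` with "Invalid prefix or suffix" and by the containment check. Note that `getNextEntry()` skips any unread data of the previous entry, so the rejected entry's bytes are discarded rather than bleeding into the next one.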