[javasecurity:S6096] Zip slip reported when prevented using Java NIO

Make sure to read this post before raising a thread here:

Then tell us:

  • What language is this for?
    • Java
  • Which rule?
    • javasecurity:S6096
  • Why do you believe it’s a false-positive?
    • It is prevented by checking normalized path with targetDirectory path as described here
  • Are you using
    • SonarQube - Enterprise Edition Version 10.2 (build 77647)
  • How can we reproduce the problem?
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public class Example {

    private static final String targetDirectory = "/example/directory/";

    public void extractEntry(ZipFile zipFile) throws IOException {

        Enumeration<? extends ZipEntry> entries = zipFile.entries();
        while (entries.hasMoreElements()) {
            ZipEntry entry = entries.nextElement();
            String name = entry.getName();
            String dest = targetDirectory + name;
            // Two-step check: normalize the destination, then require it to stay
            // inside the (normalized) target directory.
            if (!Path.of(dest).normalize().startsWith(Path.of(targetDirectory).normalize())) {
                throw new IOException("Entry is outside of the target dir.");
            }
            try (InputStream zis = zipFile.getInputStream(entry);
                 FileOutputStream fos = new FileOutputStream(dest)) {
                byte[] readBuffer = new byte[4096];
                int bytesIn;
                while ((bytesIn = zis.read(readBuffer)) != -1) {
                    fos.write(readBuffer, 0, bytesIn);
                }
            }
        }
    }
}
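To make the two-step validation the thread is about concrete, here is an added, self-contained example (not the reporter's code and not part of the thread) that isolates the check into one method and runs it over a few constructed entry names. The class name `SafeZipPath`, the method `resolveEntry` and the sample names are assumptions for illustration; the example assumes Unix-style paths. It also shows why `Path.startsWith` (component-wise) is the right comparison rather than `String.startsWith`: a sibling directory that merely shares the prefix, such as `/example/directoryEvil`, is still rejected.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.List;

public class SafeZipPath {

    // Step 1: resolve the entry name against the target directory and normalize it
    //         (collapses "." and "..").
    // Step 2: require the normalized result to still lie inside the target directory.
    // Path.startsWith compares whole path components, so "/example/directoryEvil"
    // does NOT start with "/example/directory", unlike a plain string prefix test.
    static Path resolveEntry(Path targetDir, String entryName) throws IOException {
        Path base = targetDir.toAbsolutePath().normalize();
        Path dest = base.resolve(entryName).normalize();
        if (!dest.startsWith(base)) {
            throw new IOException("Zip entry is outside of the target dir: " + entryName);
        }
        return dest;
    }

    public static void main(String[] args) {
        Path target = Path.of("/example/directory");
        // Constructed entry names for demonstration; not taken from any real archive.
        List<String> names = List.of(
            "docs/readme.txt",         // accepted: stays under the target
            "a/../b.txt",              // accepted: normalizes to b.txt
            "../../etc/passwd",        // rejected: ".." escapes the target
            "/etc/passwd",             // rejected: absolute entry name replaces the base
            "../directoryEvil/x.txt"); // rejected: sibling dir sharing only a string prefix
        for (String name : names) {
            try {
                System.out.println("OK       " + name + " -> " + resolveEntry(target, name));
            } catch (IOException e) {
                System.out.println("REJECTED " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Keeping the check in one method returning the validated `Path` means every write uses the same object that was checked, so the validation and the file write cannot drift apart. As the answer below notes, the analyzer currently does not model this normalize-then-compare pattern as a sanitizer, so such code is still reported under S6096 even though the traversal is blocked.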

Answered here by @Pierre-Loup_Tristant:

Hi Dave562,

Yes, this is the correct answer. I somehow replied to the wrong thread, sorry about that.

The limitation is related to validators of path-traversal-like vulnerabilities (S2083 and S6096). It doesn’t affect other rules. The “universal” way to protect against path traversal happens in two steps: compute the normalized/canonical path, then make sure this path is not located outside of the destination folder. As of today the engine does not correctly support this two-step validation and it leads to false positives. I don’t know when we will be able to overcome this limitation.


Hello @Pierre-Loup_Tristant,

thanks for the explanation. I don’t have access to the linked Jira, but I understand the limitation now.