SonarQube Version:
- Enterprise Edition
- Version 9.9.3 (build 79811)
Why does SonarQube still report a vulnerability after I made the changes it suggested? SonarQube recommended checking the zip file before processing it, so I implemented a separate method that validates the zip file. Here is the code that processes the zip file after validation.
// NOTE(review): ValidateZipFile never returns false — it either returns true or throws IOException
// when a limit is exceeded — so the rejection path is the exception, not this branch. Verify that
// the caller catches IOException around this call.
bool isValidFile = ValidateZipFile(path, fileName);
if (isValidFile) {
processing the file...........
}
ValidateZipFile method:
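/// <summary>
/// Opens the archive at <paramref name="path"/> + <paramref name="fileName"/> and fully inflates
/// every entry, rejecting archives whose expansion crosses fixed resource limits (zip-bomb guard).
/// Only inflated byte counts are trusted; the header-declared sizes are never used for the decision.
/// </summary>
/// <param name="path">Directory part of the archive location; concatenated as-is with <paramref name="fileName"/>.</param>
/// <param name="fileName">File-name part of the archive location.</param>
/// <returns>
/// <see langword="true"/> when every limit is respected. The method never returns
/// <see langword="false"/>; a rejected archive is reported by throwing.
/// </returns>
/// <exception cref="IOException">
/// Thrown when the archive holds more than one entry, when the total inflated size exceeds
/// <c>ThresholdSize</c>, or when an entry's inflated/compressed ratio exceeds <c>ThresholdRatio</c>.
/// </exception>
private bool ValidateZipFile(string path, string fileName)
{
    const long ThresholdSize = 1_000_000_000L;  // max total inflated bytes across all entries
    const double ThresholdRatio = 10;           // max inflated/compressed ratio per entry
    const int MaxEntries = 1;                   // the archive must hold a single entry
    const int BufferSize = 1024;

    // long: an int counter would wrap past 2 GiB before a deferred size check could fire.
    long totalSizeArchive = 0;
    int totalEntryArchive = 0;

    // NOTE(review): fileName is concatenated unvalidated; the caller must ensure it cannot carry
    // path separators or ".." segments. Opened read-only since the method only inspects the file.
    using (var zipToOpen = new FileStream(path + fileName, FileMode.Open, FileAccess.Read))
    using (var archive = new ZipArchive(zipToOpen, ZipArchiveMode.Read))
    {
        byte[] buffer = new byte[BufferSize];

        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            // Reject surplus entries before spending any work inflating them.
            totalEntryArchive++;
            if (totalEntryArchive > MaxEntries)
            {
                throw new IOException("Too many entries in the archive.");
            }

            using (Stream st = entry.Open())
            {
                long totalSizeEntry = 0;
                int numBytesRead;
                while ((numBytesRead = st.Read(buffer, 0, buffer.Length)) > 0)
                {
                    totalSizeEntry += numBytesRead;
                    totalSizeArchive += numBytesRead;

                    // Checked per chunk, so inflation stops at the limit instead of after the
                    // whole entry has already been decompressed.
                    if (totalSizeArchive > ThresholdSize)
                    {
                        throw new IOException("Uncompressed data size exceeds the threshold ");
                    }

                    // A zero CompressedLength with inflated bytes present is treated as an
                    // unbounded ratio (double division by zero yields +Infinity, made explicit here).
                    double compressionRatio = entry.CompressedLength == 0
                        ? double.PositiveInfinity
                        : (double)totalSizeEntry / entry.CompressedLength;
                    if (compressionRatio > ThresholdRatio)
                    {
                        throw new IOException("Zip Bomb Attack detected. CompressionRation exceed the threshold ratio ");
                    }
                }
            }
        }
    }

    return true;
}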