Skip to content

yup#89

Open
lakeyscott wants to merge 1826 commits into
gh-pagesfrom
master
Open

yup#89
lakeyscott wants to merge 1826 commits into
gh-pagesfrom
master

Conversation

@lakeyscott

Copy link
Copy Markdown

@CLAassistant

CLAassistant commented Jul 15, 2018

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


城西 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission, we really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


城西 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-advanced-security

Copy link
Copy Markdown

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Comment on lines +57 to +60
<repository>
<id>releases</id>
<url>http://mvnrepo.alibaba-inc.com/mvn/releases</url>
</repository>

Check failure

Code scanning / CodeQL

Failure to use HTTPS or SFTP URL in Maven artifact upload/download

Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://mvnrepo.alibaba-inc.com/mvn/releases
Comment on lines +61 to +64
<snapshotRepository>
<id>snapshots</id>
<url>http://mvnrepo.alibaba-inc.com/mvn/snapshots</url>
</snapshotRepository>

Check failure

Code scanning / CodeQL

Failure to use HTTPS or SFTP URL in Maven artifact upload/download

Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://mvnrepo.alibaba-inc.com/mvn/snapshots
DebugUtil.tsi("luaviewp-unpackBundle-zip");
while ((entry = zipStream.getNextEntry()) != null) {
// 处理../ 这种方式只能使用单层路径,不能处理子目录,在这里可以添加公用path
rawName = entry.getName();

Check failure

Code scanning / CodeQL

Arbitrary file access during archive extraction ("Zip Slip")

Unsanitized archive entry, which may contain '..', is used in a [file system operation](1). Unsanitized archive entry, which may contain '..', is used in a [file system operation](2).
if (entry.isDirectory()) {
filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName);
File dir = new File(filePath);
if (!dir.exists()) {

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression

This path depends on a [user-provided value](1).
filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName);
File dir = new File(filePath);
if (!dir.exists()) {
dir.mkdir();

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression

This path depends on a [user-provided value](1).
if (cipher == null) {
final SecretKeySpec skeySpec = new SecretKeySpec(keys, ALGORITHM_AES);
final IvParameterSpec ivParameterSpec = new IvParameterSpec(cIv);
cipher = Cipher.getInstance(ALGORITHM_AES);

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm

Cryptographic algorithm [AES/CBC/PKCS5Padding](1) is insecure. CBC mode with PKCS#5 or PKCS#7 padding is vulnerable to padding oracle attacks. Consider using GCM instead.
final SecretKeySpec skeySpec = new SecretKeySpec(keys, ALGORITHM_AES);
final IvParameterSpec ivParameterSpec = new IvParameterSpec(cIv);
cipher = Cipher.getInstance(ALGORITHM_AES);
cipher.init(Cipher.DECRYPT_MODE, skeySpec, ivParameterSpec);

Check failure

Code scanning / CodeQL

Using a static initialization vector for encryption

A [static initialization vector](1) should not be used for encryption.

public long skip(long n) throws IOException {
final long k = Math.min(n, j - i);
i += k;

Check failure

Code scanning / CodeQL

Implicit narrowing conversion in compound assignment

Implicit cast of source type long to narrower destination type [int](1).

void reserveregs(int n) {
this.checkstack(n);
this.freereg += n;

Check failure

Code scanning / CodeQL

Implicit narrowing conversion in compound assignment

Implicit cast of source type int to narrower destination type [short](1).
<!--shake-->
<uses-permission android:name="android.permission.VIBRATE"/>
<uses-sdk android:minSdkVersion="14"/>
<application android:allowBackup="true" android:label="@string/app_name" tools:replace="android:allowBackup,android:label" android:debuggable="true">

Check failure

Code scanning / CodeQL

Android debuggable attribute enabled

The 'android:debuggable' attribute is enabled.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants