Checker Zip

belongs to group Basic
Identify incorrect uses of zip and jar entries

Frameworks supported by this checker

  • java up to 11
  • android up to API level 28
  • dotnet

Warnings generated by this checker

  • EmptyJarEntryWarning: an empty jar entry is added to a jar file [ CWE909 ]
  • EmptyZipEntryWarning: an empty zip entry is added to a zip file [ CWE909 ]

Options accepted by this checker

  • none

Annotations understood by this checker

  • none


Description

The programmatic construction of zip or jar archives can be incorrect, for instance when empty entries are added to an archive. This checker looks for inconsistent operations in the creation of such archives.

Action: Check if, for instance, empty entries are added to a jar or zip archive.

The programmatic construction of zip or other archives can be incorrect, for instance when empty entries are added to an archive. This checker looks for inconsistent operations in the creation of such archives.

Action: Check if, for instance, empty entries are added to zip or other archives.

Examples

Consider the following Java program:

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.jar.JarOutputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

public class ZipCreator {
  public static void main(String[] args) {
    try (ZipOutputStream jos = new JarOutputStream(new FileOutputStream(new File("archive.jar")))) {
      ZipEntry entry = new ZipEntry("doc.txt");
      jos.putNextEntry(entry);
      jos.closeEntry();
    }
    catch (IOException e) {
      e.printStackTrace();
    }

    try (ZipOutputStream jos = new ZipOutputStream(new FileOutputStream(new File("archive.jar")))) {
      ZipEntry entry = new ZipEntry("doc.txt");
      jos.putNextEntry(entry);
      jos.closeEntry();
    }
    catch (IOException e) {
      e.printStackTrace();
    }

    try (JarOutputStream jos = new JarOutputStream(new FileOutputStream(new File("archive.jar")));
         FileInputStream fis = new FileInputStream(new File("test.txt"))) {

      ZipEntry entry = new ZipEntry("doc.txt");
      jos.putNextEntry(entry);

      byte[] buf = new byte[1024];
      int len;
      while((len = fis.read(buf)) > 0)
        jos.write(buf, 0, len);

      jos.closeEntry();
    }
    catch (IOException e) {
      e.printStackTrace();
    }
  }
}

This checker issues the following warnings:

ZipCreator.java:14: [Zip: EmptyJarEntryWarning] Empty entry added to jar file
ZipCreator.java:23: [Zip: EmptyZipEntryWarning] Empty entry added to zip file

because empty entries are added to a jar and a zip archive at lines 14 and 23, respectively. In this example, the programmer probably forgot to write content to these entries, as is done at lines 35-38.
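A runtime complement to the static check, as an added example that is not part of the checker or its documentation: it scans a finished archive and reports file entries that carry no content. The class name EmptyEntryAudit, the in-memory sample archive and the choice to treat directory entries as legitimately empty are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class EmptyEntryAudit {

  // Returns the names of non-directory entries that carry zero bytes of content.
  static List<String> findEmptyEntries(InputStream archive) throws IOException {
    List<String> empty = new ArrayList<>();
    try (ZipInputStream zis = new ZipInputStream(archive)) {
      byte[] buf = new byte[4096];
      for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
        // Count bytes by reading: getSize() can be -1 for streamed entries.
        long total = 0;
        for (int n; (n = zis.read(buf)) > 0; ) total += n;
        // Assumption: directory entries (names ending in "/") are expected to be empty.
        if (!e.isDirectory() && total == 0) empty.add(e.getName());
      }
    }
    return empty;
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample archive, built in memory so the example runs offline.
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ZipOutputStream zos = new ZipOutputStream(bos)) {
      zos.putNextEntry(new ZipEntry("docs/"));           // directory entry
      zos.closeEntry();
      zos.putNextEntry(new ZipEntry("docs/doc.txt"));    // empty file entry, the flagged pattern
      zos.closeEntry();
      zos.putNextEntry(new ZipEntry("docs/readme.txt")); // entry with content
      zos.write("Information about this package.".getBytes(StandardCharsets.UTF_8));
      zos.closeEntry();
    }
    List<String> empty = findEmptyEntries(new ByteArrayInputStream(bos.toByteArray()));
    System.out.println("Empty entries: " + empty);
    if (!empty.isEmpty()) System.exit(1); // non-zero exit lets a build step fail on empty entries
  }
}
```

Because a jar file is a zip archive, the same scan applies to the output of JarOutputStream.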

Consider the following C# program:

using System.IO;
using System.IO.Compression;

namespace DocumentationExamples
{

    class Zip
    {
        static void Main(string[] args)
        {
            using (FileStream zipToOpen = new FileStream(@"c:\users\exampleuser\release.zip", FileMode.Open))
            {
                using (ZipArchive archive = new ZipArchive(zipToOpen, ZipArchiveMode.Update))
                {
                    ZipArchiveEntry emptyEntry = archive.CreateEntry("Empty.txt");
                    ZipArchiveEntry emptyEntry1 = archive.CreateEntry("Empty1.txt");
                    using (StreamWriter writer = new StreamWriter(emptyEntry1.Open()))
                    {
                    }
                    ZipArchiveEntry readmeEntry = archive.CreateEntry("Readme.txt");
                    using (StreamWriter writer = new StreamWriter(readmeEntry.Open()))
                    {
                        writer.WriteLine("Information about this package.");
                        writer.WriteLine("========================");
                    }
                }
            }
        }
    }
    
}

This checker issues the following warnings:

DocumentationExamples.cs:15: [Zip: EmptyJarEntryWarning] Empty entry added to zip file
DocumentationExamples.cs:16: [Zip: EmptyZipEntryWarning] Empty entry added to zip file

because empty entries are added to a zip archive at lines 15 and 16. In this example, the programmer probably forgot to write content to these entries, as is done at lines 23-24.