Avoid codeql zip slip warning (#13193)

laurit · web-flow · commit 7938d83da7ba · 2025-03-13T15:40:39.000-07:00
diff --git a/javaagent-bootstrap/src/main/java/io/opentelemetry/javaagent/bootstrap/AgentClassLoader.java b/javaagent-bootstrap/src/main/java/io/opentelemetry/javaagent/bootstrap/AgentClassLoader.java
@@ -169,11 +169,11 @@ public Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundExce
   }
 
   private Class<?> findAgentClass(String name) throws ClassNotFoundException {
-    JarEntry jarEntry = findJarEntry(name.replace('.', '/') + ".class");
-    if (jarEntry != null) {
+    AgentJarResource jarResource = findAgentJarResource(name.replace('.', '/') + ".class");
+    if (jarResource != null) {
       byte[] bytes;
       try {
-        bytes = getJarEntryBytes(jarEntry);
+        bytes = getJarEntryBytes(jarResource.getJarEntry());
       } catch (IOException exception) {
         throw new ClassNotFoundException(name, exception);
       }
@@ -236,18 +236,20 @@ private static String getPackageName(String className) {
     return index == -1 ? null : className.substring(0, index);
   }
 
-  private JarEntry findJarEntry(String name) {
+  private AgentJarResource findAgentJarResource(String name) {
     // shading renames .class to .classdata
     boolean isClass = name.endsWith(".class");
     if (isClass) {
       name += getClassSuffix();
     }
 
-    JarEntry jarEntry = jarFile.getJarEntry(jarEntryPrefix + name);
+    String jarEntryName = jarEntryPrefix + name;
+    JarEntry jarEntry = jarFile.getJarEntry(jarEntryName);
+    AgentJarResource jarResource = AgentJarResource.create(jarEntryName, jarEntry);
     if (MULTI_RELEASE_JAR_ENABLE) {
-      jarEntry = findVersionedJarEntry(jarEntry, name);
+      jarResource = findVersionedAgentJarResource(jarResource, name);
     }
-    return jarEntry;
+    return jarResource;
   }
 
   // suffix appended to class resource names
@@ -256,22 +258,23 @@ protected String getClassSuffix() {
     return "data";
   }
 
-  private JarEntry findVersionedJarEntry(JarEntry jarEntry, String name) {
+  private AgentJarResource findVersionedAgentJarResource(
+      AgentJarResource jarResource, String name) {
     // same logic as in JarFile.getVersionedEntry
     if (!name.startsWith(META_INF)) {
       // search for versioned entry by looping over possible versions form high to low
       int version = JAVA_VERSION;
       while (version >= MIN_MULTI_RELEASE_JAR_JAVA_VERSION) {
-        JarEntry versionedJarEntry =
-            jarFile.getJarEntry(jarEntryPrefix + META_INF_VERSIONS + version + "/" + name);
+        String versionedJarEntryName = jarEntryPrefix + META_INF_VERSIONS + version + "/" + name;
+        JarEntry versionedJarEntry = jarFile.getJarEntry(versionedJarEntryName);
         if (versionedJarEntry != null) {
-          return versionedJarEntry;
+          return AgentJarResource.create(versionedJarEntryName, versionedJarEntry);
         }
         version--;
       }
     }
 
-    return jarEntry;
+    return jarResource;
   }
 
   @Override
@@ -296,17 +299,17 @@ public URL findResource(String name) {
   }
 
   private URL findJarResource(String name) {
-    JarEntry jarEntry = findJarEntry(name);
-    return getJarEntryUrl(jarEntry);
+    AgentJarResource jarResource = findAgentJarResource(name);
+    return getAgentJarResourceUrl(jarResource);
   }
 
-  private URL getJarEntryUrl(JarEntry jarEntry) {
-    if (jarEntry != null) {
+  private URL getAgentJarResourceUrl(AgentJarResource jarResource) {
+    if (jarResource != null) {
       try {
-        return new URL(jarBase, jarEntry.getName());
+        return new URL(jarBase, jarResource.getName());
       } catch (MalformedURLException e) {
         throw new IllegalStateException(
-            "Failed to construct url for jar entry " + jarEntry.getName(), e);
+            "Failed to construct url for jar entry " + jarResource.getName(), e);
       }
     }
 
@@ -374,7 +377,8 @@ public URL getResource(String resourceName) {
       // find from agent jar
       if (agentClassLoader != null) {
         JarEntry jarEntry = agentClassLoader.jarFile.getJarEntry(resourceName);
-        return agentClassLoader.getJarEntryUrl(jarEntry);
+        AgentJarResource jarResource = AgentJarResource.create(resourceName, jarEntry);
+        return agentClassLoader.getAgentJarResourceUrl(jarResource);
       }
       return null;
     }
@@ -385,6 +389,28 @@ protected Class<?> findClass(String name) throws ClassNotFoundException {
     }
   }
 
+  private static class AgentJarResource {
+    private final String name;
+    private final JarEntry jarEntry;
+
+    private AgentJarResource(String name, JarEntry jarEntry) {
+      this.name = name;
+      this.jarEntry = jarEntry;
+    }
+
+    String getName() {
+      return name;
+    }
+
+    JarEntry getJarEntry() {
+      return jarEntry;
+    }
+
+    static AgentJarResource create(String name, JarEntry jarEntry) {
+      return jarEntry != null ? new AgentJarResource(name, jarEntry) : null;
+    }
+  }
+
   private static class AgentClassLoaderUrlStreamHandler extends URLStreamHandler {
     private final JarFile jarFile;
 
