
In a Fortify code scan, we have a privacy violation in the Java code below, which converts a byte[] to a ZipOutputStream, which is later converted to another byte[]. The exact sink line is zos.write(arr);

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

private byte[] zipFile(String filename, byte[] arr) throws UnableToZipException, IOException {
    try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
            ZipOutputStream zos = new ZipOutputStream(baos)) {
        ZipEntry entry = new ZipEntry(filename);
        entry.setSize(arr.length);
        zos.putNextEntry(entry);
        zos.write(arr); // the line Fortify reports as the sink
        zos.closeEntry();
        // close (or finish()) before toByteArray(): the zip central directory is only
        // written to baos when the stream is closed, otherwise the returned archive is truncated
        zos.close();
        return baos.toByteArray();
    } catch (Exception e) {
        e.printStackTrace();
        // the original fell off the end here, which does not compile (no return on this path);
        // rethrow as the declared exception (assumes UnableToZipException accepts a cause)
        throw new UnableToZipException(e);
    }
}

Is it a valid violation or a false positive? I am not writing the ZipOutputStream to the local directory. If it is a valid privacy violation, how do I resolve it?

Mark Rotteveel
User_1940878

1 Answer

You shouldn't be looking at this code in isolation. The Fortify scan will also provide details on where the data entering this method comes from. You need to figure out what value is passed to this method for the arr parameter. If the value passed in is private information, then it will show up as a privacy violation.
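An added example, not part of the question or the answer, that shows why Fortify treats zos.write(arr) as a sink: zipping neither hides nor protects the data, and whatever arrives in arr can be read back unchanged from the byte[] the method returns, so the finding is real exactly when arr holds private data and that archive reaches somewhere it should not. The class, method names and the sample content are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipRoundTrip {

    // Same zipping logic as the method in the question (custom exception dropped for brevity).
    static byte[] zipFile(String filename, byte[] arr) throws IOException {
        try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
             ZipOutputStream zos = new ZipOutputStream(baos)) {
            ZipEntry entry = new ZipEntry(filename);
            entry.setSize(arr.length);
            zos.putNextEntry(entry);
            zos.write(arr);          // the reported sink: arr is copied into the archive
            zos.closeEntry();
            zos.finish();            // writes the central directory so baos holds a complete archive
            return baos.toByteArray();
        }
    }

    // Reads the first entry back out of an in-memory archive.
    static byte[] unzipFirstEntry(byte[] zipBytes) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            if (zis.getNextEntry() == null) {
                throw new IOException("archive contains no entries");
            }
            return zis.readAllBytes(); // reads to the end of the current entry (Java 9+)
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample standing in for whatever the caller passes as arr.
        byte[] secret = "ssn=123-45-6789".getBytes(StandardCharsets.UTF_8);
        byte[] archive = zipFile("record.txt", secret);
        byte[] recovered = unzipFirstEntry(archive);
        if (!Arrays.equals(secret, recovered)) {
            throw new IllegalStateException("round trip changed the data");
        }
        // The returned archive carries the input verbatim; only where the archive goes next
        // decides whether this is a real privacy violation.
        System.out.println("recovered " + recovered.length + " bytes unchanged from the archive");
    }
}
```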