yup #89

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

lakeyscott wants to merge 1,826 commits into gh-pages

from master

Open

yup #89

lakeyscott wants to merge 1,826 commits into gh-pages from master

Conversation

lakeyscott

Copy link

@lakeyscott lakeyscott commented Jul 15, 2018

macports.conf.5.txt

野松 and others added 30 commits

March 22, 2017 10:24


 request udpate: 新增sdkVersion功能

6d17327


 requet udpate: 新增sdkversion api

6d39d44


 request udpate: add Copyrights to All LuaView files

3a8bef8


 request update: 新增所有lua脚本的 Copyrights

ae7bc17


 Merge branch 'dev_5.14.0' into develop

9d180fb


 [IOS] liblua.podspec

c7de61e


 [IOS] 更新liblua.podspec

8f54af0


 liblua.podspec文件

b68f473


 pod install

9384ca2


 liblua 0.5.0 依赖

7d449e9


 pod install

ed0012c


 [bugfix] PagerView支持支持后续传参数 initParams

3d63721


 PagerView支持initParams问题导致autoScroll设置无效

6f58213


 拓里 IOS lua脚本

4a71ed4


 fexlayout

2f92147

@yechunxiao19


 Merge branch 'feature/playground' of gitlab.alibaba-inc.com:luaview/L...

ca3e640

...uaViewSDK into feature/playground

@yechunxiao19

7fb5996

@yechunxiao19


 add .gitignore

d75898f

@yechunxiao19


 Merge branch 'feature/playground' into develop

cb3f860


 去除无用代码

77f34bd


 [bugfix] 文件名包多个a//b//c的可能 + 去除无用代码

ee40135


 no message

7f49588


 collection view支持先创建对象,再设置数据源

4656f51


 Merge remote-tracking branch 'origin/dev_5.14.0' into dev_5.10.0_play...

8d47d10

...ground
Conflicts:
	Android/LuaViewDemo/LuaViewDemo.iml
	Android/LuaViewSDK/LuaViewSDK.iml


 no message

1d8dac3


 no message

dcebeab


 脚本更新

3b969d3


 Merge branch 'dev_5.10.0_playground' into 'dev_5.14.0'

6640f32

Dev 5.10.0 playground
See merge request !54


 修改证书及版本号

e09bf0f


 Playground + demo

f1e3c75

野松 and others added 26 commits

June 15, 2017 20:28


 Merge branch 'dev_5.25.0' into deploy

fe478cd


 request update: update version to 0.5.2

58886f6


 Merge branch 'dev_5.25.0' into deploy

26c26a0


 request update: demo update

dab9781


 request update: bugfix update

d03b97c


 修改pod spec,去除lua源码

abc0173


 修改File.save API,同时支持string或data类型

d7d219a


 修正获取参数的方式

434feff


 request update: 兼容标准语法


 request update: 埋点重构

671536e


 request update: merge taohome

ef72a10


 request udpate: bugfix

54f41c9


 Merge branch 'feature/dev_5.25.0/taohome' into dev_5.25.0

f05eb61


 修改版本号为0.5.2

f68f8e6


 Merge branch 'dev_5.25.0' into develop

3daa6d3


 Merge branch 'develop'

ec5bc74

# Conflicts:
#	LuaViewSDK.podspec


 移除Playground App源码

c8245c4


 为AudioPlayer接口添加文件名适配

bae6e09


 添加LVCamera,显示摄像头的内容,有人脸识别和拍照功能

6374a09


 修复音频播放Bug

18785c8


 人脸检测主线程返回,定时器放到主线程

17dde52


 拍照保存文件添加jpg后缀

c503b9d


 暂时去除WebView组件

29aa040


 增加堆栈信息的判空,防止空对象

90bcbdf


 修复iOS demo无法编译的问题

d5b48f5


 升级版本到0.5.3

3aa5689

@CLAassistant

Copy link

CLAassistant commented Jul 15, 2018 •

edited

Loading

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

城西 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

@CLAassistant

Copy link

CLAassistant commented Jul 15, 2018

CLA assistant check
Thank you for your submission, we really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

@github-advanced-security

Copy link

github-advanced-security bot commented May 29, 2025

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

github-advanced-security[bot]

github-advanced-security bot found potential problems

May 29, 2025

View reviewed changes

Android/LuaViewSDK/pom.xml

Comment on lines +57 to +60

<id>releases</id>

<url>http://mvnrepo.alibaba-inc.com/mvn/releases</url>

</repository>

Check failure

Code scanning / CodeQL

Failure to use HTTPS or SFTP URL in Maven artifact upload/download High

Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://mvnrepo.alibaba-inc.com/mvn/releases

Copilot Autofix

AI 5 months ago

To fix the issue, the repository URLs in the <distributionManagement> section of the Maven POM file should be updated to use HTTPS instead of HTTP. This ensures secure communication with the artifact repository, protecting against MITM attacks and supply chain vulnerabilities.

Steps to implement the fix:

Locate the <distributionManagement> section in the POM file.
Update the <url> elements for both <repository> and <snapshotRepository> to use HTTPS instead of HTTP.
Verify that the repository supports HTTPS and that the updated URLs are correct.

No additional methods, imports, or definitions are required for this fix.

Suggested changeset 1

Android/LuaViewSDK/pom.xml

@@ -55,12 +55,12 @@

<id>releases</id>

<url>http://mvnrepo.alibaba-inc.com/mvn/releases</url>

</repository>

<id>snapshots</id>

<url>http://mvnrepo.alibaba-inc.com/mvn/snapshots</url>

</snapshotRepository>

</distributionManagement>

<id>releases</id>

<url>https://mvnrepo.alibaba-inc.com/mvn/releases</url>

</repository>

<id>snapshots</id>

<url>https://mvnrepo.alibaba-inc.com/mvn/snapshots</url>

</snapshotRepository>

</distributionManagement>

Copilot is powered by AI and may make mistakes. Always verify output.

Android/LuaViewSDK/pom.xml

Comment on lines +61 to +64

<id>snapshots</id>

<url>http://mvnrepo.alibaba-inc.com/mvn/snapshots</url>

</snapshotRepository>

Check failure

Code scanning / CodeQL

Failure to use HTTPS or SFTP URL in Maven artifact upload/download High

Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://mvnrepo.alibaba-inc.com/mvn/snapshots

Copilot Autofix

AI 5 months ago

To fix the issue, the repository URLs in the <distributionManagement> section should be updated to use HTTPS instead of HTTP. This ensures that all communication with the artifact repository is encrypted and secure.

Steps to implement the fix:

Replace the http:// protocol in the <url> tags of both <repository> and <snapshotRepository> with https://.
Verify that the repository supports HTTPS and update any necessary credentials or configurations if required.

Suggested changeset 1

Android/LuaViewSDK/pom.xml

@@ -58,3 +58,3 @@

<id>releases</id>

<url>http://mvnrepo.alibaba-inc.com/mvn/releases</url>

<url>https://mvnrepo.alibaba-inc.com/mvn/releases</url>

</repository>

@@ -62,3 +62,3 @@

<id>snapshots</id>

<url>http://mvnrepo.alibaba-inc.com/mvn/snapshots</url>

<url>https://mvnrepo.alibaba-inc.com/mvn/snapshots</url>

</snapshotRepository>

Copilot is powered by AI and may make mistakes. Always verify output.

...ewSDK/src/com/taobao/luaview/scriptbundle/asynctask/delegate/ScriptBundleUnpackDelegate.java

DebugUtil.tsi("luaviewp-unpackBundle-zip");

while ((entry = zipStream.getNextEntry()) != null) {

// 处理../ 这种方式只能使用单层路径,不能处理子目录,在这里可以添加公用path

rawName = entry.getName();

Check failure

Code scanning / CodeQL

Arbitrary file access during archive extraction ("Zip Slip") High

Unsanitized archive entry, which may contain '..', is used in a

file system operation

.
Unsanitized archive entry, which may contain '..', is used in a

file system operation

Copilot Autofix

AI 5 months ago

To fix the issue, we need to validate the constructed file paths to ensure they remain within the intended directory (scriptBundleFolderPath). This can be achieved by normalizing the paths using java.io.File.getCanonicalFile() or java.nio.file.Path.normalize() and verifying that the normalized path starts with the intended directory's canonical path. If the validation fails, the code should throw an exception or skip processing the entry.

Steps to implement the fix:

Normalize the constructed file path using File.getCanonicalFile() to resolve any symbolic links or traversal sequences.
Validate that the normalized path starts with the canonical path of the destination directory (scriptBundleFolderPath).
Reject or skip entries that fail the validation.

Suggested changeset 1

Android/LuaViewSDK/src/com/taobao/luaview/scriptbundle/asynctask/delegate/ScriptBundleUnpackDelegate.java

@@ -211,3 +211,7 @@

filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName);

File dir = new File(filePath);

File dir = new File(filePath).getCanonicalFile();

File baseDir = new File(scriptBundleFolderPath).getCanonicalFile();

if (!dir.getPath().startsWith(baseDir.getPath())) {

throw new IOException("Invalid zip entry: " + rawName);

}

if (!dir.exists()) {

@@ -226,3 +230,8 @@

filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName);

luaRes.put(filePath, fileData);

File file = new File(filePath).getCanonicalFile();

File baseDir = new File(scriptBundleFolderPath).getCanonicalFile();

if (!file.getPath().startsWith(baseDir.getPath())) {

throw new IOException("Invalid zip entry: " + rawName);

}

luaRes.put(file.getPath(), fileData);

}

Copilot is powered by AI and may make mistakes. Always verify output.

...ewSDK/src/com/taobao/luaview/scriptbundle/asynctask/delegate/ScriptBundleUnpackDelegate.java

if (entry.isDirectory()) {

filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName);

File dir = new File(filePath);

if (!dir.exists()) {

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a

user-provided value

Copilot Autofix

AI 5 months ago

To fix the issue, we need to validate the constructed paths to ensure they remain within a controlled directory and do not contain any path traversal sequences or special characters. This can be achieved by normalizing the paths and verifying that they start with the expected base directory (scriptBundleFolderPath). Additionally, we should reject any input that contains path separators (/ or \) or .. sequences.

Steps to implement the fix:

Use java.nio.file.Paths to normalize the constructed paths and verify that they remain within the scriptBundleFolderPath.
Add a validation step to reject any rawName that contains path separators (/ or \) or .. sequences.
Ensure that the FileUtil.getSecurityFileName method is robust and complements the validation logic.

Suggested changeset 1

Android/LuaViewSDK/src/com/taobao/luaview/scriptbundle/asynctask/delegate/ScriptBundleUnpackDelegate.java

@@ -202,5 +202,5 @@

rawName = entry.getName();

if (rawName == null || rawName.indexOf("../") != -1) {

if (rawName == null || rawName.contains("..") || rawName.contains("/") || rawName.contains("\\")) {

zipStream.close();

returnnull;

thrownewIllegalArgumentException("Invalid entry name in zip file: " + rawName);

}

@@ -209,5 +209,12 @@

filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName);

Path normalizedPath = Paths.get(filePath).normalize();

Path basePath = Paths.get(scriptBundleFolderPath).normalize();

if (!normalizedPath.startsWith(basePath)) {

zipStream.close();

throw new IllegalArgumentException("Path traversal detected: " + filePath);

}

if (entry.isDirectory()) {

filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName);

File dir = new File(filePath);

File dir = new File(normalizedPath.toString());

if (!dir.exists()) {

Copilot is powered by AI and may make mistakes. Always verify output.

...ewSDK/src/com/taobao/luaview/scriptbundle/asynctask/delegate/ScriptBundleUnpackDelegate.java

filePath = FileUtil.buildPath(scriptBundleFolderPath, fileName);

File dir = new File(filePath);

if (!dir.exists()) {

dir.mkdir();

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a

user-provided value

Android/LuaViewSDK/src/com/taobao/luaview/util/DecryptUtil.java

if (cipher == null) {

final SecretKeySpec skeySpec = new SecretKeySpec(keys, ALGORITHM_AES);

final IvParameterSpec ivParameterSpec = new IvParameterSpec(cIv);

cipher = Cipher.getInstance(ALGORITHM_AES);

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm High

Cryptographic algorithm

AES/CBC/PKCS5Padding

is insecure. CBC mode with PKCS#5 or PKCS#7 padding is vulnerable to padding oracle attacks. Consider using GCM instead.

Android/LuaViewSDK/src/com/taobao/luaview/util/DecryptUtil.java

final SecretKeySpec skeySpec = new SecretKeySpec(keys, ALGORITHM_AES);

final IvParameterSpec ivParameterSpec = new IvParameterSpec(cIv);

cipher = Cipher.getInstance(ALGORITHM_AES);

cipher.init(Cipher.DECRYPT_MODE, skeySpec, ivParameterSpec);

Check failure

Code scanning / CodeQL

Using a static initialization vector for encryption High

static initialization vector

should not be used for encryption.

Copilot Autofix

AI 5 months ago

To fix the issue, we need to replace the static IV (cIv) with a dynamically generated random IV for each encryption session. This can be achieved using SecureRandom to generate a random IV. The IV should be stored alongside the ciphertext to allow decryption later, as the IV is required for decryption.

In the provided code, the aes method initializes the Cipher object for decryption. To ensure compatibility with encryption, the IV should be passed as an additional parameter to the aes method. This requires modifying the method signature and updating the logic to use a dynamic IV.

Suggested changeset 1

Android/LuaViewSDK/src/com/taobao/luaview/util/DecryptUtil.java

@@ -34,7 +34,3 @@

private static final String CACHE_PUBLIC_KEY = AppCache.CACHE_PUBLIC_KEY;

public static final byte[] cIv = new byte[16];

static {

Arrays.fill(cIv, (byte) 0);

}

// Removed static IV definition and initialization.

@@ -72,3 +68,3 @@

public static byte[] aes(final byte[] keys, final byte[] encrypted) {

public static byte[] aes(final byte[] keys, final byte[] encrypted, finalbyte[] iv) {

try {

@@ -77,3 +73,3 @@

final SecretKeySpec skeySpec = new SecretKeySpec(keys, ALGORITHM_AES);

final IvParameterSpec ivParameterSpec = new IvParameterSpec(cIv);

final IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);

cipher = Cipher.getInstance(ALGORITHM_AES);

Copilot is powered by AI and may make mistakes. Always verify output.

Android/LuaViewSDK/src/org/luaj/vm2/Globals.java

public long skip(long n) throws IOException {

final long k = Math.min(n, j - i);

i += k;

Check failure

Code scanning / CodeQL

Implicit narrowing conversion in compound assignment High

Implicit cast of source type long to narrower destination type

int

Copilot Autofix

AI 5 months ago

To fix the issue, we need to ensure that the types of the variables involved in the compound assignment are compatible. Since k is of type long, we should change the type of i from int to long. This will eliminate the need for an implicit cast and prevent potential data loss or overflow. The change should be made in the declaration of i on line 452, as well as in any other parts of the code that depend on i.

Suggested changeset 1

Android/LuaViewSDK/src/org/luaj/vm2/Globals.java

@@ -451,3 +451,4 @@

protected byte[] b;

protected int i = 0, j = 0;

protected long i = 0;

protected int j = 0;

Copilot is powered by AI and may make mistakes. Always verify output.

Android/LuaViewSDK/src/org/luaj/vm2/compiler/FuncState.java

void reserveregs(int n) {

this.checkstack(n);

this.freereg += n;

Check failure

Code scanning / CodeQL

Implicit narrowing conversion in compound assignment High

Implicit cast of source type int to narrower destination type

short

Copilot Autofix

AI 5 months ago

To fix the issue, we need to ensure that the type of freereg is at least as wide as the type of n to avoid implicit narrowing conversions. The best approach is to change the type of freereg from short to int. This ensures that the result of this.freereg + n remains within the bounds of the type and avoids the need for an implicit cast.

The changes required are:

Update the declaration of freereg on line 66 to use int instead of short.
Ensure that all references to freereg in the file remain consistent with the new type.

Suggested changeset 1

Android/LuaViewSDK/src/org/luaj/vm2/compiler/FuncState.java

@@ -65,3 +65,3 @@

short nups; /* number of upvalues */

short freereg; /* first free register */

int freereg; /* first free register */

Copilot is powered by AI and may make mistakes. Always verify output.

Android/LuaViewSDK/target/AndroidManifest.xml

<uses-permission android:name="android.permission.VIBRATE"/>

<uses-sdk android:minSdkVersion="14"/>

Check failure

Code scanning / CodeQL

Android debuggable attribute enabled High

The 'android:debuggable' attribute is enabled.

Copilot Autofix

AI 5 months ago

To fix the issue, the android:debuggable attribute should either be removed entirely or explicitly set to false. The default value for android:debuggable is false when the attribute is omitted, so removing it is sufficient. This ensures that the application cannot be debugged in production, adhering to best practices for security.

The change should be made in the Android/LuaViewSDK/target/AndroidManifest.xml file, specifically on line 20 where the android:debuggable attribute is currently set to true.

Suggested changeset 1

Android/LuaViewSDK/target/AndroidManifest.xml

@@ -19,3 +19,3 @@

<uses-sdk android:minSdkVersion="14"/>

Copilot is powered by AI and may make mistakes. Always verify output.

yup #89

Are you sure you want to change the base?

yup #89

Uh oh!

Conversation

@lakeyscott lakeyscott commented Jul 15, 2018

Uh oh!

CLAassistant commented Jul 15, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

CLAassistant commented Jul 15, 2018

Uh oh!

github-advanced-security bot commented May 29, 2025

Uh oh!

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Uh oh!

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Check failure

Uh oh!

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

Check failure

Copilot Autofix

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

CLAassistant commented Jul 15, 2018 •

edited

Loading