diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 929e145..d9c2be9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,7 +24,7 @@ jobs: cache: maven - name: Set up Zig - uses: mlugg/setup-zig@v2 + uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2 with: version: 0.16.0 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 4ba160f..9c60b1c 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -31,7 +31,7 @@ jobs: gpg-passphrase: GPG_PASSPHRASE - name: Set up Zig - uses: mlugg/setup-zig@v2 + uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2 with: version: 0.16.0 diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml index 3a84c41..2b00bd7 100644 --- a/.github/workflows/sonar.yml +++ b/.github/workflows/sonar.yml @@ -28,7 +28,7 @@ jobs: cache: maven - name: Set up Zig - uses: mlugg/setup-zig@v2 + uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2 with: version: 0.16.0 diff --git a/zstd/src/main/java/io/github/dfa1/zstd/NativeLibrary.java b/zstd/src/main/java/io/github/dfa1/zstd/NativeLibrary.java index e3f46d7..0923252 100644 --- a/zstd/src/main/java/io/github/dfa1/zstd/NativeLibrary.java +++ b/zstd/src/main/java/io/github/dfa1/zstd/NativeLibrary.java @@ -7,9 +7,12 @@ import java.lang.foreign.Linker; import java.lang.foreign.SymbolLookup; import java.lang.invoke.MethodHandle; +import java.nio.file.FileSystems; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.StandardCopyOption; +import java.nio.file.attribute.FileAttribute; +import java.nio.file.attribute.PosixFilePermissions; /// Infrastructure — loads the bundled `libzstd` shared library and binds /// native symbols to {@link MethodHandle}s via the Foreign Function & Memory API. @@ -45,9 +48,10 @@ private static String extractBundledLib() { throw new UnsatisfiedLinkError("No bundled zstd library found for platform " + classifier); } // Extract into a private, owner-only temp directory rather than a file - // loose in the shared temp root: createTempDirectory is 0700 on POSIX, so - // no other local user can swap the library between extraction and dlopen. - Path dir = Files.createTempDirectory("zstd-"); + // loose in the shared temp root, so no other local user can swap the + // library between extraction and dlopen. The owner-only (0700) mode is + // set atomically at creation via a POSIX permission attribute. + Path dir = Files.createTempDirectory("zstd-", ownerOnlyAttributes()); Path lib = dir.resolve("libzstd." + ext); Files.copy(in, lib, StandardCopyOption.REPLACE_EXISTING); lib.toFile().deleteOnExit(); @@ -58,6 +62,18 @@ private static String extractBundledLib() { } } + /// Owner-only (`rwx------`) directory permissions as a creation attribute on + /// POSIX file systems; an empty array elsewhere (a Windows temp directory is + /// already per-user, and the POSIX attribute is unsupported there). + private static FileAttribute[] ownerOnlyAttributes() { + if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) { + return new FileAttribute[] { + PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")) + }; + } + return new FileAttribute[0]; + } + private static String libExtension(String classifier) { if (classifier.startsWith("osx")) { return "dylib"; diff --git a/zstd/src/main/java/io/github/dfa1/zstd/ZstdFrame.java b/zstd/src/main/java/io/github/dfa1/zstd/ZstdFrame.java index 86c9070..6619135 100644 --- a/zstd/src/main/java/io/github/dfa1/zstd/ZstdFrame.java +++ b/zstd/src/main/java/io/github/dfa1/zstd/ZstdFrame.java @@ -14,7 +14,7 @@ public final class ZstdFrame { /// Sentinel returned by `ZSTD_decompressBound` when the input is not valid. - private static final long CONTENTSIZE_ERROR = -2L; + private static final long CONTENT_SIZE_ERROR = -2L; /// Tests whether `data` begins with a valid zstd frame (standard or skippable). /// @@ -213,7 +213,7 @@ private static long decompressedBound(MemorySegment data, long size) { } catch (Throwable t) { throw NativeCall.rethrow(t); } - if (bound == CONTENTSIZE_ERROR) { + if (bound == CONTENT_SIZE_ERROR) { throw new ZstdException("not valid zstd data"); } return bound;