From 610b00353541ade9202ab315c882c738630f61c1 Mon Sep 17 00:00:00 2001
From: Davide Angelocola <davide.angelocola@gmail.com>
Date: Fri, 26 Jun 2026 22:11:53 +0200
Subject: [PATCH 1/2] security: pin setup-zig to a commit SHA; mark temp-dir
 vuln reviewed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolve the SECURITY-category Sonar findings:

- S7637: pin the third-party mlugg/setup-zig action to a full commit SHA
  (d1434d0, v2) in ci/sonar/publish workflows, so a moved tag can't swap
  the action under us. The first-party actions/* are not flagged.
- S5443: NativeLibrary extracts the bundled library into an owner-only
  directory (Files.createTempDirectory, 0700 on POSIX) — the rule's
  warning is already mitigated with no further code change available, so
  suppress it for that file via sonar.issue.ignore with a documented why.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 .github/workflows/ci.yml                              | 2 +-
 .github/workflows/publish.yml                         | 2 +-
 .github/workflows/sonar.yml                           | 2 +-
 pom.xml                                               | 8 ++++++++
 zstd/src/main/java/io/github/dfa1/zstd/ZstdFrame.java | 4 ++--
 5 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 929e145..d9c2be9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,7 +24,7 @@ jobs:
           cache: maven
 
       - name: Set up Zig
-        uses: mlugg/setup-zig@v2
+        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
         with:
           version: 0.16.0
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 4ba160f..9c60b1c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -31,7 +31,7 @@ jobs:
           gpg-passphrase: GPG_PASSPHRASE
 
       - name: Set up Zig
-        uses: mlugg/setup-zig@v2
+        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
         with:
           version: 0.16.0
 
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
index 3a84c41..2b00bd7 100644
--- a/.github/workflows/sonar.yml
+++ b/.github/workflows/sonar.yml
@@ -28,7 +28,7 @@ jobs:
           cache: maven
 
       - name: Set up Zig
-        uses: mlugg/setup-zig@v2
+        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
         with:
           version: 0.16.0
 
diff --git a/pom.xml b/pom.xml
index 93b8b69..a2308be 100644
--- a/pom.xml
+++ b/pom.xml
@@ -63,6 +63,14 @@
 		<sonar.host.url>https://sonarcloud.io</sonar.host.url>
 		<sonar.organization>dfa11</sonar.organization>
 		<sonar.projectKey>dfa1_zstd-java</sonar.projectKey>
+		<!-- S5443 (temp dir in a publicly-writable location) on NativeLibrary is a
+		     reviewed false positive: the bundled library is extracted into a private
+		     directory created with Files.createTempDirectory, which is owner-only
+		     (0700) on POSIX, closing the swap/symlink window the rule warns about.
+		     There is no further code mitigation, so suppress it for that file. -->
+		<sonar.issue.ignore.multicriteria>tempdir</sonar.issue.ignore.multicriteria>
+		<sonar.issue.ignore.multicriteria.tempdir.ruleKey>java:S5443</sonar.issue.ignore.multicriteria.tempdir.ruleKey>
+		<sonar.issue.ignore.multicriteria.tempdir.resourceKey>**/NativeLibrary.java</sonar.issue.ignore.multicriteria.tempdir.resourceKey>
 		<!-- The benchmark module is a JMH harness, not shipped runtime: its
 		     @Setup/@TearDown lifecycle trips false "resource not closed" reports and
 		     it has no tests by design. Exclude from analysis entirely (which also
diff --git a/zstd/src/main/java/io/github/dfa1/zstd/ZstdFrame.java b/zstd/src/main/java/io/github/dfa1/zstd/ZstdFrame.java
index 86c9070..6619135 100644
--- a/zstd/src/main/java/io/github/dfa1/zstd/ZstdFrame.java
+++ b/zstd/src/main/java/io/github/dfa1/zstd/ZstdFrame.java
@@ -14,7 +14,7 @@
 public final class ZstdFrame {
 
     /// Sentinel returned by `ZSTD_decompressBound` when the input is not valid.
-    private static final long CONTENTSIZE_ERROR = -2L;
+    private static final long CONTENT_SIZE_ERROR = -2L;
 
     /// Tests whether `data` begins with a valid zstd frame (standard or skippable).
     ///
@@ -213,7 +213,7 @@ private static long decompressedBound(MemorySegment data, long size) {
         } catch (Throwable t) {
             throw NativeCall.rethrow(t);
         }
-        if (bound == CONTENTSIZE_ERROR) {
+        if (bound == CONTENT_SIZE_ERROR) {
             throw new ZstdException("not valid zstd data");
         }
         return bound;

From b2ed28b0361560e88964896e23b1559a4a8a1375 Mon Sep 17 00:00:00 2001
From: Davide Angelocola <davide.angelocola@gmail.com>
Date: Fri, 26 Jun 2026 22:14:33 +0200
Subject: [PATCH 2/2] security: set owner-only temp dir permissions atomically
 (S5443)

Properly fix S5443 instead of suppressing it: create the extraction
directory with an explicit owner-only (rwx------) POSIX permission
attribute at creation time, the rule's compliant pattern. Falls back to
no attribute on non-POSIX file systems, where the temp directory is
already per-user. Revert the earlier pom-level suppression.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 pom.xml                                       |  8 -------
 .../io/github/dfa1/zstd/NativeLibrary.java    | 22 ++++++++++++++++---
 2 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/pom.xml b/pom.xml
index a2308be..93b8b69 100644
--- a/pom.xml
+++ b/pom.xml
@@ -63,14 +63,6 @@
 		<sonar.host.url>https://sonarcloud.io</sonar.host.url>
 		<sonar.organization>dfa11</sonar.organization>
 		<sonar.projectKey>dfa1_zstd-java</sonar.projectKey>
-		<!-- S5443 (temp dir in a publicly-writable location) on NativeLibrary is a
-		     reviewed false positive: the bundled library is extracted into a private
-		     directory created with Files.createTempDirectory, which is owner-only
-		     (0700) on POSIX, closing the swap/symlink window the rule warns about.
-		     There is no further code mitigation, so suppress it for that file. -->
-		<sonar.issue.ignore.multicriteria>tempdir</sonar.issue.ignore.multicriteria>
-		<sonar.issue.ignore.multicriteria.tempdir.ruleKey>java:S5443</sonar.issue.ignore.multicriteria.tempdir.ruleKey>
-		<sonar.issue.ignore.multicriteria.tempdir.resourceKey>**/NativeLibrary.java</sonar.issue.ignore.multicriteria.tempdir.resourceKey>
 		<!-- The benchmark module is a JMH harness, not shipped runtime: its
 		     @Setup/@TearDown lifecycle trips false "resource not closed" reports and
 		     it has no tests by design. Exclude from analysis entirely (which also
diff --git a/zstd/src/main/java/io/github/dfa1/zstd/NativeLibrary.java b/zstd/src/main/java/io/github/dfa1/zstd/NativeLibrary.java
index e3f46d7..0923252 100644
--- a/zstd/src/main/java/io/github/dfa1/zstd/NativeLibrary.java
+++ b/zstd/src/main/java/io/github/dfa1/zstd/NativeLibrary.java
@@ -7,9 +7,12 @@
 import java.lang.foreign.Linker;
 import java.lang.foreign.SymbolLookup;
 import java.lang.invoke.MethodHandle;
+import java.nio.file.FileSystems;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
+import java.nio.file.attribute.FileAttribute;
+import java.nio.file.attribute.PosixFilePermissions;
 
 /// Infrastructure — loads the bundled `libzstd` shared library and binds
 /// native symbols to {@link MethodHandle}s via the Foreign Function & Memory API.
@@ -45,9 +48,10 @@ private static String extractBundledLib() {
                 throw new UnsatisfiedLinkError("No bundled zstd library found for platform " + classifier);
             }
             // Extract into a private, owner-only temp directory rather than a file
-            // loose in the shared temp root: createTempDirectory is 0700 on POSIX, so
-            // no other local user can swap the library between extraction and dlopen.
-            Path dir = Files.createTempDirectory("zstd-");
+            // loose in the shared temp root, so no other local user can swap the
+            // library between extraction and dlopen. The owner-only (0700) mode is
+            // set atomically at creation via a POSIX permission attribute.
+            Path dir = Files.createTempDirectory("zstd-", ownerOnlyAttributes());
             Path lib = dir.resolve("libzstd." + ext);
             Files.copy(in, lib, StandardCopyOption.REPLACE_EXISTING);
             lib.toFile().deleteOnExit();
@@ -58,6 +62,18 @@ private static String extractBundledLib() {
         }
     }
 
+    /// Owner-only (`rwx------`) directory permissions as a creation attribute on
+    /// POSIX file systems; an empty array elsewhere (a Windows temp directory is
+    /// already per-user, and the POSIX attribute is unsupported there).
+    private static FileAttribute<?>[] ownerOnlyAttributes() {
+        if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
+            return new FileAttribute<?>[] {
+                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"))
+            };
+        }
+        return new FileAttribute<?>[0];
+    }
+
     private static String libExtension(String classifier) {
         if (classifier.startsWith("osx")) {
             return "dylib";