security: resolve Sonar SECURITY-category issues

.github/workflows/ci.yml

@@ -24,7 +24,7 @@ jobs:
           cache: maven
 
       - name: Set up Zig
-        uses: mlugg/setup-zig@v2
+        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
         with:
           version: 0.16.0
 

.github/workflows/publish.yml

@@ -31,7 +31,7 @@ jobs:
           gpg-passphrase: GPG_PASSPHRASE
 
       - name: Set up Zig
-        uses: mlugg/setup-zig@v2
+        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
         with:
           version: 0.16.0
 

.github/workflows/sonar.yml

@@ -28,7 +28,7 @@ jobs:
           cache: maven
 
       - name: Set up Zig
-        uses: mlugg/setup-zig@v2
+        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
         with:
           version: 0.16.0
 

zstd/src/main/java/io/github/dfa1/zstd/NativeLibrary.java

@@ -7,9 +7,12 @@
 import java.lang.foreign.Linker;
 import java.lang.foreign.SymbolLookup;
 import java.lang.invoke.MethodHandle;
+import java.nio.file.FileSystems;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
+import java.nio.file.attribute.FileAttribute;
+import java.nio.file.attribute.PosixFilePermissions;
 
 /// Infrastructure — loads the bundled `libzstd` shared library and binds
 /// native symbols to {@link MethodHandle}s via the Foreign Function & Memory API.
@@ -45,9 +48,10 @@ private static String extractBundledLib() {
                 throw new UnsatisfiedLinkError("No bundled zstd library found for platform " + classifier);
             }
             // Extract into a private, owner-only temp directory rather than a file
-            // loose in the shared temp root: createTempDirectory is 0700 on POSIX, so
-            // no other local user can swap the library between extraction and dlopen.
-            Path dir = Files.createTempDirectory("zstd-");
+            // loose in the shared temp root, so no other local user can swap the
+            // library between extraction and dlopen. The owner-only (0700) mode is
+            // set atomically at creation via a POSIX permission attribute.
+            Path dir = Files.createTempDirectory("zstd-", ownerOnlyAttributes());
             Path lib = dir.resolve("libzstd." + ext);
             Files.copy(in, lib, StandardCopyOption.REPLACE_EXISTING);
             lib.toFile().deleteOnExit();
@@ -58,6 +62,18 @@ private static String extractBundledLib() {
         }
     }
 
+    /// Owner-only (`rwx------`) directory permissions as a creation attribute on
+    /// POSIX file systems; an empty array elsewhere (a Windows temp directory is
+    /// already per-user, and the POSIX attribute is unsupported there).
+    private static FileAttribute<?>[] ownerOnlyAttributes() {
+        if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
+            return new FileAttribute<?>[] {
+                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"))
+            };
+        }
+        return new FileAttribute<?>[0];
+    }
+
     private static String libExtension(String classifier) {
         if (classifier.startsWith("osx")) {
             return "dylib";

zstd/src/main/java/io/github/dfa1/zstd/ZstdFrame.java

@@ -14,7 +14,7 @@
 public final class ZstdFrame {
 
     /// Sentinel returned by `ZSTD_decompressBound` when the input is not valid.
-    private static final long CONTENTSIZE_ERROR = -2L;
+    private static final long CONTENT_SIZE_ERROR = -2L;
 
     /// Tests whether `data` begins with a valid zstd frame (standard or skippable).
     ///
@@ -213,7 +213,7 @@ private static long decompressedBound(MemorySegment data, long size) {
         } catch (Throwable t) {
             throw NativeCall.rethrow(t);
         }
-        if (bound == CONTENTSIZE_ERROR) {
+        if (bound == CONTENT_SIZE_ERROR) {
             throw new ZstdException("not valid zstd data");
         }
         return bound;