Whenever I use the Inject Hooks feature, save the modified code as a Jar and run it, I get the following error:

C:\Users\Alexander\Desktop>java -jar hook-test.jar
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.lang.VerifyError: Operand stack overflow
Exception Details:
  Location:
    Main.access$13()V @0: ldc_w
  Reason:
    Exceeded max stack size.
  Current Frame:
    bci: @0
    flags: { }
    locals: { }
    stack: { }
  Bytecode:
    0x0000000: 1301 4db8 002e b801 4fb1

        at java.lang.Class.getDeclaredMethods0(Native Method)
        at java.lang.Class.privateGetDeclaredMethods(Unknown Source)
        at java.lang.Class.privateGetMethodRecursive(Unknown Source)
        at java.lang.Class.getMethod0(Unknown Source)
        at java.lang.Class.getMethod(Unknown Source)
        at sun.launcher.LauncherHelper.validateMainClass(Unknown Source)
        at sun.launcher.LauncherHelper.checkAndLoadMain(Unknown Source)

I have tried this with several Jars, with and without obfuscation. One of the Jars I tried to hook is a program I made long ago, so if you need an example, feel free to download it:

• original Jar
• Jar with hooks

My guess is that BCV inserts the bytecode for the hooks without updating the size of the method that the hook was inserted into.

Hi, I just discovered this project. Anyway, I have some suggestions for the Krakatau decompiler and disassembler support.

• You should disable assertions by passing -O to Python. The assertions are useful for testing or debugging, but for normal use, you're better off disabling them. Disabling assertions also makes things slightly faster. Note that this is an option for python itself, not Krakatau, so the command line would look like python -O Krakatau...
• Likewise, you should pass the -skip option to the decompiler to skip each class or method on errors instead of stopping at the first error. It's better to decompile some classes than none.
• Also, on Windows, Krakatau sanitizes the output paths to avoid collisions, so the path of the output file isn't necessarily the same as the actual name of the class. Even on other OSes, you can get errors if the class name is too long or contains special characters. I'd recommend outputting to a jar/zip file instead, since the output path inside the zip file is always the same as the actual class name. You can do this by passing a path ending in .jar or .zip to -out, e.g. -out temp.jar
• Lastly, Pypy is usually faster than CPython, so I'd recommend using pypy over python when possible.

I am by no means a licensing/law expert, but it seems there may be some licensing conflicts with some files in the repo. The only licensing details I can find seem to be GPLv3

smali seems to be bsd and apache apktool seems to be bsd and apache enjarify seems to be apache etc

Would it be appropriate to include license details for all of these?

This PR also contains #288 and #266

The project has mostly been migrated to Maven (it is able to compile on my machine at least. It reports a build failure, but it built successfully anyways).

This way, updating most libraries was pretty easy and, thus, some decompilers even support newer Java versions (e.g. Java 14 records can be decompiled with CFR now)

Also, this PR fixes the Code Style everywhere as far as humanly possible (for me at least, I spent 10 hours working on this project at the time of writing this lol).

Please test and review, thank you :) This PR will help the community to develop this application easier and further.

Fixes #289 Fixes #282 Fixes #269 Fixes #268

I have both JEB (https://www.pnfsoftware.com/) and JADX (https://github.com/skylot/jadx) decompilers Could you advise how to integrate, write plugin or modify source? Both have cmd and GUI versions. Thanks

Please send this error log to https://github.com/Konloch/bytecode-viewer/issues or Konloch at https://the.bytecode.club or [email protected]
If you hold appropriate legal rights to the relevant class/jar/apk file please include that as well.
Bytecode Viewer Version: 2.10.16 [Fat Jar], OS: Mac OS X, Java: 1.8.0_302

java.lang.StringIndexOutOfBoundsException: String index out of range: -3
	at java.lang.String.substring(String.java:1967)
	at org.objectweb.asm.signature.SignatureReader.parseType(SignatureReader.java:178)
	at org.objectweb.asm.signature.SignatureReader.accept(SignatureReader.java:111)
	at org.objectweb.asm.commons.Remapper.mapSignature(Remapper.java:209)
	at org.objectweb.asm.commons.ClassRemapper.visitMethod(ClassRemapper.java:193)
	at org.objectweb.asm.ClassVisitor.visitMethod(ClassVisitor.java:366)
	at com.googlecode.d2j.dex.Dex2Asm.collectBasicMethodInfo(Dex2Asm.java:330)
	at com.googlecode.d2j.dex.Dex2Asm.convertMethod(Dex2Asm.java:639)
	at com.googlecode.d2j.dex.Dex2Asm.convertClass(Dex2Asm.java:526)
	at com.googlecode.d2j.dex.Dex2Asm.convertClass(Dex2Asm.java:428)
	at com.googlecode.d2j.dex.Dex2Asm.convertDex(Dex2Asm.java:542)
	at com.googlecode.d2j.dex.Dex2jar.doTranslate(Dex2jar.java:135)
	at com.googlecode.d2j.dex.Dex2jar.to(Dex2jar.java:235)
	at the.bytecode.club.bytecodeviewer.util.Dex2Jar.dex2Jar(Dex2Jar.java:42)
	at the.bytecode.club.bytecodeviewer.resources.importing.impl.APKResourceImporter.open(APKResourceImporter.java:66)
	at the.bytecode.club.bytecodeviewer.resources.importing.ImportResource.importKnownFile(ImportResource.java:88)
	at the.bytecode.club.bytecodeviewer.resources.importing.ImportResource.run(ImportResource.java:60)
	at java.lang.Thread.run(Thread.java:748)

Hi,

I have just downloaded this today and it keeps saying the files downloaded are corrupted and to restart.

after every restart, the same messages appear (multiple items are corrupted)

It starts with the following screenshot.

Using version 2.9.10

Get in touch to send you the apk or download from market Windfinder_1.9.3.apk

Bytecode Viewer Version: 2.9.6

java.io.FileNotFoundException: C:\Users\LimElect.Bytecode-Viewer\bcv_temp\eMLngxtvvwYrJCSTAkyJteXmHueLenzT.apk (The system cannot find the file specified) at java.io.FileInputStream.open(Native Method) at java.io.FileInputStream.(Unknown Source) at the.bytecode.club.bytecodeviewer.JarUtils.loadResources(JarUtils.java:80) at the.bytecode.club.bytecodeviewer.BytecodeViewer$3.run(BytecodeViewer.java:627)

Bytecode Viewer Version: 2.9.6

brut.a.a.e: resource spec: 0x01010462 at brut.a.d.a.d.b(Unknown Source) at brut.a.d.a.g.a(Unknown Source) at brut.a.d.a.g.a(Unknown Source) at brut.a.d.a.a.q.c(Unknown Source) at brut.a.d.a.a.t.a(Unknown Source) at brut.a.d.a.a(Unknown Source) at brut.a.d.a.c(Unknown Source) at brut.a.a.b(Unknown Source) at brut.a.c.a(Unknown Source) at brut.apktool.Main.a(Unknown Source) at brut.apktool.Main.main(Unknown Source) at the.bytecode.club.bytecodeviewer.APKTool.decodeResources(APKTool.java:13) at the.bytecode.club.bytecodeviewer.BytecodeViewer$3.run(BytecodeViewer.java:626)

why? please help me. I have configured the python environment, but still error

/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python: can't open file '/disassemble.py': [Errno 2] No such file or directory

Exit Value is 2 Bytecode Viewer Version: 2.9.8

java.io.FileNotFoundException: /Users/roy/.Bytecode-Viewer/bcv_temp/qprmTwYSTEJsGWWgKJVPaelBsNntxVfe/com/miui/zeus/b/a/b$a$a.j (No such file or directory) at java.io.FileInputStream.open0(Native Method) at java.io.FileInputStream.open(FileInputStream.java:195) at java.io.FileInputStream.(FileInputStream.java:138) at java.io.FileReader.(FileReader.java:72) at me.konloch.kontainer.io.DiskReader.loadAsString(DiskReader.java:62) at the.bytecode.club.bytecodeviewer.decompilers.KrakatauDisassembler.decompileClassNode(KrakatauDisassembler.java:87) at the.bytecode.club.bytecodeviewer.gui.ClassViewer$15.doShit(ClassViewer.java:1306) at the.bytecode.club.bytecodeviewer.gui.PaneUpdaterThread.run(PaneUpdaterThread.java:16)

Bytecode Viewer Version: 2.9.8, Preview Copy: false, Fat Jar: false

java.lang.NullPointerException at the.bytecode.club.bytecodeviewer.BytecodeViewer$6.run(BytecodeViewer.java:868)

Bytecode Viewer Version: 2.9.8, Preview Copy: false, Fat Jar: false

brut.a.a.e: resource spec: 0x010104e2 at brut.a.b.a.d.b(Unknown Source) at c.c.a.a.b.d.a(Unknown Source) at c.c.a.a.b.d.a(Unknown Source) at brut.a.b.a.a.r.d(Unknown Source) at brut.a.b.a.a.r.a(Unknown Source) at brut.a.b.a.a.s.h(Unknown Source) at brut.a.b.a.a.u.a(Unknown Source) at brut.a.b.a.c(Unknown Source) at brut.a.a.b(Unknown Source) at brut.a.c.a(Unknown Source) at brut.apktool.Main.main(Unknown Source) at the.bytecode.club.bytecodeviewer.APKTool.decodeResources(APKTool.java:13) at the.bytecode.club.bytecodeviewer.BytecodeViewer$6.run(BytecodeViewer.java:864)

I try decompile apk file. Open any java class and try save without changes. Bytecodeviewer gives an error message - " package android.util does not exist". I try make import android.util; but still gives the same error. What i make wrong?

Hello I would like to know how can I edit or if I can edit the files/code from .jar file that I Imported inside the program? I want to edit messages from .jar file if it's okey... :D

Please send this error log to https://github.com/Konloch/bytecode-viewer/issues or Konloch at https://the.bytecode.club or [email protected] If you hold appropriate legal rights to the relevant class/jar/apk file please include that as well. Bytecode Viewer Version: 2.11.2 [Fat Jar], OS: Linux, Java: 11.0.16

java.lang.IllegalStateException: LabelNode index not found. (Label not in InsnList?) at the.bytecode.club.bytecodeviewer.decompilers.bytecode.InstructionPrinter.resolveLabel(InstructionPrinter.java:384) at the.bytecode.club.bytecodeviewer.decompilers.bytecode.MethodNodeDecompiler.decompile(MethodNodeDecompiler.java:156) at the.bytecode.club.bytecodeviewer.decompilers.bytecode.ClassNodeDecompiler.decompile(ClassNodeDecompiler.java:95) at the.bytecode.club.bytecodeviewer.decompilers.impl.BytecodeDisassembler.decompileClassNode(BytecodeDisassembler.java:35) at the.bytecode.club.bytecodeviewer.gui.util.BytecodeViewPanelUpdater.processDisplay(BytecodeViewPanelUpdater.java:108) at the.bytecode.club.bytecodeviewer.gui.util.BytecodeViewPanelUpdater.run(BytecodeViewPanelUpdater.java:159) at java.base/java.lang.Thread.run(Thread.java:829)

It worked fine initially for like 2-3 times but after that it always hangs on the step and while i waited for some time today, it threw Out of Memory exception.

Happened while using command line as well as on dragging the apk on UI.

System: MacOS Monterey 12.4; 8GB RAM

Bytecode Viewer 2.11.2 [Fat Jar] - Created by @Konloch https://bytecodeviewer.com - https://the.bytecode.club Warning: the fonts "Times" and "Lucida Bright" are not available for the Java logical font "Serif", which may have unexpected appearance or behavior. Re-enable the "Times" font to remove this warning. Extracting Krakatau Start up took 4 seconds Opening...myapk_apkcombo.com.apk

I: Using Apktool 2.6.1 on AqIMUKmjlbgmPUEySdIbuZbvBeABWF.apk I: Loading resource table... I: Decoding AndroidManifest.xml with resources... I: Loading resource table from file: /Users/myUser/.Bytecode-Viewer/bcv_temp/yOFBVttFREvW/1.apk I: Regular manifest package... I: Decoding file-resources... Successfully extracted Krakatau Extracting Enjarify I: Decoding values / XMLs... I: Baksmaling classes.dex... I: Baksmaling classes2.dex... Successfully extracted Enjarify I: Baksmaling classes3.dex... I: Baksmaling classes4.dex... I: Copying assets and libs... I: Copying unknown files... I: Copying original files... I: Copying META-INF/services directory Exception in thread "Import Resource" java.lang.OutOfMemoryError: GC overhead limit exceeded at java.util.HashMap.newNode(HashMap.java:1750) at java.util.HashMap.putVal(HashMap.java:642) at java.util.HashMap.put(HashMap.java:612) at java.util.HashSet.add(HashSet.java:220) at com.googlecode.dex2jar.ir.ts.UniqueQueue.add(UniqueQueue.java:31) at com.googlecode.dex2jar.ir.ts.UniqueQueue.addAll(UniqueQueue.java:21) at com.googlecode.dex2jar.ir.ts.UnSSATransformer$LiveA.markUsed(UnSSATransformer.java:401) at com.googlecode.dex2jar.ir.ts.UnSSATransformer$LiveA.analyzeValue(UnSSATransformer.java:374) at com.googlecode.dex2jar.ir.ts.an.BaseAnalyze.analyze(BaseAnalyze.java:57) at com.googlecode.dex2jar.ir.ts.UnSSATransformer.transform(UnSSATransformer.java:274) at com.googlecode.d2j.dex.Dex2jar$2.optimize(Dex2jar.java:132) at com.googlecode.d2j.dex.Dex2Asm.convertCode(Dex2Asm.java:598) at com.googlecode.d2j.dex.ExDex2Asm.convertCode(ExDex2Asm.java:24) at com.googlecode.d2j.dex.Dex2jar$2.convertCode(Dex2jar.java:91) at com.googlecode.d2j.dex.Dex2Asm.convertMethod(Dex2Asm.java:782) at com.googlecode.d2j.dex.Dex2Asm.convertClass(Dex2Asm.java:549) at com.googlecode.d2j.dex.Dex2Asm.convertClass(Dex2Asm.java:450) at com.googlecode.d2j.dex.Dex2Asm.convertDex(Dex2Asm.java:606) at com.googlecode.d2j.dex.Dex2jar.doTranslate(Dex2jar.java:146) at com.googlecode.d2j.dex.Dex2jar.to(Dex2jar.java:246) at the.bytecode.club.bytecodeviewer.util.Dex2Jar.dex2Jar(Dex2Jar.java:42) at the.bytecode.club.bytecodeviewer.resources.importing.impl.APKResourceImporter.open(APKResourceImporter.java:66) at the.bytecode.club.bytecodeviewer.resources.importing.ImportResource.importKnownFile(ImportResource.java:87) at the.bytecode.club.bytecodeviewer.resources.importing.ImportResource.run(ImportResource.java:59) at java.lang.Thread.run(Thread.java:748)

Security Vulnerability Fix

This pull request fixes a partial-path traversal vulnerability due to an insufficient path traversal guard.

Even if you deem, as the maintainer of this project, this is not necessarily fixing a security vulnerability, it is still a valid security hardening.

Preamble

Impact

This issue allows a malicious actor to potentially break out of the expected directory. The impact is limited to sibling directories. For example, userControlled.getCanonicalPath().startsWith("/usr/out") will allow an attacker to access a directory with a name like /usr/outnot.

Why?

To demonstrate this vulnerability, consider "/usr/outnot".startsWith("/usr/out"). The check is bypassed although /outnot is not under the /out directory. It's important to understand that the terminating slash may be removed when using various String representations of the File object. For example, on Linux, println(new File("/var")) will print /var, but println(new File("/var", "/") will print /var/; however, println(new File("/var", "/").getCanonicalPath()) will print /var.

The Fix

Comparing paths with the java.nio.files.Path#startsWith will adequately protect againts this vulnerability.

For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())

Other Examples

• CVE-2022-31159 - aws/aws-sdk-java
• CVE-2022-23457 - ESAPI/esapi-java-legacy

:arrow_right: Vulnerability Disclosure :arrow_left:

:wave: Vulnerability disclosure is a super important part of the vulnerability handling process and should not be skipped! This may be completely new to you, and that's okay, I'm here to assist!

First question, do we need to perform vulnerability disclosure? It depends!

1. Is the vulnerable code only in tests or example code? No disclosure required!
2. Is the vulnerable code in code shipped to your end users? Vulnerability disclosure is probably required!

For partial path traversal, consider if user-supplied input could ever flow to this logic. If user supplied input could reach this conditional, it's insufficient and, as such, most likely a vulnerability.

Vulnerability Disclosure How-To

You have a few options options to perform vulnerability disclosure. However, I'd like to suggest the following 2 options:

1. Request a CVE number from GitHub by creating a repository-level GitHub Security Advisory. This has the advantage that, if you provide sufficient information, GitHub will automatically generate Dependabot alerts for your downstream consumers, resolving this vulnerability more quickly.
2. Reach out to the team at Snyk to assist with CVE issuance. They can be reached at the Snyk's Disclosure Email. Note: Please include JLLeitschuh Disclosure in the subject of your email so it is not missed.

Detecting this and Future Vulnerabilities

You can automatically detect future vulnerabilities like this by enabling the free (for open-source) GitHub Action.

I'm not an employee of GitHub, I'm simply an open-source security researcher.

Source

This contribution was automatically generated with an OpenRewrite refactoring recipe, which was lovingly hand crafted to bring this security fix to your repository.

The source code that generated this PR can be found here: PartialPathTraversalVulnerability

Why didn't you disclose privately (ie. coordinated disclosure)?

This PR was automatically generated, in-bulk, and sent to this project as well as many others, all at the same time.

This is technically what is called a "Full Disclosure" in vulnerability disclosure, and I agree it's less than ideal. If GitHub offered a way to create private pull requests to submit pull requests, I'd leverage it, but that infrastructure, sadly, doesn't exist yet.

The problem is that as an open source software security researcher, I (exactly like open source maintainers), I only have so much time in a day. I'm able to find vulnerabilities impacting hundreds, or sometimes thousands of open source projects with tools like GitHub Code Search and CodeQL. The problem is that my knowledge of vulnerabilities doesn't scale very well.

Individualized vulnerability disclosure takes time and care. It's a long and tedious process, and I have a significant amount of experience with it (I have over 50 CVEs to my name). Even tracking down the reporting channel (email, Jira, ect..) can take time and isn't automatable. Unfortunately, when facing prblems of this scale, individual reporting doesn't work well either.

Additionally, if I just spam out emails or issues, I'll just overwhelm already over taxed maintainers, I don't want to do this either.

By creating a pull request, I am aiming to provide maintainers something highly actionable to actually fix the identified vulnerability; a pull request.

There's a larger discussion on this topic that can be found here: https://github.com/JLLeitschuh/security-research/discussions/12

Opting-Out

If you'd like to opt-out of future automated security vulnerability fixes like this, please consider adding a file called .github/GH-ROBOTS.txt to your repository with the line:

User-agent: JLLeitschuh/security-research
Disallow: *

This bot will respect the ROBOTS.txt format for future contributions.

Alternatively, if this project is no longer actively maintained, consider archiving the repository.

CLA Requirements

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

It is unlikely that I'll be able to directly sign CLAs. However, all contributed commits are already automatically signed-off.

The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

- Git Commit Signoff documentation

If signing your organization's CLA is a strict-requirement for merging this contribution, please feel free to close this PR.

Sponsorship & Support

This contribution is sponsored by HUMAN Security Inc. and the new Dan Kaminsky Fellowship, a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.

This PR was generated by Moderne, a free-for-open source SaaS offering that uses format-preserving AST transformations to fix bugs, standardize code style, apply best practices, migrate library versions, and fix common security vulnerabilities at scale.

Tracking

All PR's generated as part of this fix are tracked here: https://github.com/JLLeitschuh/security-research/issues/13

Security Vulnerability Fix

This pull request fixes a Zip Slip vulnerability either due to an insufficient, or missing guard when unzipping zip files.

Even if you deem, as the maintainer of this project, this is not necessarily fixing a security vulnerability, it is still, most likely, a valid security hardening.

Preamble

Impact

This issue allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an attacker to achieve remote code execution on a target system by exploiting this vulnerability.

Why?

The best description of Zip-Slip can be found in the white paper published by Snyk: Zip Slip Vulnerability

But I had a guard in place, why wasn't it sufficient?

If the changes you see are a change to the guard, not the addition of a new guard, this is probably because this code contains a Zip-Slip vulnerability due to a partial path traversal vulnerability.

To demonstrate this vulnerability, consider "/usr/outnot".startsWith("/usr/out"). The check is bypassed although /outnot is not under the /out directory. It's important to understand that the terminating slash may be removed when using various String representations of the File object. For example, on Linux, println(new File("/var")) will print /var, but println(new File("/var", "/") will print /var/; however, println(new File("/var", "/").getCanonicalPath()) will print /var.

The Fix

Implementing a guard comparing paths with the method java.nio.files.Path#startsWith will adequately protect against this vulnerability.

For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())

Other Examples

• CVE-2018-1002201 - zeroturnaround/zt-zip
• CVE-2018-1002202 - srikanth-lingala/zip4j
• CVE-2018-8009 - apache/hadoop

:arrow_right: Vulnerability Disclosure :arrow_left:

:wave: Vulnerability disclosure is a super important part of the vulnerability handling process and should not be skipped! This may be completely new to you, and that's okay, I'm here to assist!

First question, do we need to perform vulnerability disclosure? It depends!

1. Is the vulnerable code only in tests or example code? No disclosure required!
2. Is the vulnerable code in code shipped to your end users? Vulnerability disclosure is probably required!

For partial path traversal, consider if user-supplied input could ever flow to this logic. If user-supplied input could reach this conditional, it's insufficient and, as such, most likely a vulnerability.

Vulnerability Disclosure How-To

You have a few options options to perform vulnerability disclosure. However, I'd like to suggest the following 2 options:

1. Request a CVE number from GitHub by creating a repository-level GitHub Security Advisory. This has the advantage that, if you provide sufficient information, GitHub will automatically generate Dependabot alerts for your downstream consumers, resolving this vulnerability more quickly.
2. Reach out to the team at Snyk to assist with CVE issuance. They can be reached at the Snyk's Disclosure Email. Note: Please include JLLeitschuh Disclosure in the subject of your email so it is not missed.

Detecting this and Future Vulnerabilities

You can automatically detect future vulnerabilities like this by enabling the free (for open-source) GitHub Action.

I'm not an employee of GitHub, I'm simply an open-source security researcher.

Source

This contribution was automatically generated with an OpenRewrite refactoring recipe, which was lovingly handcrafted to bring this security fix to your repository.

The source code that generated this PR can be found here: Zip Slip

Why didn't you disclose privately (ie. coordinated disclosure)?

This PR was automatically generated, in-bulk, and sent to this project as well as many others, all at the same time.

This is technically what is called a "Full Disclosure" in vulnerability disclosure, and I agree it's less than ideal. If GitHub offered a way to create private pull requests to submit pull requests, I'd leverage it, but that infrastructure, sadly, doesn't exist yet.

The problem is that, as an open source software security researcher, I (exactly like open source maintainers), I only have so much time in a day. I'm able to find vulnerabilities impacting hundreds, or sometimes thousands of open source projects with tools like GitHub Code Search and CodeQL. The problem is that my knowledge of vulnerabilities doesn't scale very well.

Individualized vulnerability disclosure takes time and care. It's a long and tedious process, and I have a significant amount of experience with it (I have over 50 CVEs to my name). Even tracking down the reporting channel (email, Jira, etc..) can take time and isn't automatable. Unfortunately, when facing problems of this scale, individual reporting doesn't work well either.

Additionally, if I just spam out emails or issues, I'll just overwhelm already over-taxed maintainers, I don't want to do this either.

By creating a pull request, I am aiming to provide maintainers something highly actionable to actually fix the identified vulnerability; a pull request.

There's a larger discussion on this topic that can be found here: https://github.com/JLLeitschuh/security-research/discussions/12

Opting Out

If you'd like to opt out of future automated security vulnerability fixes like this, please consider adding a file called .github/GH-ROBOTS.txt to your repository with the line:

User-agent: JLLeitschuh/security-research
Disallow: *

This bot will respect the ROBOTS.txt format for future contributions.

Alternatively, if this project is no longer actively maintained, consider archiving the repository.

CLA Requirements

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

It is unlikely that I'll be able to directly sign CLAs. However, all contributed commits are already automatically signed off.

The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

- Git Commit Signoff documentation

If signing your organization's CLA is a strict-requirement for merging this contribution, please feel free to close this PR.

Sponsorship & Support

This contribution is sponsored by HUMAN Security Inc. and the new Dan Kaminsky Fellowship, a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.

This PR was generated by Moderne, a free-for-open source SaaS offering that uses format-preserving AST transformations to fix bugs, standardize code style, apply best practices, migrate library versions, and fix common security vulnerabilities at scale.

Tracking

All PR's generated as part of this fix are tracked here: https://github.com/JLLeitschuh/security-research/issues/16