Fix spotbugs-security warnings

junixsocket-common/src/main/java/org/newsclub/net/unix/AFServerSocket.java

@@ -44,6 +44,7 @@
  * @author Christian Kohlschütter
  */
 @SuppressWarnings({"PMD.CyclomaticComplexity", "PMD.CouplingBetweenObjects"})
+@SuppressFBWarnings("UNENCRYPTED_SERVER_SOCKET")
 public abstract class AFServerSocket<A extends AFSocketAddress> extends ServerSocket implements
     AFSomeSocketThing {
   private final AFSocketImpl<A> implementation;

junixsocket-common/src/main/java/org/newsclub/net/unix/AFSocket.java

@@ -68,7 +68,7 @@ public abstract class AFSocket<A extends AFSocketAddress> extends Socket impleme
    * @param afh The conversion helper to get a socket address from an encoded hostname.
    * @throws SocketException on error.
    */
-  @SuppressFBWarnings("CT_CONSTRUCTOR_THROW")
+  @SuppressFBWarnings({"CT_CONSTRUCTOR_THROW", "UNENCRYPTED_SOCKET"})
   protected AFSocket(final AFSocketImpl<A> impl, AFSocketAddressFromHostname<A> afh)
       throws SocketException {
     super(impl);

junixsocket-common/src/main/java/org/newsclub/net/unix/AFSocketAddress.java

@@ -194,6 +194,7 @@ private static void initAFSocketAddress(AFSocketAddress addr, int port,
    * @return The new instance.
    * @throws SocketException on error.
    */
+  @SuppressFBWarnings("OBJECT_DESERIALIZATION") // we craft the serialized data
   protected static <A extends AFSocketAddress> A newDeserializedAFSocketAddress(int port,
       final byte[] socketAddress, Lease<ByteBuffer> nativeAddress, AFAddressFamily<A> af,
       AFSocketAddressConstructor<A> constructor) throws SocketException {

junixsocket-common/src/main/java/org/newsclub/net/unix/AFSocketFactory.java

@@ -26,6 +26,8 @@
 
 import javax.net.SocketFactory;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
+
 /**
  * The base for a SocketFactory that connects to UNIX sockets.
  *
@@ -35,6 +37,7 @@
  * @see AFUNIXSocketFactory
  * @param <A> The supported address type.
  */
+@SuppressFBWarnings("UNENCRYPTED_SOCKET")
 public abstract class AFSocketFactory<A extends AFSocketAddress> extends SocketFactory implements
     AFSocketAddressFromHostname<A> {
 
@@ -77,6 +80,7 @@ protected final boolean isInetAddressSupported(InetAddress address) {
   protected abstract Socket connectTo(A addr) throws IOException;
 
   @SuppressWarnings("unchecked")
+  @SuppressFBWarnings("UNENCRYPTED_SOCKET")
   private Socket connectTo(SocketAddress addr) throws IOException {
     if (AFSocketAddress.canMap(addr, socketAddressClass)) {
       return connectTo((A) AFSocketAddress.mapOrFail(addr, socketAddressClass));

junixsocket-common/src/main/java/org/newsclub/net/unix/AFTIPCSocketAddress.java

@@ -39,6 +39,8 @@
 import org.eclipse.jdt.annotation.NonNullByDefault;
 import org.newsclub.net.unix.pool.ObjectPool.Lease;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
+
 /**
  * An {@link AFSocketAddress} for TIPC sockets.
  *
@@ -110,6 +112,7 @@
  *
  * @author Christian Kohlschütter (documentation credits to Jon Maloy and the TIPC team).
  */
+@SuppressFBWarnings("REDOS")
 public final class AFTIPCSocketAddress extends AFSocketAddress {
   private static final long serialVersionUID = 1L; // do not change!
 

junixsocket-common/src/main/java/org/newsclub/net/unix/AFUNIXSocketAddress.java

@@ -39,6 +39,8 @@
 import org.eclipse.jdt.annotation.NonNull;
 import org.newsclub.net.unix.pool.ObjectPool.Lease;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
+
 /**
  * Describes an {@link InetSocketAddress} that actually uses AF_UNIX sockets instead of AF_INET.
  *
@@ -48,6 +50,7 @@
  * @author Christian Kohlschütter
  */
 @SuppressWarnings("PMD.ShortMethodName")
+@SuppressFBWarnings("PATH_TRAVERSAL_IN")
 public final class AFUNIXSocketAddress extends AFSocketAddress {
   private static final long serialVersionUID = 1L; // do not change!
 

junixsocket-common/src/main/java/org/newsclub/net/unix/AFUNIXSocketFactory.java

@@ -26,6 +26,8 @@
 
 import javax.net.SocketFactory;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
+
 /**
  * The base for a SocketFactory that connects to UNIX sockets.
  *
@@ -59,6 +61,7 @@ protected AFUNIXSocket connectTo(AFUNIXSocketAddress addr) throws IOException {
    * system property "org.newsclub.net.unix.socket.hostname"), forwarding all other
    * requests to the fallback {@link SocketFactory}.
    */
+  @SuppressFBWarnings("PATH_TRAVERSAL_IN")
   private abstract static class DefaultSocketHostnameSocketFactory extends AFUNIXSocketFactory {
     private static final String PROP_SOCKET_HOSTNAME = "org.newsclub.net.unix.socket.hostname";
 
@@ -89,6 +92,7 @@ private static String getDefaultSocketHostname() {
    * This is particularly useful for JDBC drivers that take a "socketFactory" and a
    * "socketFactoryArg". The latter will be passed as a constructor argument.
    */
+  @SuppressFBWarnings("PATH_TRAVERSAL_IN")
   public static final class FactoryArg extends DefaultSocketHostnameSocketFactory {
     private final File socketFile;
 
@@ -133,6 +137,7 @@ public AFUNIXSocketAddress addressFromHost(String host, int port) throws SocketE
    * NOTE: While it is technically possible, it is highly discouraged to programmatically change the
    * value of the property as it can lead to concurrency issues and undefined behavior.
    */
+  @SuppressFBWarnings("PATH_TRAVERSAL_IN")
   public static final class SystemProperty extends DefaultSocketHostnameSocketFactory {
     private static final String PROP_SOCKET_DEFAULT = "org.newsclub.net.unix.socket.default";
 
@@ -167,6 +172,7 @@ public AFUNIXSocketAddress addressFromHost(String host, int port) throws SocketE
    * encoded and without the closing bracket. Since this is an invalid hostname, it will not trigger
    * a DNS lookup, but can still be used within a JDBC Connection URL.
    */
+  @SuppressFBWarnings("PATH_TRAVERSAL_IN")
   public static final class URIScheme extends AFUNIXSocketFactory {
     private static final String FILE_SCHEME_PREFIX = "file://";
     private static final String FILE_SCHEME_PREFIX_ENCODED = "file%";

junixsocket-common/src/main/java/org/newsclub/net/unix/AFVSOCKSocketAddress.java

@@ -35,11 +35,14 @@
 
 import org.newsclub.net.unix.pool.ObjectPool.Lease;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
+
 /**
  * An {@link AFSocketAddress} for VSOCK sockets.
  *
  * @author Christian Kohlschütter
  */
+@SuppressFBWarnings("REDOS")
 public final class AFVSOCKSocketAddress extends AFSocketAddress {
   private static final long serialVersionUID = 1L; // do not change!
 

junixsocket-common/src/main/java/org/newsclub/net/unix/HostAndPort.java

@@ -26,11 +26,14 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
+
 /**
  * Hostname and port.
  *
  * @author Christian Kohlschütter
  */
+@SuppressFBWarnings("REDOS")
 public final class HostAndPort {
   private static final Pattern PAT_HOST_AND_PORT = Pattern.compile(
       "^//((?<userinfo>[^/\\@]*)\\@)?(?<host>[^/\\:]+)(?:\\:(?<port>[0-9]+))?");

junixsocket-common/src/main/java/org/newsclub/net/unix/NativeLibraryLoader.java

@@ -35,7 +35,7 @@
 
 import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
 
-@SuppressFBWarnings("RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE")
+@SuppressFBWarnings({"RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE", "PATH_TRAVERSAL_IN"})
 final class NativeLibraryLoader implements Closeable {
   private static final String PROP_LIBRARY_DISABLE = "org.newsclub.net.unix.library.disable";
   private static final String PROP_LIBRARY_OVERRIDE = "org.newsclub.net.unix.library.override";
@@ -210,6 +210,7 @@ private void deleteLibTmpDelFiles(File libDir) {
 
     @Override
     @SuppressWarnings("PMD.CognitiveComplexity")
+    @SuppressFBWarnings("URLCONNECTION_SSRF_FD")
     synchronized String load() throws IOException, LinkageError {
       if (libraryNameAndVersion == null) {
         return null;

junixsocket-common/src/main/java/org/newsclub/net/unix/RAFChannelProvider.java

@@ -25,11 +25,14 @@
 import java.util.UUID;
 import java.util.concurrent.atomic.AtomicBoolean;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
+
 /**
  * Hack to get a readable AND writable {@link FileChannel} for a {@link FileDescriptor}.
  *
  * @author Christian Kohlschütter
  */
+@SuppressFBWarnings("PATH_TRAVERSAL_IN")
 final class RAFChannelProvider extends RandomAccessFile implements FileDescriptorAccess {
   private static final File DEV_NULL = new File("/dev/null");
 

junixsocket-common/src/main/java/org/newsclub/net/unix/SocketAddressUtil.java

@@ -23,12 +23,15 @@
 
 import org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
+
 /**
  * {@link SocketAddress}-related helper methods.
  *
  * @author Christian Kohlschütter
  */
 @IgnoreJRERequirement // see src/main/java15
+@SuppressFBWarnings("PATH_TRAVERSAL_IN")
 final class SocketAddressUtil {
   private SocketAddressUtil() {
     throw new IllegalStateException("No instances");

junixsocket-common/src/test/java/org/newsclub/net/unix/AFUNIXSocketAddressTest.java

@@ -38,7 +38,7 @@
 import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
 import com.kohlschutter.testutil.AssertUtil;
 
-@SuppressFBWarnings("DMI_HARDCODED_ABSOLUTE_FILENAME")
+@SuppressFBWarnings({"DMI_HARDCODED_ABSOLUTE_FILENAME", "OBJECT_DESERIALIZATION"})
 public class AFUNIXSocketAddressTest {
 
   @Test

junixsocket-common/src/test/java/org/newsclub/net/unix/SocketChannelTest.java

@@ -45,10 +45,12 @@
 
 import org.junit.jupiter.api.Test;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
 import com.kohlschutter.testutil.TestAbortedWithImportantMessageException;
 import com.kohlschutter.testutil.TestAbortedWithImportantMessageException.MessageType;
 import com.kohlschutter.testutil.TestAsyncUtil;
 
+@SuppressFBWarnings("PATH_TRAVERSAL_IN")
 public abstract class SocketChannelTest<A extends SocketAddress> extends SocketTestBase<A> {
   protected SocketChannelTest(AddressSpecifics<A> asp) {
     super(asp);

junixsocket-common/src/test/java/org/newsclub/net/unix/SocketTestBase.java

@@ -65,7 +65,8 @@
  */
 @SuppressWarnings({"PMD.AbstractClassWithoutAbstractMethod", "PMD.CouplingBetweenObjects"})
 @SuppressFBWarnings({
-    "THROWS_METHOD_THROWS_CLAUSE_THROWABLE", "THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION"})
+    "THROWS_METHOD_THROWS_CLAUSE_THROWABLE", "THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION",
+    "PREDICTABLE_RANDOM"})
 public abstract class SocketTestBase<A extends SocketAddress> { // NOTE: needs to be public for
                                                                 // junit
 

junixsocket-common/src/test/java/org/newsclub/net/unix/java/JavaAddressSpecifics.java

@@ -35,6 +35,9 @@
 import org.newsclub.net.unix.CloseablePair;
 import org.opentest4j.TestAbortedException;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
+
+@SuppressFBWarnings({"UNENCRYPTED_SERVER_SOCKET", "UNENCRYPTED_SOCKET"})
 public final class JavaAddressSpecifics implements AddressSpecifics<InetSocketAddress> {
   public static final AddressSpecifics<InetSocketAddress> INSTANCE = new JavaAddressSpecifics();
 

junixsocket-common/src/test/java/org/newsclub/net/unix/jep380/SocketChannelTest.java

@@ -33,7 +33,7 @@
 @AFSocketCapabilityRequirement(AFSocketCapability.CAPABILITY_UNIX_DOMAIN)
 @AvailabilityRequirement(classes = "java.net.UnixDomainSocketAddress", //
     message = "This test requires Java 16 or later")
-@SuppressFBWarnings("NM_SAME_SIMPLE_NAME_AS_SUPERCLASS")
+@SuppressFBWarnings({"NM_SAME_SIMPLE_NAME_AS_SUPERCLASS", "PATH_TRAVERSAL_IN"})
 public final class SocketChannelTest extends
     org.newsclub.net.unix.SocketChannelTest<SocketAddress> {
 

junixsocket-darwin/src/test/java/org/newsclub/net/unix/darwin/system/UtunTest.java

@@ -42,6 +42,7 @@
 import org.newsclub.net.unix.AFSocketCapability;
 import org.newsclub.net.unix.AFSocketCapabilityRequirement;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
 import com.kohlschutter.testutil.ExecutionEnvironmentRequirement;
 import com.kohlschutter.testutil.ExecutionEnvironmentRequirement.Rule;
 
@@ -54,6 +55,7 @@
  * @author Christian Kohlschütter
  */
 @SuppressWarnings("PMD.AvoidUsingHardCodedIP")
+@SuppressFBWarnings("COMMAND_INJECTION")
 public class UtunTest {
   private static final Inet4Address UTUN_SRC_IP;
   private static final Inet4Address UTUN_DST_IP;

junixsocket-demo/src/main/java/org/newsclub/net/unix/demo/DemoHelper.java

@@ -32,10 +32,12 @@
 import org.newsclub.net.unix.AFUNIXSocketAddress;
 
 import com.kohlschutter.annotations.compiletime.ExcludeFromCodeCoverageGeneratedReport;
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
 
 /**
  * Just a helper class to simplify controlling the demo from the command line.
  */
+@SuppressFBWarnings({"UNENCRYPTED_SOCKET", "PATH_TRAVERSAL_IN"})
 public final class DemoHelper {
   @ExcludeFromCodeCoverageGeneratedReport(reason = "unreachable")
   private DemoHelper() {
@@ -194,6 +196,7 @@ public static Socket connectSocket(SocketAddress socketAddress) throws IOExcepti
     }
   }
 
+  @SuppressFBWarnings("PATH_TRAVERSAL_IN")
   public static SocketAddress parseAddress(String[] args, SocketAddress defaultAddress)
       throws IOException {
     if (args.length == 0) {
@@ -205,6 +208,7 @@ public static SocketAddress parseAddress(String[] args, SocketAddress defaultAdd
     }
   }
 
+  @SuppressFBWarnings("PATH_TRAVERSAL_IN")
   public static SocketAddress parseAddress(String opt, String val, SocketAddress defaultAddress)
       throws IOException {
     if (opt == null || val == null) {

junixsocket-demo/src/main/java/org/newsclub/net/unix/demo/client/DemoClient.java

@@ -23,11 +23,14 @@
 import org.newsclub.net.unix.AFSocket;
 import org.newsclub.net.unix.demo.DemoHelper;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
+
 /**
  * A demo program to configure and run several {@link AFSocket} client demos from the command line.
  *
  * @author Christian Kohlschütter
  */
+@SuppressFBWarnings("PATH_TRAVERSAL_IN")
 public final class DemoClient {
   public static void main(String[] args) throws IOException, InterruptedException {
     final DemoClientBase demoClient;

junixsocket-demo/src/main/java/org/newsclub/net/unix/demo/client/DemoClientBase.java

@@ -24,6 +24,8 @@
 import org.newsclub.net.unix.AFSocketAddress;
 import org.newsclub.net.unix.AFUNIXSocket;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
+
 /**
  * An {@link AFUNIXSocket} client that's just good for demo purposes.
  *
@@ -38,6 +40,7 @@ public void close() throws IOException {
     }
   }
 
+  @SuppressFBWarnings("UNENCRYPTED_SOCKET")
   public void connect(SocketAddress endpoint) throws IOException {
     System.out.println("Connect " + this + " to " + endpoint);
     if (endpoint instanceof AFSocketAddress) {

junixsocket-demo/src/main/java/org/newsclub/net/unix/demo/nanohttpd/NanoHttpdServerDemo.java

@@ -28,6 +28,8 @@
 import org.newsclub.net.unix.demo.DemoHelper;
 import org.newsclub.net.unix.demo.okhttp.OkHttpClientDemo;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
+
 import fi.iki.elonen.NanoHTTPD;
 
 /**
@@ -38,6 +40,7 @@
  * @author Christian Kohlschütter
  * @see OkHttpClientDemo
  */
+@SuppressFBWarnings("UNENCRYPTED_SERVER_SOCKET")
 public final class NanoHttpdServerDemo extends NanoHTTPD {
 
   public NanoHttpdServerDemo(SocketAddress socketAddress) throws IOException {
@@ -62,6 +65,7 @@ public ServerSocket create() throws IOException {
     }
   }
 
+  @SuppressFBWarnings("PATH_TRAVERSAL_IN")
   public static void main(String[] args) throws IOException {
     SocketAddress addr = DemoHelper.parseAddress(args, //
         AFUNIXSocketAddress.of(new File("/tmp/junixsocket-http-server.sock")));

junixsocket-demo/src/main/java/org/newsclub/net/unix/demo/netty/EchoServer.java

@@ -25,6 +25,8 @@
 import org.newsclub.net.unix.AFUNIXSelectorProvider;
 import org.newsclub.net.unix.AFUNIXSocketAddress;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
+
 import io.netty.bootstrap.ServerBootstrap;
 import io.netty.channel.ChannelFuture;
 import io.netty.channel.ChannelInitializer;
@@ -41,6 +43,7 @@
  * guide for 4.x</a>
  */
 @SuppressWarnings("FutureReturnValueIgnored" /* errorprone */)
+@SuppressFBWarnings("PATH_TRAVERSAL_IN")
 public class EchoServer {
   private final AFSocketAddress addr;
 
@@ -81,6 +84,7 @@ public void initChannel(SocketChannel ch) throws Exception {
     }
   }
 
+  @SuppressFBWarnings("PATH_TRAVERSAL_IN")
   public static void main(String[] args) throws Exception {
     File path = new File("/tmp/nettyecho");
     if (args.length > 0) {

junixsocket-demo/src/main/java/org/newsclub/net/unix/demo/okhttp/OkHttpClientDemo.java

@@ -28,6 +28,7 @@
 import org.newsclub.net.unix.demo.DemoHelper;
 import org.newsclub.net.unix.demo.nanohttpd.NanoHttpdServerDemo;
 
+import com.kohlschutter.annotations.compiletime.SuppressFBWarnings;
 import com.kohlschutter.util.IOUtil;
 
 import okhttp3.OkHttpClient;
@@ -45,6 +46,7 @@
  * @see NanoHttpdServerDemo
  */
 public class OkHttpClientDemo {
+  @SuppressFBWarnings("PATH_TRAVERSAL_IN")
   public static void main(String[] args) throws IOException {
     SocketAddress addr = DemoHelper.parseAddress(args, //
         AFUNIXSocketAddress.of(new File("/tmp/junixsocket-http-server.sock")));