Change order of ensureSafeEntry to satisfy CodeQL (#618)

jonesbusy · web-flow · commit f751374df9b9 · 2026-03-04T15:01:32.000+01:00
Signed-off-by: Valentin Delaye &lt;jonesbusy@users.noreply.github.com&gt;
diff --git a/src/main/java/land/oras/utils/ArchiveUtils.java b/src/main/java/land/oras/utils/ArchiveUtils.java
@@ -352,12 +352,12 @@ static void unzip(InputStream fis, Path target) {
                 // Iterate through zip entries
                 while ((entry = zais.getNextEntry()) != null) {
 
-                    // Prevent path traversal attacks
-                    Path outputPath = target.resolve(entry.getName()).normalize();
-
                     // Check if the entry is outside the target directory
                     ensureSafeEntry(entry, target);
 
+                    // Prevent path traversal attacks
+                    Path outputPath = target.resolve(entry.getName()).normalize();
+
                     if (entry.isDirectory()) {
                         LOG.debug("Extracting directory: {}", entry.getName());
                         Files.createDirectories(outputPath);
@@ -403,12 +403,12 @@ public static void untar(InputStream fis, Path target) {
                 // Iterate through tar entries
                 while ((entry = tais.getNextEntry()) != null) {
 
-                    // Prevent path traversal attacks
-                    Path outputPath = target.resolve(entry.getName()).normalize();
-
                     // Check if the entry is outside the target directory
                     ensureSafeEntry(entry, target);
 
+                    // Prevent path traversal attacks
+                    Path outputPath = target.resolve(entry.getName()).normalize();
+
                     LOG.trace("Extracting entry: {}", entry.getName());
 
                     if (entry.isDirectory()) {
