Fix Fortify security scanning (#1066)

* Fix Fortify security scanning
* Arbitrary file access during archive extraction ("Zip Slip")
Issue: 207277

* Remove GX Jar ClassLoader that has security issues and is not used.

Author: iroqueta

android/src/main/java/com/genexus/db/Namespace.java

@@ -16,9 +16,6 @@ public class Namespace extends AbstractNamespace
 	public static final int GXDB_CLIENT = 0;
 	public static final int GXDB_SERVER = 1;
 	private static Hashtable namespaceList = new Hashtable();
-
-	private GXJarClassLoader classLoader;
-
 	private Hashtable dataSources = new Hashtable();
 	private String 	name;
 
@@ -233,27 +230,6 @@ public static Namespace getNamespace(String name)
 
 	public void reset()
 	{
-		if	(classLoader != null)
-		{
-            classLoader = null;
-/*			try
-			{
-				classLoader.resetClassLoader();
-			}
-			catch (java.io.IOException e)
-			{
-				System.err.println("Error resetting namespace classloader " + e.getMessage());
-			}
-*/
-		}
-	}
-
-	public synchronized GXJarClassLoader getClassLoader()
-	{
-        if(classLoader == null)
-            classLoader = new GXJarClassLoader(classesArchive, autoReload);
-        else classLoader = classLoader.getClassLoaderInstance();
-        return classLoader;
 	}
 
 	public int getDataSourceCount()

common/src/main/java/com/genexus/GXJarClassLoader.java

@@ -588,6 +588,9 @@ private static void decompressZip(File archive, String directory) throws IOExcep
 			ZipEntry zipEntry;
 			while ((zipEntry = zis.getNextEntry()) != null) {
 				File newFile = new File(directory, zipEntry.getName());
+				if (HasZipSlipVulnerability(newFile, directory)) {
+					throw new IOException("Bad tar entry: " + zipEntry.getName());
+				}
 				if (zipEntry.isDirectory()) {
 					if (!newFile.isDirectory() && !newFile.mkdirs()) {
 						throw new IOException("Failed to create directory " + newFile);
@@ -614,6 +617,9 @@ private static void decompress7z(File archive, String directory) throws IOExcept
 			SevenZArchiveEntry entry;
 			while ((entry = sevenZFile.getNextEntry()) != null) {
 				File newFile = new File(directory, entry.getName());
+				if (HasZipSlipVulnerability(newFile, directory)) {
+					throw new IOException("Bad tar entry: " + entry.getName());
+				}
 				if (entry.isDirectory()) {
 					if (!newFile.isDirectory() && !newFile.mkdirs()) {
 						throw new IOException("Failed to create directory " + newFile);
@@ -640,6 +646,9 @@ private static void decompressTar(File archive, String directory) throws IOExcep
 			TarArchiveEntry entry;
 			while ((entry = tis.getNextEntry()) != null) {
 				File newFile = new File(directory, entry.getName());
+				if (HasZipSlipVulnerability(newFile, directory)) {
+					throw new IOException("Bad tar entry: " + entry.getName());
+				}
 				if (entry.isDirectory()) {
 					if (!newFile.isDirectory() && !newFile.mkdirs()) {
 						throw new IOException("Failed to create directory " + newFile);
@@ -787,4 +796,12 @@ private static void decompressJar(File archive, String directory) throws IOExcep
 			}
 		}
 	}
+
+	// Check for Zip Slip vulnerability: ensure extracted file remains within target directory
+	// Use Path.normalize() and Path.startsWith()
+	private static boolean HasZipSlipVulnerability(File file, String directory) {
+		java.nio.file.Path destDirPath = new File(directory).toPath().toAbsolutePath().normalize();
+		java.nio.file.Path newFilePath = file.toPath().toAbsolutePath().normalize();
+		return !newFilePath.startsWith(destDirPath);
+	}
 }

gxcompress/src/main/java/com/genexus/compression/GXCompressor.java

@@ -18,8 +18,6 @@ public class Namespace extends AbstractNamespace
 	public static final int GXDB_SERVER = 1;
 	private static ConcurrentHashMap<String, String> namespaceListCheck = new ConcurrentHashMap<String, String>();
 	private static ConcurrentHashMap<String, Namespace> namespaceList = new ConcurrentHashMap<String, Namespace>();
-
-	private GXJarClassLoader classLoader;
 	private ConcurrentHashMap<String, DataSource> dataSources = new ConcurrentHashMap<String, DataSource>();
 
 	private String 	name;
@@ -257,19 +255,6 @@ public static Namespace getNamespace(String name)
 
 	public void reset()
 	{
-		if	(classLoader != null)
-		{
-            classLoader = null;
-/*			try
-			{
-				classLoader.resetClassLoader();
-			}
-			catch (java.io.IOException e)
-			{
-				System.err.println("Error resetting namespace classloader " + e.getMessage());
-			}
-*/
-		}
 		for (Enumeration<UserInformation> en = DBConnectionManager.getInstance().getServerConnections(); en.hasMoreElements();)
 		{
 			ServerUserInformation user = (ServerUserInformation) en.nextElement();
@@ -280,14 +265,6 @@ public void reset()
 		}
 	}
 
-	public synchronized GXJarClassLoader getClassLoader()
-	{
-        if(classLoader == null)
-            classLoader = new GXJarClassLoader(classesArchive, autoReload);
-        else classLoader = classLoader.getClassLoaderInstance();
-        return classLoader;
-	}
-
 	public int getDataSourceCount()
 	{
 		return dataSources.size();