1535 Commits

Author SHA1 Message Date
Evgenii Kliuchnikov
4e6d8fbfa3 Retain source data for prepared dictionary.
Unlike pure-java prepared dictionary, in native prepared dictionaries source data is not copied, but referenced.

Likely because of copy-paste, `raw_data` field was not populated.

PiperOrigin-RevId: 944339020
2026-07-08 01:14:10 -07:00
Copybara-Service
362f43adef Merge pull request #1502 from eustas:zizmor
PiperOrigin-RevId: 943118404
2026-07-06 01:24:25 -07:00
Evgenii Kliuchnikov
73ffe712a4 Add zizmor audit
And fix findings.
Drive-by: fix windows build
2026-07-03 15:14:08 +00:00
Copybara-Service
27cc9fe9a4 Merge pull request #1500 from google:dependabot/github_actions/everything-0a43ab5142
PiperOrigin-RevId: 942121953
2026-07-03 06:51:37 -07:00
dependabot[bot]
2e0b1dc6e1 Bump the everything group across 1 directory with 7 updates
Bumps the everything group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `7.0.0` |
| [actions/setup-python](https://github.com/actions/setup-python) | `6.2.0` | `6.3.0` |
| [github/codeql-action/init](https://github.com/github/codeql-action) | `4.36.0` | `4.36.2` |
| [github/codeql-action/autobuild](https://github.com/github/codeql-action) | `4.36.0` | `4.36.2` |
| [github/codeql-action/analyze](https://github.com/github/codeql-action) | `4.36.0` | `4.36.2` |
| [actions/cache](https://github.com/actions/cache) | `5.0.5` | `6.1.0` |
| [github/codeql-action/upload-sarif](https://github.com/github/codeql-action) | `4.36.0` | `4.36.2` |



Updates `actions/checkout` from 6.0.2 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](de0fac2e45...9c091bb21b)

Updates `actions/setup-python` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](a309ff8b42...ece7cb06ca)

Updates `github/codeql-action/init` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](7211b7c807...8aad20d150)

Updates `github/codeql-action/autobuild` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](7211b7c807...8aad20d150)

Updates `github/codeql-action/analyze` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](7211b7c807...8aad20d150)

Updates `actions/cache` from 5.0.5 to 6.1.0
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](27d5ce7f10...55cc834586)

Updates `github/codeql-action/upload-sarif` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](7211b7c807...8aad20d150)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: everything
- dependency-name: actions/setup-python
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: everything
- dependency-name: github/codeql-action/init
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: everything
- dependency-name: github/codeql-action/autobuild
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: everything
- dependency-name: github/codeql-action/analyze
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: everything
- dependency-name: actions/cache
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: everything
- dependency-name: github/codeql-action/upload-sarif
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: everything
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-30 08:14:10 +00:00
Copybara-Service
83fe766bc8 Merge pull request #1494 from aleister1102:fix/decoder-jni-push-bounds-check
PiperOrigin-RevId: 932949831
2026-06-16 01:42:51 -07:00
aleister1102
183d03c36c fix(java): validate decoder push length in Wrapper only
Per review feedback, keep the input length upper-bound check in
DecoderJNI.Wrapper.push() and remove the redundant native guard.
2026-06-11 23:42:04 +07:00
aleister1102
2dc2a5feea fix(java): reject decoder push length exceeding input buffer capacity
DecoderJNI.Wrapper.push(int length) validated only length < 0. nativePush() stored input_length without an upper bound, and DecoderHandle did not retain the input buffer's allocation size, so new DecoderJNI.Wrapper(1).push(32) made BrotliDecoderDecompressStream read past the one-byte input allocation (heap out-of-bounds read).

Add an upper-bound check in Wrapper.push(), and as defense in depth store the allocation size in DecoderHandle and reject oversized input_length in nativePush(). Add DecoderJNITest covering rejection and a valid round trip.
2026-06-07 00:20:09 +07:00
Copybara-Service
f0328d1544 Merge pull request #1395 from mmorel-35:bcr
PiperOrigin-RevId: 925175633
2026-06-02 00:55:12 -07:00
Eugene Kliuchnikov
dc14914ed7 Merge branch 'master' into bcr 2026-06-02 08:48:51 +02:00
Copybara-Service
b9a3377bef Merge pull request #1406 from mannewalis:fix/emscripten-detection
PiperOrigin-RevId: 924674243
2026-06-01 06:32:44 -07:00
Eugene Kliuchnikov
ec8d979d39 Merge branch 'master' into bcr 2026-06-01 15:27:40 +02:00
Copybara-Service
bfd14e0767 Merge pull request #1487 from google:dependabot/github_actions/step-security/harden-runner-2.19.4
PiperOrigin-RevId: 924665869
2026-06-01 06:10:33 -07:00
Eugene Kliuchnikov
b915d37a47 Merge branch 'master' into dependabot/github_actions/step-security/harden-runner-2.19.4 2026-06-01 15:05:27 +02:00
Eugene Kliuchnikov
fe97583df2 Merge branch 'master' into fix/emscripten-detection 2026-06-01 14:57:49 +02:00
Copybara-Service
3907ece8db Merge pull request #1490 from google:eustas-patch-1
PiperOrigin-RevId: 924650836
2026-06-01 05:32:12 -07:00
Eugene Kliuchnikov
65d95f8aa1 Merge branch 'master' into eustas-patch-1 2026-06-01 14:28:00 +02:00
Evgenii Kliuchnikov
7941b467b2 Fix Bazel build
PiperOrigin-RevId: 924648497
2026-06-01 05:25:26 -07:00
dependabot[bot]
c2d0fd3ac9 Bump step-security/harden-runner from 2.17.0 to 2.19.4
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.17.0 to 2.19.4.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](f808768d15...9af89fc715)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-01 12:04:30 +00:00
Copybara-Service
174ac8058b Merge pull request #1486 from google:dependabot/github_actions/github/codeql-action-4.36.0
PiperOrigin-RevId: 924639598
2026-06-01 05:02:19 -07:00
Eugene Kliuchnikov
922fc3c504 Configure Dependabot to group updates
Add grouping for Dependabot updates to combine into a single PR.
2026-06-01 13:26:30 +02:00
dependabot[bot]
e35f83fc36 Bump github/codeql-action from 4.35.1 to 4.36.0
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.36.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](c10b8064de...7211b7c807)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-01 10:24:40 +00:00
Copybara-Service
aa150a1847 Merge pull request #1466 from google:dependabot/github_actions/actions/setup-node-6.4.0
PiperOrigin-RevId: 924598585
2026-06-01 03:22:21 -07:00
Eugene Kliuchnikov
31d450013d Merge branch 'master' into dependabot/github_actions/actions/setup-node-6.4.0 2026-06-01 12:17:58 +02:00
Evgenii Kliuchnikov
6312ee24ce revert API change
PiperOrigin-RevId: 915873630
2026-05-15 01:46:21 -07:00
Evgenii Kliuchnikov
73ba6a2322 make narrowing conversion explicit
PiperOrigin-RevId: 915286311
2026-05-14 01:09:52 -07:00
Evgenii Kliuchnikov
1736fe1d50 Clarify RAW dictionary size limits.
Make decoder addon (chunked dictionary) fields unsigned.
Add comments about expected value ranges.

PiperOrigin-RevId: 914736171
2026-05-13 02:22:01 -07:00
Brotli
af041f55e7 Automated Code Change
PiperOrigin-RevId: 910740603
2026-05-05 09:37:27 -07:00
Copybara-Service
db4dfda9e1 Merge pull request #1463 from parasol-aser:fix/copystat-toctou-1461
PiperOrigin-RevId: 909898919
2026-05-04 02:31:46 -07:00
parasol-aser
7d9d520712 Convert CopyStat regression tests to Python suite 2026-04-30 17:19:28 +00:00
parasol-aser
da05ef838c Fix CopyStat TOCTOU in brotli CLI by using fd-based syscalls
CloseFiles() previously called fclose(context->fout) before invoking
CopyStat() on the output pathname. CopyStat() then used path-based
chmod() and chown(), which gave an attacker with write access to the
output directory a window to replace the path with a symlink between
the close and the metadata syscalls, redirecting the chmod/chown to an
arbitrary target.

Close the race by doing the metadata copy while the output file is
still open and by switching to fd-based syscalls on fileno(fout):

- CopyStat() now takes FILE* fout and calls fchmod()/fchown() on the
  underlying fd.
- CopyTimeStat() uses futimens(fd, ...) in the HAVE_UTIMENSAT branch;
  the legacy utime() fallback is preserved for platforms without it.
- CloseFiles() invokes CopyStat() before fclose() and skips it when
  current_output_path is NULL (stdout), matching the issue's guidance.
- Windows no-op shims updated from chmod/chown to fchmod/fchown.

Adds deterministic regression coverage under tests/regression/t01/:
an LD_PRELOAD fclose() swap reproduces the pre-fix behavior, and a
negative-assertion wrapper confirms the attack no longer succeeds
after the patch. Additional scripts cover mode/timestamp propagation,
the -n (no-copy-stat) flag, stdin input, stdout output, mode mask, and
roundtrip correctness.

Refs google/brotli#1461
2026-04-30 17:19:28 +00:00
dependabot[bot]
81d3468a1a Bump actions/setup-node from 6.3.0 to 6.4.0
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](53b83947a5...48b55a011b)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-21 08:23:51 +00:00
Copybara-Service
ab685df834 Merge pull request #1458 from rbri:java_code_cleanup
PiperOrigin-RevId: 900612609
2026-04-16 02:49:59 -07:00
Ronald Brill
0b30317d4a use try-with-resources 2026-04-15 12:53:05 +02:00
Copybara-Service
737ae47a02 Merge pull request #1453 from 0xazanul:fix/cli-comment-verification-return
PiperOrigin-RevId: 900007299
2026-04-15 01:12:13 -07:00
Eugene Kliuchnikov
66e47ccf02 Merge branch 'master' into fix/cli-comment-verification-return 2026-04-14 14:54:37 +02:00
Copybara-Service
b3dc9ccd61 Merge pull request #1457 from google:dependabot/github_actions/actions/cache-5.0.5
PiperOrigin-RevId: 899533563
2026-04-14 05:46:06 -07:00
Eugene Kliuchnikov
ba70577a2b Merge branch 'master' into fix/cli-comment-verification-return 2026-04-14 14:28:26 +02:00
dependabot[bot]
fa0e46159b Bump actions/cache from 5.0.4 to 5.0.5 (#1457)
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](668228422a...27d5ce7f10)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>
2026-04-14 14:27:51 +02:00
Eugene Kliuchnikov
7783fe7ff3 Merge branch 'master' into dependabot/github_actions/actions/cache-5.0.5 2026-04-14 14:14:50 +02:00
dependabot[bot]
f9f3a8cbf9 Bump mymindstorm/setup-emsdk from 15 to 16 (#1456)
Bumps [mymindstorm/setup-emsdk](https://github.com/mymindstorm/setup-emsdk) from 15 to 16.
- [Release notes](https://github.com/mymindstorm/setup-emsdk/releases)
- [Commits](667eb33f24...4528d102f7)

---
updated-dependencies:
- dependency-name: mymindstorm/setup-emsdk
  dependency-version: '16'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>
2026-04-14 14:14:29 +02:00
dependabot[bot]
9b01217df4 Bump actions/cache from 5.0.4 to 5.0.5
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](668228422a...27d5ce7f10)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-14 11:07:10 +00:00
dependabot[bot]
092429c5d4 Bump step-security/harden-runner from 2.16.1 to 2.17.0 (#1455)
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.16.1 to 2.17.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](fe10465874...f808768d15)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>
2026-04-14 13:06:07 +02:00
Copybara-Service
1dd49e190f Merge pull request #1444 from robinwatts:master
PiperOrigin-RevId: 899489367
2026-04-14 03:50:27 -07:00
dependabot[bot]
4236b85879 Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#1454)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](bbbca2ddaa...043fb46d1a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-14 12:07:36 +02:00
Eugene Kliuchnikov
ea0e8289c9 Merge branch 'master' into bcr 2026-04-13 10:52:34 +02:00
Eugene Kliuchnikov
789eaf2fa8 Merge branch 'master' into fix/cli-comment-verification-return 2026-04-13 10:47:50 +02:00
Eugene Kliuchnikov
b7d03391c9 Merge branch 'master' into master 2026-04-13 10:09:36 +02:00
Copybara-Service
37fd9c5c77 Merge pull request #1440 from google:dependabot/github_actions/github/codeql-action-4.35.1
PiperOrigin-RevId: 898835966
2026-04-13 01:08:57 -07:00
Eugene Kliuchnikov
b1e421fdc7 Merge branch 'master' into master 2026-04-13 10:08:41 +02:00