Evgenii Kliuchnikov
4e6d8fbfa3
Retain source data for prepared dictionary.
...
Unlike pure-java prepared dictionary, in native prepared dictionaries source data is not copied, but referenced.
Likely because of copy-paste, `raw_data` field was not populated.
PiperOrigin-RevId: 944339020
2026-07-08 01:14:10 -07:00
Copybara-Service
362f43adef
Merge pull request #1502 from eustas:zizmor
...
PiperOrigin-RevId: 943118404
2026-07-06 01:24:25 -07:00
Evgenii Kliuchnikov
73ffe712a4
Add zizmor audit
...
And fix findings.
Drive-by: fix windows build
2026-07-03 15:14:08 +00:00
Copybara-Service
27cc9fe9a4
Merge pull request #1500 from google:dependabot/github_actions/everything-0a43ab5142
...
PiperOrigin-RevId: 942121953
2026-07-03 06:51:37 -07:00
dependabot[bot]
2e0b1dc6e1
Bump the everything group across 1 directory with 7 updates
...
Bumps the everything group with 7 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout ) | `6.0.2` | `7.0.0` |
| [actions/setup-python](https://github.com/actions/setup-python ) | `6.2.0` | `6.3.0` |
| [github/codeql-action/init](https://github.com/github/codeql-action ) | `4.36.0` | `4.36.2` |
| [github/codeql-action/autobuild](https://github.com/github/codeql-action ) | `4.36.0` | `4.36.2` |
| [github/codeql-action/analyze](https://github.com/github/codeql-action ) | `4.36.0` | `4.36.2` |
| [actions/cache](https://github.com/actions/cache ) | `5.0.5` | `6.1.0` |
| [github/codeql-action/upload-sarif](https://github.com/github/codeql-action ) | `4.36.0` | `4.36.2` |
Updates `actions/checkout` from 6.0.2 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](de0fac2e45...9c091bb21b )
Updates `actions/setup-python` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](a309ff8b42...ece7cb06ca )
Updates `github/codeql-action/init` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](7211b7c807...8aad20d150 )
Updates `github/codeql-action/autobuild` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](7211b7c807...8aad20d150 )
Updates `github/codeql-action/analyze` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](7211b7c807...8aad20d150 )
Updates `actions/cache` from 5.0.5 to 6.1.0
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](27d5ce7f10...55cc834586 )
Updates `github/codeql-action/upload-sarif` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](7211b7c807...8aad20d150 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 7.0.0
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: everything
- dependency-name: actions/setup-python
dependency-version: 6.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: everything
- dependency-name: github/codeql-action/init
dependency-version: 4.36.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: everything
- dependency-name: github/codeql-action/autobuild
dependency-version: 4.36.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: everything
- dependency-name: github/codeql-action/analyze
dependency-version: 4.36.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: everything
- dependency-name: actions/cache
dependency-version: 6.1.0
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: everything
- dependency-name: github/codeql-action/upload-sarif
dependency-version: 4.36.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: everything
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-06-30 08:14:10 +00:00
Copybara-Service
83fe766bc8
Merge pull request #1494 from aleister1102:fix/decoder-jni-push-bounds-check
...
PiperOrigin-RevId: 932949831
2026-06-16 01:42:51 -07:00
aleister1102
183d03c36c
fix(java): validate decoder push length in Wrapper only
...
Per review feedback, keep the input length upper-bound check in
DecoderJNI.Wrapper.push() and remove the redundant native guard.
2026-06-11 23:42:04 +07:00
aleister1102
2dc2a5feea
fix(java): reject decoder push length exceeding input buffer capacity
...
DecoderJNI.Wrapper.push(int length) validated only length < 0. nativePush() stored input_length without an upper bound, and DecoderHandle did not retain the input buffer's allocation size, so new DecoderJNI.Wrapper(1).push(32) made BrotliDecoderDecompressStream read past the one-byte input allocation (heap out-of-bounds read).
Add an upper-bound check in Wrapper.push(), and as defense in depth store the allocation size in DecoderHandle and reject oversized input_length in nativePush(). Add DecoderJNITest covering rejection and a valid round trip.
2026-06-07 00:20:09 +07:00
Copybara-Service
f0328d1544
Merge pull request #1395 from mmorel-35:bcr
...
PiperOrigin-RevId: 925175633
2026-06-02 00:55:12 -07:00
Eugene Kliuchnikov
dc14914ed7
Merge branch 'master' into bcr
2026-06-02 08:48:51 +02:00
Copybara-Service
b9a3377bef
Merge pull request #1406 from mannewalis:fix/emscripten-detection
...
PiperOrigin-RevId: 924674243
2026-06-01 06:32:44 -07:00
Eugene Kliuchnikov
ec8d979d39
Merge branch 'master' into bcr
2026-06-01 15:27:40 +02:00
Copybara-Service
bfd14e0767
Merge pull request #1487 from google:dependabot/github_actions/step-security/harden-runner-2.19.4
...
PiperOrigin-RevId: 924665869
2026-06-01 06:10:33 -07:00
Eugene Kliuchnikov
b915d37a47
Merge branch 'master' into dependabot/github_actions/step-security/harden-runner-2.19.4
2026-06-01 15:05:27 +02:00
Eugene Kliuchnikov
fe97583df2
Merge branch 'master' into fix/emscripten-detection
2026-06-01 14:57:49 +02:00
Copybara-Service
3907ece8db
Merge pull request #1490 from google:eustas-patch-1
...
PiperOrigin-RevId: 924650836
2026-06-01 05:32:12 -07:00
Eugene Kliuchnikov
65d95f8aa1
Merge branch 'master' into eustas-patch-1
2026-06-01 14:28:00 +02:00
Evgenii Kliuchnikov
7941b467b2
Fix Bazel build
...
PiperOrigin-RevId: 924648497
2026-06-01 05:25:26 -07:00
dependabot[bot]
c2d0fd3ac9
Bump step-security/harden-runner from 2.17.0 to 2.19.4
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.17.0 to 2.19.4.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](f808768d15...9af89fc715 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.19.4
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-06-01 12:04:30 +00:00
Copybara-Service
174ac8058b
Merge pull request #1486 from google:dependabot/github_actions/github/codeql-action-4.36.0
...
PiperOrigin-RevId: 924639598
2026-06-01 05:02:19 -07:00
Eugene Kliuchnikov
922fc3c504
Configure Dependabot to group updates
...
Add grouping for Dependabot updates to combine into a single PR.
2026-06-01 13:26:30 +02:00
dependabot[bot]
e35f83fc36
Bump github/codeql-action from 4.35.1 to 4.36.0
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.35.1 to 4.36.0.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](c10b8064de...7211b7c807 )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-06-01 10:24:40 +00:00
Copybara-Service
aa150a1847
Merge pull request #1466 from google:dependabot/github_actions/actions/setup-node-6.4.0
...
PiperOrigin-RevId: 924598585
2026-06-01 03:22:21 -07:00
Eugene Kliuchnikov
31d450013d
Merge branch 'master' into dependabot/github_actions/actions/setup-node-6.4.0
2026-06-01 12:17:58 +02:00
Evgenii Kliuchnikov
6312ee24ce
revert API change
...
PiperOrigin-RevId: 915873630
2026-05-15 01:46:21 -07:00
Evgenii Kliuchnikov
73ba6a2322
make narrowing conversion explicit
...
PiperOrigin-RevId: 915286311
2026-05-14 01:09:52 -07:00
Evgenii Kliuchnikov
1736fe1d50
Clarify RAW dictionary size limits.
...
Make decoder addon (chunked dictionary) fields unsigned.
Add comments about expected value ranges.
PiperOrigin-RevId: 914736171
2026-05-13 02:22:01 -07:00
Brotli
af041f55e7
Automated Code Change
...
PiperOrigin-RevId: 910740603
2026-05-05 09:37:27 -07:00
Copybara-Service
db4dfda9e1
Merge pull request #1463 from parasol-aser:fix/copystat-toctou-1461
...
PiperOrigin-RevId: 909898919
2026-05-04 02:31:46 -07:00
parasol-aser
7d9d520712
Convert CopyStat regression tests to Python suite
2026-04-30 17:19:28 +00:00
parasol-aser
da05ef838c
Fix CopyStat TOCTOU in brotli CLI by using fd-based syscalls
...
CloseFiles() previously called fclose(context->fout) before invoking
CopyStat() on the output pathname. CopyStat() then used path-based
chmod() and chown(), which gave an attacker with write access to the
output directory a window to replace the path with a symlink between
the close and the metadata syscalls, redirecting the chmod/chown to an
arbitrary target.
Close the race by doing the metadata copy while the output file is
still open and by switching to fd-based syscalls on fileno(fout):
- CopyStat() now takes FILE* fout and calls fchmod()/fchown() on the
underlying fd.
- CopyTimeStat() uses futimens(fd, ...) in the HAVE_UTIMENSAT branch;
the legacy utime() fallback is preserved for platforms without it.
- CloseFiles() invokes CopyStat() before fclose() and skips it when
current_output_path is NULL (stdout), matching the issue's guidance.
- Windows no-op shims updated from chmod/chown to fchmod/fchown.
Adds deterministic regression coverage under tests/regression/t01/:
an LD_PRELOAD fclose() swap reproduces the pre-fix behavior, and a
negative-assertion wrapper confirms the attack no longer succeeds
after the patch. Additional scripts cover mode/timestamp propagation,
the -n (no-copy-stat) flag, stdin input, stdout output, mode mask, and
roundtrip correctness.
Refs google/brotli#1461
2026-04-30 17:19:28 +00:00
dependabot[bot]
81d3468a1a
Bump actions/setup-node from 6.3.0 to 6.4.0
...
Bumps [actions/setup-node](https://github.com/actions/setup-node ) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-node/releases )
- [Commits](53b83947a5...48b55a011b )
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: 6.4.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-04-21 08:23:51 +00:00
Copybara-Service
ab685df834
Merge pull request #1458 from rbri:java_code_cleanup
...
PiperOrigin-RevId: 900612609
2026-04-16 02:49:59 -07:00
Ronald Brill
0b30317d4a
use try-with-resources
2026-04-15 12:53:05 +02:00
Copybara-Service
737ae47a02
Merge pull request #1453 from 0xazanul:fix/cli-comment-verification-return
...
PiperOrigin-RevId: 900007299
2026-04-15 01:12:13 -07:00
Eugene Kliuchnikov
66e47ccf02
Merge branch 'master' into fix/cli-comment-verification-return
2026-04-14 14:54:37 +02:00
Copybara-Service
b3dc9ccd61
Merge pull request #1457 from google:dependabot/github_actions/actions/cache-5.0.5
...
PiperOrigin-RevId: 899533563
2026-04-14 05:46:06 -07:00
Eugene Kliuchnikov
ba70577a2b
Merge branch 'master' into fix/cli-comment-verification-return
2026-04-14 14:28:26 +02:00
dependabot[bot]
fa0e46159b
Bump actions/cache from 5.0.4 to 5.0.5 ( #1457 )
...
Bumps [actions/cache](https://github.com/actions/cache ) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](668228422a...27d5ce7f10 )
---
updated-dependencies:
- dependency-name: actions/cache
dependency-version: 5.0.5
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com >
2026-04-14 14:27:51 +02:00
Eugene Kliuchnikov
7783fe7ff3
Merge branch 'master' into dependabot/github_actions/actions/cache-5.0.5
2026-04-14 14:14:50 +02:00
dependabot[bot]
f9f3a8cbf9
Bump mymindstorm/setup-emsdk from 15 to 16 ( #1456 )
...
Bumps [mymindstorm/setup-emsdk](https://github.com/mymindstorm/setup-emsdk ) from 15 to 16.
- [Release notes](https://github.com/mymindstorm/setup-emsdk/releases )
- [Commits](667eb33f24...4528d102f7 )
---
updated-dependencies:
- dependency-name: mymindstorm/setup-emsdk
dependency-version: '16'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com >
2026-04-14 14:14:29 +02:00
dependabot[bot]
9b01217df4
Bump actions/cache from 5.0.4 to 5.0.5
...
Bumps [actions/cache](https://github.com/actions/cache ) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](668228422a...27d5ce7f10 )
---
updated-dependencies:
- dependency-name: actions/cache
dependency-version: 5.0.5
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-04-14 11:07:10 +00:00
dependabot[bot]
092429c5d4
Bump step-security/harden-runner from 2.16.1 to 2.17.0 ( #1455 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.16.1 to 2.17.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](fe10465874...f808768d15 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.17.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com >
2026-04-14 13:06:07 +02:00
Copybara-Service
1dd49e190f
Merge pull request #1444 from robinwatts:master
...
PiperOrigin-RevId: 899489367
2026-04-14 03:50:27 -07:00
dependabot[bot]
4236b85879
Bump actions/upload-artifact from 7.0.0 to 7.0.1 ( #1454 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](bbbca2ddaa...043fb46d1a )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: 7.0.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-14 12:07:36 +02:00
Eugene Kliuchnikov
ea0e8289c9
Merge branch 'master' into bcr
2026-04-13 10:52:34 +02:00
Eugene Kliuchnikov
789eaf2fa8
Merge branch 'master' into fix/cli-comment-verification-return
2026-04-13 10:47:50 +02:00
Eugene Kliuchnikov
b7d03391c9
Merge branch 'master' into master
2026-04-13 10:09:36 +02:00
Copybara-Service
37fd9c5c77
Merge pull request #1440 from google:dependabot/github_actions/github/codeql-action-4.35.1
...
PiperOrigin-RevId: 898835966
2026-04-13 01:08:57 -07:00
Eugene Kliuchnikov
b1e421fdc7
Merge branch 'master' into master
2026-04-13 10:08:41 +02:00