From d354fa78f211efb18fe91a0309ca5f43fec1469d Mon Sep 17 00:00:00 2001
From: Guus der Kinderen
Date: Thu, 10 Nov 2022 09:53:54 +0100
Subject: [PATCH] Suppress LGTM alert for ZipSlip in PluginMonitor

ZipSlip is possible only when explicitly enabled by an administrator. No need to have a static analyzer alert for this particular case.
---
 .../org/jivesoftware/openfire/container/PluginMonitor.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginMonitor.java b/xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginMonitor.java
index 15905b6be7..412bc64c2d 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginMonitor.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginMonitor.java
@@ -479,7 +479,9 @@ private boolean unzipPlugin( String pluginName, Path file, Path dir )
 for ( Enumeration e = zipFile.entries(); e.hasMoreElements(); )
 {
 JarEntry entry = (JarEntry) e.nextElement();
- Path entryFile = dir.resolve( entry.getName() ); // ignore possibility for zipslip as this is sanitized for if property is enabled lgtm [java/zipslip]
+ Path entryFile = dir.resolve( entry.getName() ); /* lgtm[java/zipslip] */
+ // The line above ignores LGTM alert for ZipSlip as this is sanitized for if property is enabled.
+
 // Ignore any manifest.mf entries.
 if ( entry.getName().toLowerCase().endsWith( "manifest.mf" ) )
 {
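Review bot: The explanatory comment added under `Path entryFile = dir.resolve( entry.getName() ); /* lgtm[java/zipslip] */` leaves the direction of the property ambiguous: the commit message says ZipSlip becomes possible only when an administrator explicitly enables a property, while "sanitized for if property is enabled" reads as though enabling the property is what turns the check on. Now that the analyzer alert is silenced, this comment is the only thing telling a future reader where the traversal check lives and under which setting it is bypassed, so it should name both, e.g. `// lgtm[java/zipslip] suppressed: entry names are checked against 'dir' (see <CHECK_LOCATION>) unless <PROPERTY_NAME> is explicitly enabled by an administrator, in which case entries resolving outside the plugin directory are permitted.` The check itself is not in this hunk, so whether it normalizes the resolved path before the containment test (`entryFile.normalize().startsWith( dir )`) cannot be confirmed here and is worth verifying, since the static analyzer will no longer flag this line. The body of unzipPlugin starts and ends outside the hunk.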