Results 1 - 10 of 29 for vulnerabilities (0.06 sec)

  1. .github/workflows/codeql-analysis.yml

            # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
            language: ['java']
            # Learn more...
            # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
    
        steps:
        - name: Checkout repository
          uses: actions/checkout@v4
    
        # Initializes the CodeQL tools for scanning.
    Registered: Sat Dec 20 09:13:53 UTC 2025
    - Last Modified: Thu Nov 20 13:34:13 UTC 2025
    - 2.1K bytes
    - Viewed (0)
  2. src/main/java/org/codelibs/fess/crawler/serializer/DataSerializer.java

                // TODO use kryo.register for security
                // SECURITY WARNING: setRegistrationRequired(false) allows deserialization of arbitrary classes
                // which could potentially lead to remote code execution vulnerabilities.
                // This should be replaced with explicit class registration using kryo.register()
                // for all classes that need to be serialized/deserialized.
                kryo.setRegistrationRequired(false);
    Registered: Sat Dec 20 09:19:18 UTC 2025
    - Last Modified: Wed Nov 19 07:09:17 UTC 2025
    - 6.5K bytes
    - Viewed (3)
  3. src/main/java/org/codelibs/fess/ds/DataStoreFactory.java

         * in the data store plugin directory and extracts component class names.
         *
         * <p>The method uses secure XML parsing features to prevent XXE attacks and
         * other XML-based vulnerabilities. Component class names are extracted from
         * the 'class' attribute of 'component' elements in the XML files.</p>
         *
         * @return sorted list of data store class simple names discovered from plugins
         */
    Registered: Sat Dec 20 09:19:18 UTC 2025
    - Last Modified: Fri Nov 28 16:29:12 UTC 2025
    - 9K bytes
    - Viewed (0)
  4. src/main/java/jcifs/util/InputValidator.java

    import java.util.regex.Pattern;
    
    /**
     * Comprehensive input validation utility for SMB protocol implementation.
     * Provides validation methods to prevent buffer overflows, injection attacks,
     * and other security vulnerabilities.
     */
    public final class InputValidator {
    
        private InputValidator() {
            // Utility class
        }
    
        // Maximum sizes for various SMB fields (based on protocol specifications)
    Registered: Sat Dec 20 13:44:44 UTC 2025
    - Last Modified: Sat Aug 30 05:58:03 UTC 2025
    - 13.5K bytes
    - Viewed (0)
  5. src/main/java/org/codelibs/core/io/SerializeUtil.java

         * <p>
         * WARNING: Use this only when you completely trust the data source and have
         * other security measures in place. Unrestricted deserialization can lead to
         * remote code execution vulnerabilities.
         * </p>
         *
         * @return an ObjectInputFilter that allows all classes
         */
        public static ObjectInputFilter createPermissiveFilter() {
    Registered: Sat Dec 20 08:55:33 UTC 2025
    - Last Modified: Sat Nov 22 11:21:59 UTC 2025
    - 9K bytes
    - Viewed (0)
  6. android/guava/src/com/google/common/io/Files.java

       * delete the file and create a directory in its place, but this leads a race condition which can
       * be exploited to create security vulnerabilities, especially when executable files are to be
       * written into the directory.
       *
       * <p>This method assumes that the temporary volume is writable, has free inodes and free blocks,
    Registered: Fri Dec 26 12:43:10 UTC 2025
    - Last Modified: Thu Sep 25 20:24:13 UTC 2025
    - 32.8K bytes
    - Viewed (0)
  7. guava/src/com/google/common/io/Files.java

       * delete the file and create a directory in its place, but this leads a race condition which can
       * be exploited to create security vulnerabilities, especially when executable files are to be
       * written into the directory.
       *
       * <p>This method assumes that the temporary volume is writable, has free inodes and free blocks,
    Registered: Fri Dec 26 12:43:10 UTC 2025
    - Last Modified: Thu Sep 25 20:24:13 UTC 2025
    - 32.8K bytes
    - Viewed (0)
  8. CHANGELOG/CHANGELOG-1.27.md

    ## Changelog since v1.27.15
    
    ## Important Security Information
    
    This release contains changes that address the following vulnerabilities:
    
    ### CVE-2024-5321: Incorrect permissions on Windows containers logs
    
    A security issue was discovered in Kubernetes clusters with Windows nodes
    where BUILTIN\Users may be able to read container logs and NT
    Registered: Fri Dec 26 09:05:12 UTC 2025
    - Last Modified: Wed Jul 17 07:48:22 UTC 2024
    - 466.3K bytes
    - Viewed (2)
  9. CHANGELOG/CHANGELOG-1.29.md

    ## Changelog since v1.29.12
    
    ## Important Security Information
    
    This release contains changes that address the following vulnerabilities:
    
    ### CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API
    
    A security vulnerability has been discovered in Kubernetes windows nodes
    Registered: Fri Dec 26 09:05:12 UTC 2025
    - Last Modified: Wed Mar 12 00:36:01 UTC 2025
    - 429.6K bytes
    - Viewed (1)
  10. src/main/java/org/codelibs/fess/ldap/LdapManager.java

         * </ul>
         *
         * <p><strong>Security Note:</strong> This method MUST be called on all user-supplied
         * input before using it in LDAP search filters to prevent LDAP injection vulnerabilities.
         *
         * @param filter the LDAP search filter to escape (null is treated as empty string)
         * @return the escaped filter string safe for use in LDAP queries (empty string if filter is null)
    Registered: Sat Dec 20 09:19:18 UTC 2025
    - Last Modified: Fri Nov 28 16:29:12 UTC 2025
    - 86.3K bytes
    - Viewed (0)