From 3d1fbb2b9b59ac11c47286f218c8a7d8492ade88 Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Wed, 24 Jun 2026 06:25:06 +0200 Subject: [PATCH 01/12] Fix resource leak in MetsKitodoConverterTest.revertFile() Wrap Files.newOutputStream in try-with-resources to prevent CWE-404 resource leak when reverting testmetaOldFormat.xml. Signed-off-by: Stefan Weil Assisted-by: qwen3.6-36b (Alibaba) --- .../java/org/kitodo/dataeditor/MetsKitodoConverterTest.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoConverterTest.java b/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoConverterTest.java index d2353047787..88d9ff0aa34 100644 --- a/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoConverterTest.java +++ b/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoConverterTest.java @@ -15,6 +15,7 @@ import java.io.File; import java.io.IOException; +import java.io.OutputStream; import java.net.URI; import java.nio.file.Files; import java.nio.file.Paths; @@ -46,7 +47,9 @@ public void saveFile() throws IOException { @AfterEach public void revertFile() throws IOException { - IOUtils.write( testMetaOldFormat, Files.newOutputStream(Paths.get(pathOfOldMetaFormat))); + try (OutputStream out = Files.newOutputStream(Paths.get(pathOfOldMetaFormat))) { + IOUtils.write(testMetaOldFormat, out); + } } @Test From 1a92211d54f6b60ff57b9d22d2e792c3536cbf66 Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Wed, 24 Jun 2026 06:25:13 +0200 Subject: [PATCH 02/12] Fix resource leak in MetsXmlElementAccessIT.duplicateMetsFileDefinitionWithStrictFileIdCheck() Wrap MockedStatic in try-with-resources to prevent CWE-404 resource leak when mockedConfig goes out of scope. Signed-off-by: Stefan Weil Assisted-by: qwen3.6-36b (Alibaba) --- .../access/MetsXmlElementAccessIT.java | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/Kitodo-DataFormat/src/test/java/org/kitodo/dataformat/access/MetsXmlElementAccessIT.java b/Kitodo-DataFormat/src/test/java/org/kitodo/dataformat/access/MetsXmlElementAccessIT.java index d0662885378..2332451bd4d 100644 --- a/Kitodo-DataFormat/src/test/java/org/kitodo/dataformat/access/MetsXmlElementAccessIT.java +++ b/Kitodo-DataFormat/src/test/java/org/kitodo/dataformat/access/MetsXmlElementAccessIT.java @@ -297,18 +297,19 @@ public void duplicateMetsFileDefinitionWithoutStrictFileIdCheck() throws IOExcep public void duplicateMetsFileDefinitionWithStrictFileIdCheck() { // mock access to KitodoConfig usage PropertiesConfiguration propertiesConfiguration = Mockito.mock(PropertiesConfiguration.class); - MockedStatic mockedConfig = Mockito.mockStatic(KitodoConfig.class); - mockedConfig.when(KitodoConfig::getConfig).thenReturn(propertiesConfiguration); - // mock getBoolean method call like in the main class - Mockito.when(propertiesConfiguration.getBoolean("useStrictMetsFileIdCheck", false)).thenReturn(true); - - Exception exception = assertThrows(IllegalArgumentException.class, - () -> new MetsXmlElementAccess().read( - new FileInputStream("src/test/resources/meta_duplicate_file.xml") - ) - ); - - assertEquals("Corrupt file: each METS file ID has to be unique but FILE_0001 is used multiple times!", exception.getMessage()); + try (MockedStatic mockedConfig = Mockito.mockStatic(KitodoConfig.class)) { + mockedConfig.when(KitodoConfig::getConfig).thenReturn(propertiesConfiguration); + // mock getBoolean method call like in the main class + Mockito.when(propertiesConfiguration.getBoolean("useStrictMetsFileIdCheck", false)).thenReturn(true); + + Exception exception = assertThrows(IllegalArgumentException.class, + () -> new MetsXmlElementAccess().read( + new FileInputStream("src/test/resources/meta_duplicate_file.xml") + ) + ); + + assertEquals("Corrupt file: each METS file ID has to be unique but FILE_0001 is used multiple times!", exception.getMessage()); + } } @Test From e17efa62cc59e636eb4e16548ad5704e9608ac6c Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Wed, 24 Jun 2026 06:25:17 +0200 Subject: [PATCH 03/12] Fix resource leak in MetsKitodoValidatorTest.revertFile() Wrap Files.newOutputStream in try-with-resources to prevent CWE-404 resource leak when reverting testmetaOldFormat.xml. Signed-off-by: Stefan Weil Assisted-by: qwen3.6-36b (Alibaba) --- .../java/org/kitodo/dataeditor/MetsKitodoValidatorTest.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoValidatorTest.java b/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoValidatorTest.java index 2e27f84806e..537cf775263 100644 --- a/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoValidatorTest.java +++ b/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoValidatorTest.java @@ -16,6 +16,7 @@ import java.io.File; import java.io.IOException; +import java.io.OutputStream; import java.nio.file.Files; import java.nio.file.Paths; @@ -39,7 +40,9 @@ public void saveFile() throws IOException { @AfterEach public void revertFile() throws IOException { - IOUtils.write( testMetaOldFormat, Files.newOutputStream(Paths.get(pathOfOldMetaFormat))); + try (OutputStream out = Files.newOutputStream(Paths.get(pathOfOldMetaFormat))) { + IOUtils.write(testMetaOldFormat, out); + } } @Test From 3f63bce769d0141b1874a831401300f1c2fc77c6 Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Wed, 24 Jun 2026 06:25:21 +0200 Subject: [PATCH 04/12] Fix resource leak in KitodoServiceLoader Replace FileSystems.getDefault().getPath() with Paths.get() to avoid CWE-404 resource leak warning for the FileSystem returned by getDefault(). Both produce the same Path but Paths.get() avoids exposing the FileSystem resource. Signed-off-by: Stefan Weil Assisted-by: qwen3.6-36b (Alibaba) --- .../java/org/kitodo/serviceloader/KitodoServiceLoader.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Kitodo-API/src/main/java/org/kitodo/serviceloader/KitodoServiceLoader.java b/Kitodo-API/src/main/java/org/kitodo/serviceloader/KitodoServiceLoader.java index 993c9a0ec63..ebd5de82e9c 100644 --- a/Kitodo-API/src/main/java/org/kitodo/serviceloader/KitodoServiceLoader.java +++ b/Kitodo-API/src/main/java/org/kitodo/serviceloader/KitodoServiceLoader.java @@ -80,8 +80,7 @@ public class KitodoServiceLoader { private static final String JAR = "*.jar"; private static final String ERROR = "Classpath could not be accessed"; - private static final Path SYSTEM_TEMP_FOLDER = FileSystems.getDefault() - .getPath(System.getProperty("java.io.tmpdir")); + private static final Path SYSTEM_TEMP_FOLDER = Paths.get(System.getProperty("java.io.tmpdir")); private static final Logger logger = LogManager.getLogger(KitodoServiceLoader.class); From ab17f718d7a3f5c0d847de94c17e7b3cba21bee3 Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Wed, 24 Jun 2026 06:25:27 +0200 Subject: [PATCH 05/12] Fix resource leak in DataEditorTest.revertFile() Wrap Files.newOutputStream in try-with-resources to prevent CWE-404 resource leaks when reverting testmetaOldFormat.xml and testmetaUnsupportedFormat.xml. Signed-off-by: Stefan Weil Assisted-by: qwen3.6-36b (Alibaba) --- .../test/java/org/kitodo/dataeditor/DataEditorTest.java | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/DataEditorTest.java b/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/DataEditorTest.java index 56937bfb6ad..777a1736127 100644 --- a/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/DataEditorTest.java +++ b/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/DataEditorTest.java @@ -16,6 +16,7 @@ import java.io.File; import java.io.IOException; +import java.io.OutputStream; import java.net.URI; import java.nio.file.Files; import java.nio.file.Paths; @@ -43,8 +44,12 @@ public void saveFile() throws IOException { @AfterEach public void revertFile() throws IOException { - IOUtils.write( testMetaOldFormat, Files.newOutputStream(Paths.get(pathOfOldMetaFormat))); - IOUtils.write( testmetaUnsupportedFormat, Files.newOutputStream(Paths.get("src/test/resources/testmetaUnsupportedFormat.xml"))); + try (OutputStream out1 = Files.newOutputStream(Paths.get(pathOfOldMetaFormat))) { + IOUtils.write(testMetaOldFormat, out1); + } + try (OutputStream out2 = Files.newOutputStream(Paths.get("src/test/resources/testmetaUnsupportedFormat.xml"))) { + IOUtils.write(testmetaUnsupportedFormat, out2); + } } @Test From d45bb4e808768ae1ab908799262db9b1b4e72dbd Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Wed, 24 Jun 2026 06:25:33 +0200 Subject: [PATCH 06/12] Fix resource leak in MetsKitodoWrapperTest.revertFile() Wrap Files.newOutputStream in try-with-resources to prevent CWE-404 resource leak when the stream is not properly closed after writing. Signed-off-by: Stefan Weil Assisted-by: qwen3.6-36b (Alibaba) --- .../java/org/kitodo/dataeditor/MetsKitodoWrapperTest.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoWrapperTest.java b/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoWrapperTest.java index ef74623d6e0..bcc93021e41 100644 --- a/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoWrapperTest.java +++ b/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoWrapperTest.java @@ -17,6 +17,7 @@ import java.io.File; import java.io.IOException; +import java.io.OutputStream; import java.math.BigInteger; import java.net.URI; import java.nio.file.Files; @@ -65,7 +66,9 @@ public void saveFile() throws IOException { @AfterEach public void revertFile() throws IOException { - IOUtils.write( testMetaOldFormat, Files.newOutputStream(Paths.get(pathOfOldMetaFormat))); + try (OutputStream out = Files.newOutputStream(Paths.get(pathOfOldMetaFormat))) { + IOUtils.write(testMetaOldFormat, out); + } } @BeforeAll From 4754029821f174f58d3ee31ee8591116dfaba4a0 Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Wed, 24 Jun 2026 06:29:15 +0200 Subject: [PATCH 07/12] [CID: 415163] Fix resource leak in FileService.createMetaDirectory() Replace FileSystems.getDefault().getPath() with Paths.get() to avoid CWE-404 resource leak warning for the FileSystem returned by getDefault(). Both produce the same Path but Paths.get() avoids exposing the FileSystem resource. Signed-off-by: Stefan Weil Assisted-by: qwen3.6-36b (Alibaba) --- .../java/org/kitodo/production/services/file/FileService.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Kitodo/src/main/java/org/kitodo/production/services/file/FileService.java b/Kitodo/src/main/java/org/kitodo/production/services/file/FileService.java index 08e92325042..172cb22058f 100644 --- a/Kitodo/src/main/java/org/kitodo/production/services/file/FileService.java +++ b/Kitodo/src/main/java/org/kitodo/production/services/file/FileService.java @@ -141,8 +141,7 @@ URI createMetaDirectory(URI parentFolderUri, String directoryName) throws IOExce logger.info("Metadata directory: {} already existed! No new directory was created", directoryName); } else { CommandService commandService = ServiceManager.getCommandService(); - String path = FileSystems.getDefault() - .getPath(ConfigCore.getKitodoDataDirectory(), parentFolderUri.getRawPath(), directoryName) + String path = Paths.get(ConfigCore.getKitodoDataDirectory(), parentFolderUri.getRawPath(), directoryName) .normalize().toAbsolutePath().toString(); List commandParameter = Collections.singletonList(path); File script = new File(ConfigCore.getParameter(ParameterCore.SCRIPT_CREATE_DIR_META)); From 61b4e4934cdf902c90f08e503a6a10e841e0311b Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Wed, 24 Jun 2026 06:34:05 +0200 Subject: [PATCH 08/12] Fix resource leak in MetsKitodoWriterTest.revertFile() Wrap Files.newOutputStream in try-with-resources to prevent CWE-404 resource leak when the stream is not properly closed after writing. CID: 415123 Signed-off-by: Stefan Weil Assisted-by: qwen3.6-36b (Alibaba) --- .../java/org/kitodo/dataeditor/MetsKitodoWriterTest.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoWriterTest.java b/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoWriterTest.java index 0afe470acfa..c0517c16823 100644 --- a/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoWriterTest.java +++ b/Kitodo-DataEditor/src/test/java/org/kitodo/dataeditor/MetsKitodoWriterTest.java @@ -16,6 +16,7 @@ import java.io.File; import java.io.IOException; +import java.io.OutputStream; import java.net.URI; import java.nio.file.Files; import java.nio.file.Paths; @@ -49,7 +50,9 @@ public void saveFile() throws IOException { @AfterEach public void revertFile() throws IOException { - IOUtils.write( testMetaOldFormat, Files.newOutputStream(Paths.get(pathOfOldMetaFormat))); + try (OutputStream out = Files.newOutputStream(Paths.get(pathOfOldMetaFormat))) { + IOUtils.write(testMetaOldFormat, out); + } } @BeforeAll From f1897a599d71472ad2db1c52f9fed154197289f2 Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Wed, 24 Jun 2026 06:34:16 +0200 Subject: [PATCH 09/12] Fix resource leak in KitodoConfigTest.init() Capture MockedStatic in a static field and close it in @AfterAll method to prevent CWE-404 resource leak when mockedStatic goes out of scope. CID: 415151 Signed-off-by: Stefan Weil Assisted-by: qwen3.6-36b (Alibaba) --- .../test/java/org/kitodo/config/KitodoConfigTest.java | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Kitodo-API/src/test/java/org/kitodo/config/KitodoConfigTest.java b/Kitodo-API/src/test/java/org/kitodo/config/KitodoConfigTest.java index 6ef8f926401..947f49b2493 100644 --- a/Kitodo-API/src/test/java/org/kitodo/config/KitodoConfigTest.java +++ b/Kitodo-API/src/test/java/org/kitodo/config/KitodoConfigTest.java @@ -22,13 +22,16 @@ import java.util.NoSuchElementException; +import org.junit.jupiter.api.AfterAll; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import org.kitodo.config.enums.ParameterAPI; +import org.mockito.MockedStatic; public class KitodoConfigTest { private static ParameterAPI NONE; + private static MockedStatic mockedParameterAPI; /** * Init once before tests. @@ -40,12 +43,17 @@ public static void init() { NONE = mock(ParameterAPI.class); doReturn(3).when(NONE).ordinal(); - mockStatic(ParameterAPI.class); + mockedParameterAPI = mockStatic(ParameterAPI.class); when(ParameterAPI.values()) .thenReturn(new ParameterAPI[] {ParameterAPI.DIR_MODULES, ParameterAPI.DIR_PROCESSES, ParameterAPI.DIR_XML_CONFIG, NONE }); } + @AfterAll + public static void tearDown() { + mockedParameterAPI.close(); + } + @Test public void shouldGetStringParameterWithoutDefault() { String param = KitodoConfig.getParameter(ParameterAPI.DIR_XML_CONFIG); From 1cc9a9fff4408085b2a990fd03f07e52988f59a0 Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Wed, 24 Jun 2026 06:34:23 +0200 Subject: [PATCH 10/12] Fix resource leaks in KitodoServiceLoader Replace FileSystems.getDefault().getPath() with Paths.get() to avoid CWE-404 resource leak warnings for the FileSystem returned by getDefault() in loadBeans(), loadFrontendFilesIntoCore(), and loadModulesIntoClasspath(). Also remove now-unused FileSystems import. CID: 415123 Signed-off-by: Stefan Weil Assisted-by: qwen3.6-36b (Alibaba) --- .../java/org/kitodo/serviceloader/KitodoServiceLoader.java | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/Kitodo-API/src/main/java/org/kitodo/serviceloader/KitodoServiceLoader.java b/Kitodo-API/src/main/java/org/kitodo/serviceloader/KitodoServiceLoader.java index ebd5de82e9c..9e99e64bc9e 100644 --- a/Kitodo-API/src/main/java/org/kitodo/serviceloader/KitodoServiceLoader.java +++ b/Kitodo-API/src/main/java/org/kitodo/serviceloader/KitodoServiceLoader.java @@ -20,7 +20,6 @@ import java.net.URL; import java.net.URLClassLoader; import java.nio.file.DirectoryStream; -import java.nio.file.FileSystems; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; @@ -141,7 +140,7 @@ public List loadModules() { * they can be used in all frontend files */ private void loadBeans() { - Path moduleFolder = FileSystems.getDefault().getPath(modulePath); + Path moduleFolder = Paths.get(modulePath); try (DirectoryStream stream = Files.newDirectoryStream(moduleFolder, JAR)) { for (Path f : stream) { try (JarFile jarFile = new JarFile(f.toString())) { @@ -196,7 +195,7 @@ private void loadBeans() { */ private void loadFrontendFilesIntoCore() { - Path moduleFolder = FileSystems.getDefault().getPath(modulePath); + Path moduleFolder = Paths.get(modulePath); try (DirectoryStream stream = Files.newDirectoryStream(moduleFolder, JAR)) { @@ -381,7 +380,7 @@ private File findFile(String name, File folder) throws FileNotFoundException { * earlier class loader created at an earlier time.

*/ private void loadModulesIntoClasspath() { - Path moduleFolder = FileSystems.getDefault().getPath(modulePath); + Path moduleFolder = Paths.get(modulePath); try (DirectoryStream stream = Files.newDirectoryStream(moduleFolder, JAR)) { From a2b53fccc4b9c8817a4ec903fce4def24788d0a8 Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Wed, 24 Jun 2026 06:36:59 +0200 Subject: [PATCH 11/12] Fix resource leak in DataEditorServiceTest.revertFile() Wrap Files.newOutputStream in try-with-resources to prevent CWE-404 resource leak when the stream is not properly closed after writing. CID: 415068 Signed-off-by: Stefan Weil Assisted-by: qwen3.6-36b (Alibaba) --- .../services/dataeditor/DataEditorServiceTest.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Kitodo/src/test/java/org/kitodo/production/services/dataeditor/DataEditorServiceTest.java b/Kitodo/src/test/java/org/kitodo/production/services/dataeditor/DataEditorServiceTest.java index 03aaab15c06..184a62d3efe 100644 --- a/Kitodo/src/test/java/org/kitodo/production/services/dataeditor/DataEditorServiceTest.java +++ b/Kitodo/src/test/java/org/kitodo/production/services/dataeditor/DataEditorServiceTest.java @@ -17,6 +17,7 @@ import java.io.File; import java.io.IOException; +import java.io.OutputStream; import java.nio.file.Files; import java.nio.file.Paths; @@ -45,7 +46,9 @@ public void saveFile() throws IOException { @AfterEach public void revertFile() throws IOException { - IOUtils.write( testMetaOldFormat, Files.newOutputStream(Paths.get(pathOfOldMetaFormat))); + try (OutputStream out = Files.newOutputStream(Paths.get(pathOfOldMetaFormat))) { + IOUtils.write(testMetaOldFormat, out); + } } @Test From e5a8ce9fa885ab8d1741fcfdc21906a48caaaefe Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Wed, 24 Jun 2026 09:29:56 +0200 Subject: [PATCH 12/12] Fix resource leak in MediaPartialFormTest.initTestClass() CID: 415099 Assisted-by: qwen3.6-36b (Alibaba) Signed-off-by: Stefan Weil --- .../forms/dataeditor/MediaPartialFormTest.java | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/Kitodo/src/test/java/org/kitodo/production/forms/dataeditor/MediaPartialFormTest.java b/Kitodo/src/test/java/org/kitodo/production/forms/dataeditor/MediaPartialFormTest.java index 36c3c18fab6..567953f5e35 100644 --- a/Kitodo/src/test/java/org/kitodo/production/forms/dataeditor/MediaPartialFormTest.java +++ b/Kitodo/src/test/java/org/kitodo/production/forms/dataeditor/MediaPartialFormTest.java @@ -23,6 +23,7 @@ import java.util.LinkedList; import org.apache.commons.lang3.tuple.ImmutablePair; +import org.junit.jupiter.api.AfterAll; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -48,6 +49,7 @@ public class MediaPartialFormTest { PhysicalDivision physicalDivision; PhysicalDivision physicalStructure; + private static MockedStatic ajaxMockedStatic; /** * Initialize test class. @@ -55,12 +57,22 @@ public class MediaPartialFormTest { @BeforeAll public static void initTestClass() { // mock frontend update calls - Mockito.mockStatic(Ajax.class); + ajaxMockedStatic = Mockito.mockStatic(Ajax.class); PrimeFaces primeFaces = mock(PrimeFaces.class); MockedStatic primefacesSingleton = Mockito.mockStatic(PrimeFaces.class); primefacesSingleton.when(PrimeFaces::current).thenReturn(primeFaces); } + /** + * Clean up static mocks. + */ + @AfterAll + public static void cleanupTestClass() { + if (ajaxMockedStatic != null) { + ajaxMockedStatic.close(); + } + } + /** * Initialize test function. */