
Follow-up for some issues raised during the review of #6006.
Asymmetric array check in existsFailFastCheck (#6006 (comment))

The following lines should probably either both call getArray():

codeql/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll
Lines 284 to 286 in 4a02505

Most likely it is however not needed to call getArray() at all because the enclosing predicate existsFailFastCheck is used as part of taint tracking and I assume the standard taint tracking already considers flow from an array to an access to one of its elements.

False negatives for final variables (#6006 (comment))

The following line considers any final variable to be likely a constant:

codeql/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll
Line 235 in 4a02505

This leads to false negatives because merely making a parameter or a local variable with a non-constant value final causes the predicate to consider it constant. For example the following Java code [1] is not flagged when the parameter is made final:

The question is whether that looksLikeConstant predicate is really needed in the first place (@artem-smotrakov). While checking for hardcoded credentials is covered by a different query, checking for hardcoded credentials in a non-constant time way seems like an additional vulnerability because it might even allow extracting the hardcoded credential. If the intention was only to ignore Java test classes, then maybe those should be ignored by file path of the compilation unit or by checking if the enclosing class is a test class (similar to how other queries do that), or to rely on GitHub code scanning classifying the code as test code and not adding any checks (?).

Footnotes

[1] This is not actually realistic code because new String(...) does not produce reasonable output in this situation. Instead it is more likely that user code converts the bytes to a hex string. Unfortunately taint does not seem to propagate through such manually written code properly, for example using a hexString(...) call with the following method instead of a new String(...) call does not seem to be detected:
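The pattern behind the final-variable point above, as an added example that is not the issue author's code and not part of the CodeQL repository: a computed MAC compared in a non-constant-time way against a caller-supplied value held in a final parameter, next to the constant-time form. The class name, method names, key and message are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Constructed example; all names and values here are hypothetical.
public class FinalTagCheck {

    // Computes HMAC-SHA256 over the message with the given key.
    static byte[] hmac(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    // Non-constant-time check: Arrays.equals makes no timing guarantee and may
    // stop at the first differing byte. receivedTag comes from the caller, so
    // it is not a constant, but it is declared final, which is the case the
    // issue says the query treats as "likely a constant".
    static boolean verifyFailFast(byte[] key, byte[] message,
                                  final byte[] receivedTag) throws Exception {
        return Arrays.equals(hmac(key, message), receivedTag);
    }

    // Hardened form: MessageDigest.isEqual takes time that does not depend on
    // where the two arrays differ.
    static boolean verifyConstantTime(byte[] key, byte[] message,
                                      final byte[] receivedTag) throws Exception {
        return MessageDigest.isEqual(hmac(key, message), receivedTag);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        byte[] msg = "constructed message".getBytes(StandardCharsets.UTF_8);

        byte[] validTag = hmac(key, msg);
        byte[] forgedTag = validTag.clone();
        forgedTag[forgedTag.length - 1] ^= 0x01; // differs only in the last byte

        // Both methods return the same verdicts; only their timing behaviour
        // differs, which is why a static query has to find the first one.
        System.out.println("fail-fast, valid tag:      " + verifyFailFast(key, msg, validTag));
        System.out.println("fail-fast, forged tag:     " + verifyFailFast(key, msg, forgedTag));
        System.out.println("constant-time, valid tag:  " + verifyConstantTime(key, msg, validTag));
        System.out.println("constant-time, forged tag: " + verifyConstantTime(key, msg, forgedTag));
    }
}
```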