Message-ID:
From: "vlsi (@vlsi)"
To: "pgjdbc/pgjdbc"
Date: Wed, 06 Aug 2025 15:37:57 +0000
Subject: Re: [pgjdbc/pgjdbc] PR #3750: Use `BufferedInputStream` with `FileInputStream`
In-Reply-To:
References:
List-Id:
X-GitHub-Author-Login: vlsi
X-GitHub-Comment-Id: 3160666440
X-GitHub-Comment-Type: issue_comment
X-GitHub-Issue: 3750
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-Type: comment
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/pull/3750#issuecomment-3160666440
Content-Type: text/plain; charset=utf-8

I've an idea how we could prevent similar issues in the future:

1) Create `org.postgresql.util.internal.IoUtil` class with `BufferedInputStream newBufferedInputStream(File)` method
2) Make sure we use the method whenever we need `new FileInputStream(...)`
3) Add `java.io.FileInputStream#FileInputStream(java.io.File)` and `FileInputStream(String name)` constructors to `forbidden-api.txt`: https://github.com/pgjdbc/pgjdbc/blob/de6023d9b90c0f5d66ed4efb9169cda56b352601/config/forbidden-apis/forbidden-apis.txt#L1
4) Exclude `org.postgresql.util.internal.IoUtil` from forbidden-apis check: https://github.com/pgjdbc/pgjdbc/blob/de6023d9b90c0f5d66ed4efb9169cda56b352601/build-logic/verification/src/main/kotlin/build-logic.forbidden-apis.gradle.kts#L23

Then the build would prevent `new FileInputStream` from entering the source code.

WDYT?