Posted to dev@maven.apache.org by Aldrin Leal <al...@leal.eng.br> on 2022/12/16 17:02:02 UTC

How secure is invoking a single mojo?

Hello,

Just a question I'd like to confirm with you guys: How "safe" is it to run
`dependency:tree` on a given arbitrary pom?

I mean, what's the likelihood of that pom.xml triggering some "unsafe" code?

And how would you do this (listing all the required runtime jar files
for a given project) in the most secure way if you were given this task?

Thank you
--
-- Aldrin Leal, <al...@leal.eng.br> / https://aldrinleal.link

Re: How secure is invoking a single mojo?

Posted by Tamás Cservenák <ta...@cservenak.net>.
Howdy,

just an interesting fact:
if we remain in the "Java realm" and are kind of afraid of "arbitrary Java code
execution",
I'd convert the plugin to a Takari Incremental plugin
https://github.com/takari/io.takari.incrementalbuild

Its runtime "cages" the Mojos and allows them to read from and write to
only controlled locations...
https://github.com/takari/io.takari.incrementalbuild/tree/master/takari-builder-enforcer

Sadly, it uses SecurityManager to achieve this, which has been deprecated
in the latest Java versions...

T

On Fri, Dec 16, 2022 at 10:33 PM Elliotte Rusty Harold <el...@ibiblio.org>
wrote:

> On Fri, Dec 16, 2022 at 5:02 PM Aldrin Leal <al...@leal.eng.br> wrote:
> >
> > Hello,
> >
> > Just a question I'd like to confirm with you guys: How "safe" is it to run
> > `dependency:tree` on a given arbitrary pom?
> >
>
> All that should do is load various XML files from possibly remote
> servers and parse them, so it's about as safe as doing that. It
> shouldn't trigger the running of any code not already in the maven
> dependency plugin and its dependencies. And that is all Java. If you
> could find a way to trigger bad behavior by feeding an arbitrary byte
> stream into the XML parser in the JDK or the maven-dependency-plugin
> and its dependencies, then there could be an issue. I'd guess that it
> might be possible to crash or hang Maven by sending sufficiently ugly
> malformed XML down the pipe. I'd be surprised if you could get as far
> as executing arbitrary code. That would probably require finding a
> serious JDK bug. It's possible there is such a bug waiting to be
> discovered, but I don't know of any.
>
> --
> Elliotte Rusty Harold
> elharo@ibiblio.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> For additional commands, e-mail: dev-help@maven.apache.org
>
>

Re: How secure is invoking a single mojo?

Posted by Elliotte Rusty Harold <el...@ibiblio.org>.
On Fri, Dec 16, 2022 at 5:02 PM Aldrin Leal <al...@leal.eng.br> wrote:
>
> Hello,
>
> Just a question I'd like to confirm with you guys: How "safe" is it to run
> `dependency:tree` on a given arbitrary pom?
>

All that should do is load various XML files from possibly remote
servers and parse them, so it's about as safe as doing that. It
shouldn't trigger the running of any code not already in the maven
dependency plugin and its dependencies. And that is all Java. If you
could find a way to trigger bad behavior by feeding an arbitrary byte
stream into the XML parser in the JDK or the maven-dependency-plugin
and its dependencies, then there could be an issue. I'd guess that it
might be possible to crash or hang Maven by sending sufficiently ugly
malformed XML down the pipe. I'd be surprised if you could get as far
as executing arbitrary code. That would probably require finding a
serious JDK bug. It's possible there is such a bug waiting to be
discovered, but I don't know of any.

-- 
Elliotte Rusty Harold
elharo@ibiblio.org

Re: How secure is invoking a single mojo?

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi Aldrin,

Maybe DefaultModelReader from the maven-model-builder module, but it depends on
whether you want the pom resolved or just the raw pom.

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


On Wed, Dec 28, 2022 at 22:10, Aldrin Leal <al...@leal.eng.br> wrote:

> Tamas,
>
> Thanks for your idea. If I wanted to resolve from reading a pom file from
> scratch, where would you point me (thinking MavenXpp3Reader and friends,
> perhaps?).
>
> --
> -- Aldrin Leal, <al...@leal.eng.br> / https://aldrinleal.link
>
>
> On Fri, Dec 16, 2022 at 4:17 PM Tamás Cservenák <ta...@cservenak.net>
> wrote:
>
> > You can write a simple app using resolver. There are demos that perform
> > fully functional things, for example
> >
> >
> >
> https://github.com/apache/maven-resolver/blob/master/maven-resolver-demos/maven-resolver-demo-snippets/src/main/java/org/apache/maven/resolver/examples/GetDependencyTree.java
> >
> > Hth
> > T
> >
> > On Fri, Dec 16, 2022, 22:12 Aldrin Leal <al...@leal.eng.br> wrote:
> >
> > > Thanks Michael, indeed this can be better worded. What about:
> > >
> > > How to programmatically list a pom's dependencies (incl. transitive) without
> > > the risk of running untrusted/unauthorized code?
> > >
> > > --
> > > -- Aldrin Leal, <al...@leal.eng.br> / https://aldrinleal.link
> > >
> > >
> > > On Fri, Dec 16, 2022 at 3:55 PM Michael Osipov <mi...@apache.org>
> > > wrote:
> > >
> > > > On 2022-12-16 at 18:02, Aldrin Leal wrote:
> > > > > Hello,
> > > > >
> > > > > Just a question I'd like to confirm with you guys: How "safe" is it to run
> > > > > `dependency:tree` on a given arbitrary pom?
> > > > >
> > > > > I mean, what's the likelihood of that pom.xml triggering some "unsafe"
> > > > > code?
> > > > >
> > > > > And how would you do this (listing all the required runtime jar files
> > > > > for a given project) in the most secure way if you were given this task?
> > > >
> > > > Safety and security are two different things. What are you striving for?
> > > >
> > > >
> > > >
> > > >
> > >
> >
>
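
As an added example (not code from this thread, from Maven or from any of the
projects linked above), here is one way to take Romain's "raw pom" route and
Elliotte's "about as safe as parsing XML" framing literally: read the pom with a
JAXP parser configured to refuse DOCTYPEs and external entities, then list the
declared dependencies without resolving anything and without loading a single
plugin. The class name, the `listDependencies` helper and the sample pom are
assumptions of this example; it uses only the JDK. Transitive resolution still
needs the resolver approach Tamás linked, because that has to fetch remote poms.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Added example (hypothetical class, not part of Maven): list a raw pom's
// declared dependencies using a parser that cannot fetch DTDs or entities.
public class RawPomDependencies {

    // JAXP parser hardened against XXE and DTD-based entity expansion.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // A pom never needs a DOCTYPE; refusing it up front closes the
        // external-entity and entity-expansion paths entirely.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Text of the first child element named `name`, or null if absent.
    static String childText(Element parent, String name) {
        NodeList kids = parent.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE && name.equals(n.getLocalName())) {
                return n.getTextContent().trim();
            }
        }
        return null;
    }

    // Returns "groupId:artifactId:version:scope" for each dependency declared
    // directly under <project> or a <profile>. dependencyManagement entries and
    // plugin-level dependencies are skipped; a missing version (managed by a
    // parent) is reported as "(managed)" because the raw pom cannot know it.
    static List<String> listDependencies(String pomXml)
            throws ParserConfigurationException, SAXException, IOException {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(pomXml)));
        List<String> out = new ArrayList<>();
        NodeList deps = doc.getElementsByTagNameNS("*", "dependency");
        for (int i = 0; i < deps.getLength(); i++) {
            Element dep = (Element) deps.item(i);
            Node owner = dep.getParentNode().getParentNode();   // parent of <dependencies>
            String ownerName = owner == null ? "" : owner.getLocalName();
            if (!"project".equals(ownerName) && !"profile".equals(ownerName)) {
                continue;
            }
            String version = childText(dep, "version");
            String scope = childText(dep, "scope");
            out.add(childText(dep, "groupId") + ":" + childText(dep, "artifactId")
                    + ":" + (version == null ? "(managed)" : version)
                    + ":" + (scope == null ? "compile" : scope));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample pom for the demonstration (not a real project).
        String pom = "<project xmlns=\"http://maven.apache.org/POM/4.0.0\">"
                + "<modelVersion>4.0.0</modelVersion>"
                + "<groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>"
                + "<dependencyManagement><dependencies><dependency>"
                + "<groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version>"
                + "</dependency></dependencies></dependencyManagement>"
                + "<dependencies>"
                + "<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>"
                + "<version>2.0.6</version></dependency>"
                + "<dependency><groupId>junit</groupId><artifactId>junit</artifactId>"
                + "<scope>test</scope></dependency>"
                + "</dependencies></project>";
        for (String gav : listDependencies(pom)) {
            System.out.println(gav);
        }

        // Any pom carrying a DOCTYPE is rejected before its entities are examined.
        String withDoctype = "<!DOCTYPE project [<!ENTITY x \"y\">]>"
                + "<project><dependencies/></project>";
        try {
            listDependencies(withDoctype);
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac RawPomDependencies.java && java RawPomDependencies`.
The design point is that no Maven class is on the classpath at all: the pom is
data, nothing in it selects or runs a plugin, and the parser's attack surface is
reduced to what the JDK's XML implementation does with a DOCTYPE-free document.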

Re: How secure is invoking a single mojo?

Posted by Aldrin Leal <al...@leal.eng.br>.
Tamas,

Thanks for your idea. If I wanted to resolve from reading a pom file from
scratch, where would you point me (thinking MavenXpp3Reader and friends,
perhaps?).

--
-- Aldrin Leal, <al...@leal.eng.br> / https://aldrinleal.link


On Fri, Dec 16, 2022 at 4:17 PM Tamás Cservenák <ta...@cservenak.net> wrote:

> You can write a simple app using resolver. There are demos that perform
> fully functional things, for example
>
>
> https://github.com/apache/maven-resolver/blob/master/maven-resolver-demos/maven-resolver-demo-snippets/src/main/java/org/apache/maven/resolver/examples/GetDependencyTree.java
>
> Hth
> T
>
> On Fri, Dec 16, 2022, 22:12 Aldrin Leal <al...@leal.eng.br> wrote:
>
> > Thanks Michael, indeed this can be better worded. What about:
> >
> > How to programmatically list a pom's dependencies (incl. transitive) without
> > the risk of running untrusted/unauthorized code?
> >
> > --
> > -- Aldrin Leal, <al...@leal.eng.br> / https://aldrinleal.link
> >
> >
> > On Fri, Dec 16, 2022 at 3:55 PM Michael Osipov <mi...@apache.org>
> > wrote:
> >
> > > On 2022-12-16 at 18:02, Aldrin Leal wrote:
> > > > Hello,
> > > >
> > > > Just a question I'd like to confirm with you guys: How "safe" is it to run
> > > > `dependency:tree` on a given arbitrary pom?
> > > >
> > > > I mean, what's the likelihood of that pom.xml triggering some "unsafe"
> > > > code?
> > > >
> > > > And how would you do this (listing all the required runtime jar files
> > > > for a given project) in the most secure way if you were given this task?
> > >
> > > Safety and security are two different things. What are you striving for?
> > >
> > >
> > >
> > >
> >
>

Re: How secure is invoking a single mojo?

Posted by Tamás Cservenák <ta...@cservenak.net>.
You can write a simple app using resolver. There are demos that perform
fully functional things, for example

https://github.com/apache/maven-resolver/blob/master/maven-resolver-demos/maven-resolver-demo-snippets/src/main/java/org/apache/maven/resolver/examples/GetDependencyTree.java

Hth
T

On Fri, Dec 16, 2022, 22:12 Aldrin Leal <al...@leal.eng.br> wrote:

> Thanks Michael, indeed this can be better worded. What about:
>
> How to programmatically list a pom's dependencies (incl. transitive) without
> the risk of running untrusted/unauthorized code?
>
> --
> -- Aldrin Leal, <al...@leal.eng.br> / https://aldrinleal.link
>
>
> On Fri, Dec 16, 2022 at 3:55 PM Michael Osipov <mi...@apache.org>
> wrote:
>
> > On 2022-12-16 at 18:02, Aldrin Leal wrote:
> > > Hello,
> > >
> > > Just a question I'd like to confirm with you guys: How "safe" is it to run
> > > `dependency:tree` on a given arbitrary pom?
> > >
> > > I mean, what's the likelihood of that pom.xml triggering some "unsafe"
> > > code?
> > >
> > > And how would you do this (listing all the required runtime jar files
> > > for a given project) in the most secure way if you were given this task?
> >
> > Safety and security are two different things. What are you striving for?
> >
> >
> >
> >
>

Re: How secure is invoking a single mojo?

Posted by Aldrin Leal <al...@leal.eng.br>.
Thanks Michael, indeed this can be better worded. What about:

How to programmatically list a pom's dependencies (incl. transitive) without
the risk of running untrusted/unauthorized code?

--
-- Aldrin Leal, <al...@leal.eng.br> / https://aldrinleal.link


On Fri, Dec 16, 2022 at 3:55 PM Michael Osipov <mi...@apache.org> wrote:

> On 2022-12-16 at 18:02, Aldrin Leal wrote:
> > Hello,
> >
> > Just a question I'd like to confirm with you guys: How "safe" is it to run
> > `dependency:tree` on a given arbitrary pom?
> >
> > I mean, what's the likelihood of that pom.xml triggering some "unsafe"
> > code?
> >
> > And how would you do this (listing all the required runtime jar files
> > for a given project) in the most secure way if you were given this task?
>
> Safety and security are two different things. What are you striving for?
>
>
>
>

Re: How secure is invoking a single mojo?

Posted by Michael Osipov <mi...@apache.org>.
On 2022-12-16 at 18:02, Aldrin Leal wrote:
> Hello,
> 
> Just a question I'd like to confirm with you guys: How "safe" is it to run
> `dependency:tree` on a given arbitrary pom?
> 
> I mean, what's the likelihood of that pom.xml triggering some "unsafe" code?
> 
> And how would you do this (listing all the required runtime jar files
> for a given project) in the most secure way if you were given this task?

Safety and security are two different things. What are you striving for?

