Posted to commits@solr.apache.org by us...@apache.org on 2021/11/03 16:30:05 UTC
[solr] branch main updated: SOLR-15764 (based on LUCENE-10218):
Extend validateSourcePatterns task to scan for LTR/RTL unicode to catch
"Trojan Source" source code attacks
This is an automated email from the ASF dual-hosted git repository.
uschindler pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/main by this push:
new 23b07ef SOLR-15764 (based on LUCENE-10218): Extend validateSourcePatterns task to scan for LTR/RTL unicode to catch "Trojan Source" source code attacks
23b07ef is described below
commit 23b07efc12202922eb8ffc48fd69f60aee0c918a
Author: Uwe Schindler <us...@apache.org>
AuthorDate: Wed Nov 3 17:29:56 2021 +0100
SOLR-15764 (based on LUCENE-10218): Extend validateSourcePatterns task to scan for LTR/RTL unicode to catch "Trojan Source" source code attacks
Co-authored-by: Dawid Weiss <da...@carrotsearch.com>
---
gradle/validation/validate-source-patterns.gradle | 52 +++++++++--------------
1 file changed, 21 insertions(+), 31 deletions(-)
diff --git a/gradle/validation/validate-source-patterns.gradle b/gradle/validation/validate-source-patterns.gradle
index 13795c6..d1744c1 100644
--- a/gradle/validation/validate-source-patterns.gradle
+++ b/gradle/validation/validate-source-patterns.gradle
@@ -61,8 +61,8 @@ def extensions = [
'xsl',
]
-// Create source validation task local for each project's files.
-subprojects {
+// Create source validation task local to each project
+allprojects {
task validateSourcePatterns(type: ValidateSourcePatternsTask) { task ->
group = 'Verification'
description = 'Validate Source Patterns'
@@ -78,16 +78,31 @@ subprojects {
}
// default excludes.
- exclude 'build/**'
+ exclude '**/build/**'
exclude '**/.idea/**'
- // ignore txt files in source resources and tests.
- exclude 'src/**/*.txt'
+ if (project == rootProject) {
+ // ourselves :-)
+ exclude 'gradle/validation/validate-source-patterns.gradle'
+
+ // gradle and idea folders.
+ exclude '.gradle/**'
+ exclude '.idea/**'
+ } else {
+ // ignore txt files in source resources and tests.
+ exclude 'src/**/*.txt'
+ }
}
}
// Add source validation to per-project checks as well.
check.dependsOn validateSourcePatterns
+
+ // Ensure validation runs prior to any compilation task. This also means
+ // no executable code can leak out to other modules.
+ tasks.withType(JavaCompile).configureEach {
+ mustRunAfter validateSourcePatterns
+ }
}
configure(project(':solr:core')) {
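Review bot: `mustRunAfter validateSourcePatterns` on the JavaCompile tasks only orders the two tasks when both are already in the task graph; it does not pull validation into a build that requests compilation alone, so the comment's claim that validation runs prior to any compilation task (and that no executable code can leak out to other modules) holds only for invocations that also schedule `validateSourcePatterns`, such as `check`. If the stronger guarantee is intended, `dependsOn validateSourcePatterns` provides it at the cost of always running the scan before javac; otherwise the comment should state the limit, e.g. `// When both tasks are scheduled (e.g. 'check'), validate before compiling so flagged sources never reach javac.` Separately, the root project is now configured by the same `allprojects` block while the old rootProject block with its childProjects exclusion is deleted (hunk at L65); the `sourceFiles` definition for the new block lies outside this hunk, so it is worth confirming it still keeps the root's tree out of child project directories, or each subproject's files will be scanned twice. The enclosing `allprojects` block starts before this hunk.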
@@ -103,32 +118,6 @@ configure(project(':solr:server')) {
}
}
-configure(rootProject) {
- task validateSourcePatterns(type: ValidateSourcePatternsTask) { task ->
- group = 'Verification'
- description = 'Validate Source Patterns'
-
- sourceFiles = fileTree(projectDir) {
- extensions.each{
- include "**/*.${it}"
- }
-
- // Don't go into child projects (scanned separately).
- childProjects.keySet().each{
- exclude "${it}/**"
- }
-
- // default excludes.
- exclude '**/build/**'
- exclude '**/.idea/**'
-
- // ourselves :-)
- exclude 'gradle/validation/validate-source-patterns.gradle'
- }
- }
-
- check.dependsOn validateSourcePatterns
-}
class ValidateSourcePatternsTask extends DefaultTask {
private ProgressLoggerFactory progressLoggerFactory
@@ -148,6 +137,7 @@ class ValidateSourcePatternsTask extends DefaultTask {
(~$/(?i)\bno(n|)commit\b/$) : 'nocommit',
(~$/\bTOOD:/$) : 'TOOD instead TODO',
(~$/\t/$) : 'tabs instead spaces',
+ (~$/[\u202A-\u202E\u2066-\u2069]/$) : 'misuse of RTL/LTR (https://trojansource.codes)',
(~$/\Q/**\E((?:\s)|(?:\*))*\Q{@inheritDoc}\E((?:\s)|(?:\*))*\Q*/\E/$) : '{@inheritDoc} on its own is unnecessary',
(~$/\$$(?:LastChanged)?Date\b/$) : 'svn keyword',
(~$/\$$(?:(?:LastChanged)?Revision|Rev)\b/$) : 'svn keyword',
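Review bot: The new character class flags the bidi embedding, override and isolate controls (U+202A–U+202E, U+2066–U+2069), but other invisible formatting characters such as U+200B–U+200D and U+2060, which are likewise not rendered by editors, pass the scan unchanged. Whether those belong in this task is a judgement call, but a second entry of the form `(~$/[\u200B-\u200D\u2060]/$) : 'invisible zero-width unicode character',` would cover the common ones without flagging a leading U+FEFF byte-order mark. The message text 'misuse of RTL/LTR' is also a little narrow for the isolate controls; 'bidi control character' describes the whole range. The pattern map this entry sits in begins before the hunk.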