Posted to issues@maven.apache.org by GitBox <gi...@apache.org> on 2021/08/06 08:11:25 UTC

[GitHub] [maven-scripting-plugin] rmannibucau opened a new pull request #4: binding the session and servers helper in binding context

rmannibucau opened a new pull request #4:
URL: https://github.com/apache/maven-scripting-plugin/pull/4


   Following this checklist to help us incorporate your 
   contribution quickly and easily:
   
    - [ ] Make sure there is a [JIRA issue](https://issues.apache.org/jira/browse/MSCRIPTING) filed 
          for the change (usually before you start working on it).  Trivial changes like typos do not 
          require a JIRA issue.  Your pull request should address just this issue, without 
          pulling in other changes.
    - [ ] Each commit in the pull request should have a meaningful subject line and body.
    - [ ] Format the pull request title like `[MSCRIPTING-XXX] - Fixes bug in ApproximateQuantiles`,
          where you replace `MSCRIPTING-XXX` with the appropriate JIRA issue. Best practice
          is to use the JIRA issue title in the pull request title and in the first line of the 
          commit message.
    - [ ] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
    - [ ] Run `mvn clean verify` to make sure basic checks pass. A more thorough check will 
          be performed on your pull request automatically.
    - [ ] You have run the integration tests successfully (`mvn -Prun-its clean verify`).
   
   If your pull request is about ~20 lines of code you don't need to sign an
   [Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf); if you are unsure,
   please ask on the developers list.
   
   To make clear that you license your contribution under 
   the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
   you have to acknowledge this by using the following check-box.
   
    - [ ] I hereby declare this contribution to be licenced under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
   
    - [ ] In any other case, please file an [Apache Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf).
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@maven.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [maven-scripting-plugin] rfscholte commented on pull request #4: [MSCRIPTING-7] binding the session and servers helper in binding context

Posted by GitBox <gi...@apache.org>.
rfscholte commented on pull request #4:
URL: https://github.com/apache/maven-scripting-plugin/pull/4#issuecomment-894090842


   Don't forget to update https://github.com/apache/maven-scripting-plugin/blob/master/src/site/markdown/script-context.md





[GitHub] [maven-scripting-plugin] rfscholte commented on pull request #4: [MSCRIPTING-7] binding the session and servers helper in binding context

Posted by GitBox <gi...@apache.org>.
rfscholte commented on pull request #4:
URL: https://github.com/apache/maven-scripting-plugin/pull/4#issuecomment-903148622


   I'm going to close this one as I consider this a security vulnerability. The introduction of `servers` with exposed username/password means you can easily extract the credentials from the system it is running on.
   





[GitHub] [maven-scripting-plugin] rfscholte commented on a change in pull request #4: [MSCRIPTING-7] binding the session and servers helper in binding context

Posted by GitBox <gi...@apache.org>.
rfscholte commented on a change in pull request #4:
URL: https://github.com/apache/maven-scripting-plugin/pull/4#discussion_r684207177



##########
File path: src/main/java/org/apache/maven/plugins/scripting/EvalMojo.java
##########
@@ -73,8 +84,10 @@ public void execute()
          AbstractScriptEvaluator execute = constructExecute();
 
          Bindings bindings = new SimpleBindings();
+         bindings.put( "session", session );
          bindings.put( "project", project );
          bindings.put( "log", getLog() );
+         bindings.put( "servers", new Servers( session, settingsDecrypter ) );
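Review bot: binding `servers` as `new Servers( session, settingsDecrypter )` gives every script the mojo evaluates an object that can decrypt any `<server>` username/password, not only the one a given build step needs; that is the exposure later raised in this thread as a security concern. The `session` binding added two lines above is just as broad, since the session reaches the settings and the container that can be used to decipher them, so dropping `Servers` alone would not narrow it. A scoped alternative is resolving credentials for one repository via `session.getRepositorySession().getAuthenticationSelector().getAuthentication(RemoteRepository)`; whichever bindings remain also need documenting in src/site/markdown/script-context.md.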

Review comment:
       If I understand what you need and staying close to what Maven offers, I think you should focus on `session.getRepositorySession().getAuthenticationSelector().getAuthentication(RemoteRepository)`







[GitHub] [maven-scripting-plugin] rmannibucau commented on a change in pull request #4: [MSCRIPTING-7] binding the session and servers helper in binding context

Posted by GitBox <gi...@apache.org>.
rmannibucau commented on a change in pull request #4:
URL: https://github.com/apache/maven-scripting-plugin/pull/4#discussion_r684363382



##########
File path: src/main/java/org/apache/maven/plugins/scripting/EvalMojo.java
##########
@@ -73,8 +84,10 @@ public void execute()
          AbstractScriptEvaluator execute = constructExecute();
 
          Bindings bindings = new SimpleBindings();
+         bindings.put( "session", session );
          bindings.put( "project", project );
          bindings.put( "log", getLog() );
+         bindings.put( "servers", new Servers( session, settingsDecrypter ) );

Review comment:
       What I want is a Server#password in clear but I don't want to decipher all servers upfront. From what I saw, getSettings() is NOT clear there so I would have to "clearify" it before binding it which I want to avoid so I thought using a lazy simple accessor is more script friendly than exposing the session and letting user use plexus container to do lookups to decipher values.
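As an added example (not code from this PR or from the plugin), the scoped alternative rfscholte points at above, set against the lazy `Servers` accessor described here: credentials are resolved for one named repository through the session's `AuthenticationSelector`, which Maven core already fills from the decrypted settings, so the script decrypts nothing itself and never sees unrelated servers. It assumes the Maven Resolver (`org.eclipse.aether`) API; the class and method names are ours.

```java
import org.eclipse.aether.RepositorySystemSession;
import org.eclipse.aether.repository.Authentication;
import org.eclipse.aether.repository.AuthenticationContext;
import org.eclipse.aether.repository.RemoteRepository;

// Added example, not code from the PR or the plugin: resolve credentials for ONE
// repository via the selector Maven core filled from the decrypted settings,
// instead of binding a helper that can decrypt every <server> entry.
public final class ScopedCredentials
{
    /** What a script gets to see: the credentials of a single repository, nothing else. */
    public static final class RepoCredentials
    {
        public final String username;
        public final char[] password;
        RepoCredentials( String username, char[] password )
        {
            this.username = username;
            this.password = password;
        }
    }

    /**
     * Returns the credentials Maven itself would use for the repository with this id
     * (the selector matches it against the <server> id), or null when no server, or
     * no username/password, is configured for it.
     */
    public static RepoCredentials credentialsFor( RepositorySystemSession session, String id, String url )
    {
        RemoteRepository repo = new RemoteRepository.Builder( id, "default", url ).build();
        Authentication auth = session.getAuthenticationSelector().getAuthentication( repo );
        if ( auth == null )
        {
            return null;
        }
        // forRepository() reads the authentication attached to the repository object.
        RemoteRepository withAuth = new RemoteRepository.Builder( repo ).setAuthentication( auth ).build();
        AuthenticationContext ctx = AuthenticationContext.forRepository( session, withAuth );
        try
        {
            String user = ctx.get( AuthenticationContext.USERNAME );
            char[] pass = ctx.get( AuthenticationContext.PASSWORD, char[].class );
            // The context may clear char[] data on close(), so copy before leaving the block.
            return ( user == null || pass == null ) ? null : new RepoCredentials( user, pass.clone() );
        }
        finally
        {
            AuthenticationContext.close( ctx );
        }
    }
}
```

A mojo would call `ScopedCredentials.credentialsFor( session.getRepositorySession(), repoId, repoUrl )` and bind only the returned object, so the script's reach is limited to that one repository's credentials.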







[GitHub] [maven-scripting-plugin] rfscholte closed pull request #4: [MSCRIPTING-7] binding the session and servers helper in binding context

Posted by GitBox <gi...@apache.org>.
rfscholte closed pull request #4:
URL: https://github.com/apache/maven-scripting-plugin/pull/4


   





[GitHub] [maven-scripting-plugin] rmannibucau commented on pull request #4: [MSCRIPTING-7] binding the session and servers helper in binding context

Posted by GitBox <gi...@apache.org>.
rmannibucau commented on pull request #4:
URL: https://github.com/apache/maven-scripting-plugin/pull/4#issuecomment-903223816


   @rfscholte will you also prevent using any mojo? It is the same security level. Without that this plugin is not that helpful in most cases IMHO (no easy website custo/generation), no CI/CD etc...
   Worked around this lack by using exec plugin and a custom maven decrypter - it is just 100LoC but the security point is clearly not accurate for any mojo since they all have access to it and they are all - script or not - part of the build. Preventing a script not in the project is a thing but not all other cases technically speaking.





[GitHub] [maven-scripting-plugin] rfscholte commented on a change in pull request #4: [MSCRIPTING-7] binding the session and servers helper in binding context

Posted by GitBox <gi...@apache.org>.
rfscholte commented on a change in pull request #4:
URL: https://github.com/apache/maven-scripting-plugin/pull/4#discussion_r684042106



##########
File path: src/main/java/org/apache/maven/plugins/scripting/EvalMojo.java
##########
@@ -73,8 +84,10 @@ public void execute()
          AbstractScriptEvaluator execute = constructExecute();
 
          Bindings bindings = new SimpleBindings();
+         bindings.put( "session", session );
          bindings.put( "project", project );
          bindings.put( "log", getLog() );
+         bindings.put( "servers", new Servers( session, settingsDecrypter ) );

Review comment:
       I have doubts about this one, `servers` has never been used as a variable. Better to stick to `settings` with resolved values.







[GitHub] [maven-scripting-plugin] rmannibucau commented on a change in pull request #4: [MSCRIPTING-7] binding the session and servers helper in binding context

Posted by GitBox <gi...@apache.org>.
rmannibucau commented on a change in pull request #4:
URL: https://github.com/apache/maven-scripting-plugin/pull/4#discussion_r684098220



##########
File path: src/main/java/org/apache/maven/plugins/scripting/EvalMojo.java
##########
@@ -73,8 +84,10 @@ public void execute()
          AbstractScriptEvaluator execute = constructExecute();
 
          Bindings bindings = new SimpleBindings();
+         bindings.put( "session", session );
          bindings.put( "project", project );
          bindings.put( "log", getLog() );
+         bindings.put( "servers", new Servers( session, settingsDecrypter ) );

Review comment:
       Do we have it already? I would like to avoid deciphering the whole settings each time (this is done only when needed) because it can slow down the execution a loooot for nothing in practice.
   Happy to wrap it in a MavenScripting wrapper which would expose this kind of API (so script would use mavenScripting.servers.find(...))



