You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@lucene.apache.org by us...@apache.org on 2021/11/03 16:19:33 UTC
[lucene] branch main updated: UCENE-10218: Extend
validateSourcePatterns task to scan for LTR/RTL unicode to catch "Trojan
Source" source code attacks (#425)
This is an automated email from the ASF dual-hosted git repository.
uschindler pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/lucene.git
The following commit(s) were added to refs/heads/main by this push:
new 1ae6b2a UCENE-10218: Extend validateSourcePatterns task to scan for LTR/RTL unicode to catch "Trojan Source" source code attacks (#425)
1ae6b2a is described below
commit 1ae6b2a6b9df69e26a94a295bd4b42bc0575b202
Author: Uwe Schindler <us...@apache.org>
AuthorDate: Wed Nov 3 17:19:24 2021 +0100
UCENE-10218: Extend validateSourcePatterns task to scan for LTR/RTL unicode to catch "Trojan Source" source code attacks (#425)
Co-authored-by: Dawid Weiss <da...@carrotsearch.com>
---
gradle/validation/validate-source-patterns.gradle | 55 +++++++++--------------
1 file changed, 21 insertions(+), 34 deletions(-)
diff --git a/gradle/validation/validate-source-patterns.gradle b/gradle/validation/validate-source-patterns.gradle
index 5b85190..cc01d37 100644
--- a/gradle/validation/validate-source-patterns.gradle
+++ b/gradle/validation/validate-source-patterns.gradle
@@ -61,8 +61,8 @@ def extensions = [
'xsl',
]
-// Create source validation task local for each project's files.
-subprojects {
+// Create source validation task local to each project
+allprojects {
task validateSourcePatterns(type: ValidateSourcePatternsTask) { task ->
group = 'Verification'
description = 'Validate Source Patterns'
@@ -78,16 +78,31 @@ subprojects {
}
// default excludes.
- exclude 'build/**'
+ exclude '**/build/**'
exclude '**/.idea/**'
- // ignore txt files in source resources and tests.
- exclude 'src/**/*.txt'
+ if (project == rootProject) {
+ // ourselves :-)
+ exclude 'gradle/validation/validate-source-patterns.gradle'
+
+ // gradle and idea folders.
+ exclude '.gradle/**'
+ exclude '.idea/**'
+ } else {
+ // ignore txt files in source resources and tests.
+ exclude 'src/**/*.txt'
+ }
}
}
// Add source validation to per-project checks as well.
check.dependsOn validateSourcePatterns
+
+ // Ensure validation runs prior to any compilation task. This also means
+ // no executable code can leak out to other modules.
+ tasks.withType(JavaCompile).configureEach {
+ mustRunAfter validateSourcePatterns
+ }
}
configure(project(':lucene:benchmark')) {
@@ -99,35 +114,6 @@ configure(project(':lucene:benchmark')) {
}
}
-configure(rootProject) {
- task validateSourcePatterns(type: ValidateSourcePatternsTask) { task ->
- group = 'Verification'
- description = 'Validate Source Patterns'
-
- sourceFiles = fileTree(projectDir) {
- extensions.each{
- include "**/*.${it}"
- }
-
- // Don't go into child projects (scanned separately).
- childProjects.keySet().each{
- exclude "${it}/**"
- }
-
- // default excludes.
- exclude '**/build/**'
-
- // ourselves :-)
- exclude 'gradle/validation/validate-source-patterns.gradle'
-
- // gradle and idea folders.
- exclude '.gradle/**'
- exclude '.idea/**'
- }
- }
-
- check.dependsOn validateSourcePatterns
-}
@CacheableTask
class ValidateSourcePatternsTask extends DefaultTask {
@@ -150,6 +136,7 @@ class ValidateSourcePatternsTask extends DefaultTask {
(~$/(?i)\bno(n|)commit\b/$) : 'nocommit',
(~$/\bTOOD:/$) : 'TOOD instead TODO',
(~$/\t/$) : 'tabs instead spaces',
+ (~$/[\u202A-\u202E\u2066-\u2069]/$) : 'misuse of RTL/LTR (https://trojansource.codes)',
(~$/\Q/**\E((?:\s)|(?:\*))*\Q{@inheritDoc}\E((?:\s)|(?:\*))*\Q*/\E/$) : '{@inheritDoc} on its own is unnecessary',
(~$/\$$(?:LastChanged)?Date\b/$) : 'svn keyword',
(~$/\$$(?:(?:LastChanged)?Revision|Rev)\b/$) : 'svn keyword',