From 70918eeb7b4a6552d8a736a786c0da0c1dde80a1 Mon Sep 17 00:00:00 2001
From: Adam Samalik
Date: Thu, 29 Jun 2023 11:32:02 +0200
Subject: [PATCH] re-import sources as agreed with the maintainer
---
 .gitignore | 12 +-
 .maven-shared-utils.metadata | 1 +
 ...-POSIX-attributes-for-symbolic-links.patch | 28 --
 0002-Port-to-plexus-utils-3.0.10.patch | 25 --
 ...single-quote-executable-and-argument.patch | 319 ++++++++++++++++++
 ...-POSIX-attributes-for-symbolic-links.patch | 28 --
 gating.yaml | 8 -
 maven-shared-utils.spec | 8 +-
 8 files changed, 338 insertions(+), 91 deletions(-)
 create mode 100644 .maven-shared-utils.metadata
 delete mode 100644 0002-Avoid-setting-POSIX-attributes-for-symbolic-links.patch
 delete mode 100644 0002-Port-to-plexus-utils-3.0.10.patch
 create mode 100644 0002-Unconditionally-single-quote-executable-and-argument.patch
 delete mode 100644 0003-Avoid-setting-POSIX-attributes-for-symbolic-links.patch
 delete mode 100644 gating.yaml
diff --git a/.gitignore b/.gitignore
index d5877f8..4b22e99 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,12 @@
-SOURCES/maven-shared-utils-3.2.1-source-release.zip
+/maven-shared-utils-0.2-source-release.zip
+/maven-shared-utils-0.3-source-release.zip
+/maven-shared-utils-0.4-source-release.zip
+/maven-shared-utils-0.5-source-release.zip
+/maven-shared-utils-0.6-source-release.zip
+/maven-shared-utils-0.7-source-release.zip
+/maven-shared-utils-0.8-source-release.zip
+/maven-shared-utils-0.9-source-release.zip
+/maven-shared-utils-3.0.0-source-release.zip
+/maven-shared-utils-3.0.1-source-release.zip
+/maven-shared-utils-3.1.0-source-release.zip
 /maven-shared-utils-3.2.1-source-release.zip
diff --git a/.maven-shared-utils.metadata b/.maven-shared-utils.metadata
new file mode 100644
index 0000000..c4eb42d
--- /dev/null
+++ b/.maven-shared-utils.metadata
@@ -0,0 +1 @@
+015559e466938c7e9053603d37b96ef3e03b802b maven-shared-utils-3.2.1-source-release.zip
diff --git a/0002-Avoid-setting-POSIX-attributes-for-symbolic-links.patch b/0002-Avoid-setting-POSIX-attributes-for-symbolic-links.patch deleted file mode 100644 index c82fcf4..0000000 --- a/0002-Avoid-setting-POSIX-attributes-for-symbolic-links.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 932f9b15bd62255f81c66b564f748fff6ec84c86 Mon Sep 17 00:00:00 2001 -From: Mikolaj Izdebski -Date: Thu, 24 Sep 2020 20:17:56 +0200 -Subject: [PATCH 3/3] Avoid setting POSIX attributes for symbolic links - ---- - src/main/java/org/apache/maven/shared/utils/io/FileUtils.java | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/main/java/org/apache/maven/shared/utils/io/FileUtils.java b/src/main/java/org/apache/maven/shared/utils/io/FileUtils.java -index a3be324..a396d99 100644 ---- a/src/main/java/org/apache/maven/shared/utils/io/FileUtils.java -+++ b/src/main/java/org/apache/maven/shared/utils/io/FileUtils.java -@@ -1973,9 +1973,9 @@ public class FileUtils - } - } - } -- } - -- copyFilePermissions( from, to ); -+ copyFilePermissions( from, to ); -+ } - } - - /** --- -2.26.2 - diff --git a/0002-Port-to-plexus-utils-3.0.10.patch b/0002-Port-to-plexus-utils-3.0.10.patch deleted file mode 100644 index 1445dff..0000000 --- a/0002-Port-to-plexus-utils-3.0.10.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 3b87b36b85e365f32a1b9443a962e3149e2dfd64 Mon Sep 17 00:00:00 2001 -From: Marian Koncek -Date: Fri, 11 Sep 2020 11:02:29 +0200 -Subject: [PATCH 2/3] Port to plexus-utils 3.0.10 - ---- - .../java/org/apache/maven/shared/utils/io/FileUtilsTest.java | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/test/java/org/apache/maven/shared/utils/io/FileUtilsTest.java b/src/test/java/org/apache/maven/shared/utils/io/FileUtilsTest.java -index 9fa7c85..151bbc9 100644 ---- a/src/test/java/org/apache/maven/shared/utils/io/FileUtilsTest.java -+++ b/src/test/java/org/apache/maven/shared/utils/io/FileUtilsTest.java -@@ -655,7 +655,7 @@ public class FileUtilsTest - - private FileUtils.FilterWrapper[] wrappers( String key, String value ) - { -- final Map map = new HashMap<>(); -+ final Map map = new HashMap<>(); - map.put( key, value ); - return new FileUtils.FilterWrapper[] - { --- -2.26.2 - diff --git a/0002-Unconditionally-single-quote-executable-and-argument.patch b/0002-Unconditionally-single-quote-executable-and-argument.patch new file mode 100644 index 0000000..2093617 --- /dev/null +++ b/0002-Unconditionally-single-quote-executable-and-argument.patch 
@@ -0,0 +1,319 @@ +From c0b225b90d1056e29d681258a2008ae8aff2b508 Mon Sep 17 00:00:00 2001 +From: Marian Koncek +Date: Tue, 5 Apr 2022 13:56:20 +0200 +Subject: [PATCH] Unconditionally single quote executable and arguments + +Upstream: https://github.com/apache/maven-shared-utils/pull/40/commits +--- + .../shared/utils/cli/shell/BourneShell.java | 48 ++++++++----------- + .../maven/shared/utils/cli/shell/Shell.java | 39 ++++++++++----- + .../utils/cli/shell/BourneShellTest.java | 35 ++++++++++---- + 3 files changed, 72 insertions(+), 50 deletions(-) + +diff --git a/src/main/java/org/apache/maven/shared/utils/cli/shell/BourneShell.java b/src/main/java/org/apache/maven/shared/utils/cli/shell/BourneShell.java +index 11a447a..f0de631 100644 +--- a/src/main/java/org/apache/maven/shared/utils/cli/shell/BourneShell.java ++++ b/src/main/java/org/apache/maven/shared/utils/cli/shell/BourneShell.java +@@ -23,7 +23,6 @@ package org.apache.maven.shared.utils.cli.shell; + import java.util.ArrayList; + import java.util.List; + import org.apache.maven.shared.utils.Os; +-import org.apache.maven.shared.utils.StringUtils; + + /** + * @author Jason van Zyl +@@ -31,17 +30,15 @@ import org.apache.maven.shared.utils.StringUtils; + public class BourneShell + extends Shell + { +- private static final char[] BASH_QUOTING_TRIGGER_CHARS = +- { ' ', '$', ';', '&', '|', '<', '>', '*', '?', '(', ')', '[', ']', '{', '}', '`' }; +- + /** +- * Create instance of BournShell. ++ * Create instance of BourneShell. 
+ */ + public BourneShell() + { ++ setUnconditionalQuoting( true ); + setShellCommand( "/bin/sh" ); + setArgumentQuoteDelimiter( '\'' ); +- setExecutableQuoteDelimiter( '\"' ); ++ setExecutableQuoteDelimiter( '\'' ); + setSingleQuotedArgumentEscaped( true ); + setSingleQuotedExecutableEscaped( false ); + setQuotedExecutableEnabled( true ); +@@ -57,7 +54,7 @@ public class BourneShell + return super.getExecutable(); + } + +- return unifyQuotes( super.getExecutable() ); ++ return quoteOneItem( super.getExecutable(), true ); + } + + /** {@inheritDoc} */ +@@ -110,47 +107,40 @@ public class BourneShell + StringBuilder sb = new StringBuilder(); + sb.append( "cd " ); + +- sb.append( unifyQuotes( dir ) ); ++ sb.append( quoteOneItem( dir, false ) ); + sb.append( " && " ); + + return sb.toString(); + } + +- /** {@inheritDoc} */ +- protected char[] getQuotingTriggerChars() +- { +- return BASH_QUOTING_TRIGGER_CHARS; +- } +- + /** + *

Unify quotes in a path for the Bourne Shell.

+ *

+ *

+-     * BourneShell.unifyQuotes(null)                       = null
+-     * BourneShell.unifyQuotes("")                         = (empty)
+-     * BourneShell.unifyQuotes("/test/quotedpath'abc")     = /test/quotedpath\'abc
+-     * BourneShell.unifyQuotes("/test/quoted path'abc")    = "/test/quoted path'abc"
+-     * BourneShell.unifyQuotes("/test/quotedpath\"abc")    = "/test/quotedpath\"abc"
+-     * BourneShell.unifyQuotes("/test/quoted path\"abc")   = "/test/quoted path\"abc"
+-     * BourneShell.unifyQuotes("/test/quotedpath\"'abc")   = "/test/quotedpath\"'abc"
+-     * BourneShell.unifyQuotes("/test/quoted path\"'abc")  = "/test/quoted path\"'abc"
++     * BourneShell.quoteOneItem(null)                       = null
++     * BourneShell.quoteOneItem("")                         = ''
++     * BourneShell.quoteOneItem("/test/quotedpath'abc")     = '/test/quotedpath'"'"'abc'
++     * BourneShell.quoteOneItem("/test/quoted path'abc")    = '/test/quoted pat'"'"'habc'
++     * BourneShell.quoteOneItem("/test/quotedpath\"abc")    = '/test/quotedpath"abc'
++     * BourneShell.quoteOneItem("/test/quoted path\"abc")   = '/test/quoted path"abc'
++     * BourneShell.quoteOneItem("/test/quotedpath\"'abc")   = '/test/quotedpath"'"'"'abc'
++     * BourneShell.quoteOneItem("/test/quoted path\"'abc")  = '/test/quoted path"'"'"'abc'
+      * 
+ * + * @param path not null path. + * @return the path unified correctly for the Bourne shell. + */ +- private static String unifyQuotes( String path ) ++ protected String quoteOneItem( String path, boolean isExecutable ) + { + if ( path == null ) + { + return null; + } + +- if ( path.indexOf( ' ' ) == -1 && path.indexOf( '\'' ) != -1 && path.indexOf( '"' ) == -1 ) +- { +- return StringUtils.escape( path ); +- } +- +- return StringUtils.quoteAndEscape( path, '\"', BASH_QUOTING_TRIGGER_CHARS ); ++ StringBuilder sb = new StringBuilder(); ++ sb.append( "'" ); ++ sb.append( path.replace( "'", "'\"'\"'" ) ); ++ sb.append( "'" ); ++ return sb.toString(); + } + } +diff --git a/src/main/java/org/apache/maven/shared/utils/cli/shell/Shell.java b/src/main/java/org/apache/maven/shared/utils/cli/shell/Shell.java +index 6fa2f73..96904cb 100644 +--- a/src/main/java/org/apache/maven/shared/utils/cli/shell/Shell.java ++++ b/src/main/java/org/apache/maven/shared/utils/cli/shell/Shell.java +@@ -50,6 +50,8 @@ public class Shell + + private boolean quotedArgumentsEnabled = true; + ++ private boolean unconditionalQuoting = false; ++ + private String executable; + + private String workingDir; +@@ -113,6 +115,19 @@ public class Shell + } + } + ++ protected String quoteOneItem( String inputString, boolean isExecutable ) ++ { ++ char[] escapeChars = getEscapeChars( isSingleQuotedExecutableEscaped(), isDoubleQuotedExecutableEscaped() ); ++ return StringUtils.quoteAndEscape( ++ inputString, ++ isExecutable ? 
getExecutableQuoteDelimiter() : getArgumentQuoteDelimiter(), ++ escapeChars, ++ getQuotingTriggerChars(), ++ '\\', ++ unconditionalQuoting ++ ); ++ } ++ + /** + * Get the command line for the provided executable and arguments in this shell + * +@@ -145,15 +160,11 @@ public class Shell + + if ( isQuotedExecutableEnabled() ) + { +- char[] escapeChars = +- getEscapeChars( isSingleQuotedExecutableEscaped(), isDoubleQuotedExecutableEscaped() ); +- +- sb.append( StringUtils.quoteAndEscape( getExecutable(), getExecutableQuoteDelimiter(), escapeChars, +- getQuotingTriggerChars(), '\\', false ) ); ++ sb.append( quoteOneItem( executableParameter, true ) ); + } + else + { +- sb.append( getExecutable() ); ++ sb.append( executableParameter ); + } + } + for ( String argument : argumentsParameter ) +@@ -165,10 +176,7 @@ public class Shell + + if ( isQuotedArgumentsEnabled() ) + { +- char[] escapeChars = getEscapeChars( isSingleQuotedArgumentEscaped(), isDoubleQuotedArgumentEscaped() ); +- +- sb.append( StringUtils.quoteAndEscape( argument, getArgumentQuoteDelimiter(), escapeChars, +- getQuotingTriggerChars(), '\\', false ) ); ++ sb.append( quoteOneItem( argument, false ) ); + } + else + { +@@ -285,7 +293,7 @@ public class Shell + commandLine.addAll( getShellArgsList() ); + } + +- commandLine.addAll( getCommandLine( getExecutable(), arguments ) ); ++ commandLine.addAll( getCommandLine( executable, arguments ) ); + + return commandLine; + +@@ -398,4 +406,13 @@ public class Shell + this.singleQuotedExecutableEscaped = singleQuotedExecutableEscaped; + } + ++ public boolean isUnconditionalQuoting() ++ { ++ return unconditionalQuoting; ++ } ++ ++ public void setUnconditionalQuoting( boolean unconditionalQuoting ) ++ { ++ this.unconditionalQuoting = unconditionalQuoting; ++ } + } +diff --git a/src/test/java/org/apache/maven/shared/utils/cli/shell/BourneShellTest.java b/src/test/java/org/apache/maven/shared/utils/cli/shell/BourneShellTest.java +index b5f23d9..f5143c1 100644 +--- 
a/src/test/java/org/apache/maven/shared/utils/cli/shell/BourneShellTest.java ++++ b/src/test/java/org/apache/maven/shared/utils/cli/shell/BourneShellTest.java +@@ -44,7 +44,7 @@ public class BourneShellTest + + String executable = StringUtils.join( sh.getShellCommandLine( new String[]{} ).iterator(), " " ); + +- assertEquals( "/bin/sh -c cd /usr/local/bin && chmod", executable ); ++ assertEquals( "/bin/sh -c cd '/usr/local/bin' && 'chmod'", executable ); + } + + public void testQuoteWorkingDirectoryAndExecutable_WDPathWithSingleQuotes() +@@ -56,7 +56,7 @@ public class BourneShellTest + + String executable = StringUtils.join( sh.getShellCommandLine( new String[]{} ).iterator(), " " ); + +- assertEquals( "/bin/sh -c cd \"/usr/local/\'something else\'\" && chmod", executable ); ++ assertEquals( "/bin/sh -c cd '/usr/local/'\"'\"'something else'\"'\"'' && 'chmod'", executable ); + } + + public void testQuoteWorkingDirectoryAndExecutable_WDPathWithSingleQuotes_BackslashFileSep() +@@ -68,7 +68,7 @@ public class BourneShellTest + + String executable = StringUtils.join( sh.getShellCommandLine( new String[]{} ).iterator(), " " ); + +- assertEquals( "/bin/sh -c cd \"\\usr\\local\\\'something else\'\" && chmod", executable ); ++ assertEquals( "/bin/sh -c cd '\\usr\\local\\'\"'\"'something else'\"'\"'' && 'chmod'", executable ); + } + + public void testPreserveSingleQuotesOnArgument() +@@ -78,13 +78,13 @@ public class BourneShellTest + sh.setWorkingDirectory( "/usr/bin" ); + sh.setExecutable( "chmod" ); + +- String[] args = { "\'some arg with spaces\'" }; ++ String[] args = { "\"some arg with spaces\"" }; + + List shellCommandLine = sh.getShellCommandLine( args ); + + String cli = StringUtils.join( shellCommandLine.iterator(), " " ); + System.out.println( cli ); +- assertTrue( cli.endsWith( args[0] ) ); ++ assertTrue( cli.endsWith( "'\"some arg with spaces\"'" ) ); + } + + public void testAddSingleQuotesOnArgumentWithSpaces() +@@ -100,7 +100,21 @@ public class BourneShellTest + 
+ String cli = StringUtils.join( shellCommandLine.iterator(), " " ); + System.out.println( cli ); +- assertTrue( cli.endsWith( "\'" + args[0] + "\'" ) ); ++ assertTrue( cli.endsWith("'some arg with spaces'")); ++ } ++ ++ public void testAddArgumentWithSingleQuote() ++ { ++ Shell sh = newShell(); ++ ++ sh.setWorkingDirectory( "/usr/bin" ); ++ sh.setExecutable( "chmod" ); ++ ++ String[] args = { "arg'withquote" }; ++ ++ List shellCommandLine = sh.getShellCommandLine( args ); ++ ++ assertEquals("cd '/usr/bin' && 'chmod' 'arg'\"'\"'withquote'", shellCommandLine.get(shellCommandLine.size() - 1)); + } + + public void testArgumentsWithsemicolon() +@@ -119,7 +133,7 @@ public class BourneShellTest + + String cli = StringUtils.join( shellCommandLine.iterator(), " " ); + System.out.println( cli ); +- assertTrue( cli.endsWith( "\'" + args[0] + "\'" ) ); ++ assertTrue( cli.endsWith( "';some&argwithunix$chars'" ) ); + + Commandline commandline = new Commandline( newShell() ); + commandline.setExecutable( "chmod" ); +@@ -132,7 +146,7 @@ public class BourneShellTest + + assertEquals( "/bin/sh", lines.get( 0 ) ); + assertEquals( "-c", lines.get( 1 ) ); +- assertEquals( "chmod --password ';password'", lines.get( 2 ) ); ++ assertEquals( "'chmod' '--password' ';password'", lines.get( 2 ) ); + + commandline = new Commandline( newShell() ); + commandline.setExecutable( "chmod" ); +@@ -144,7 +158,7 @@ public class BourneShellTest + + assertEquals( "/bin/sh", lines.get( 0) ); + assertEquals( "-c", lines.get( 1 ) ); +- assertEquals( "chmod --password ';password'", lines.get( 2 ) ); ++ assertEquals( "'chmod' '--password' ';password'", lines.get( 2 ) ); + + commandline = new Commandline( new CmdShell() ); + commandline.getShell().setQuotedArgumentsEnabled( true ); +@@ -186,13 +200,14 @@ public class BourneShellTest + commandline.createArg().setValue( "{" ); + commandline.createArg().setValue( "}" ); + commandline.createArg().setValue( "`" ); ++ commandline.createArg().setValue( "#" ); + + 
List lines = commandline.getShell().getShellCommandLine( commandline.getArguments() ); + System.out.println( lines ); + + assertEquals( "/bin/sh", lines.get( 0 ) ); + assertEquals( "-c", lines.get( 1 ) ); +- assertEquals( "chmod ' ' '|' '&&' '||' ';' ';;' '&' '()' '<' '<<' '>' '>>' '*' '?' '[' ']' '{' '}' '`'", ++ assertEquals( "'chmod' ' ' '|' '&&' '||' ';' ';;' '&' '()' '<' '<<' '>' '>>' '*' '?' '[' ']' '{' '}' '`' '#'", + lines.get( 2 ) ); + } + +-- +2.35.1 + diff --git a/0003-Avoid-setting-POSIX-attributes-for-symbolic-links.patch b/0003-Avoid-setting-POSIX-attributes-for-symbolic-links.patch deleted file mode 100644 index 7783723..0000000 --- a/0003-Avoid-setting-POSIX-attributes-for-symbolic-links.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 932f9b15bd62255f81c66b564f748fff6ec84c86 Mon Sep 17 00:00:00 2001 -From: Mikolaj Izdebski -Date: Thu, 24 Sep 2020 20:17:56 +0200 -Subject: [PATCH 3/3] Avoid setting POSIX attributes for symbolic links - ---- - src/main/java/org/apache/maven/shared/utils/io/FileUtils.java | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/main/java/org/apache/maven/shared/utils/io/FileUtils.java b/src/main/java/org/apache/maven/shared/utils/io/FileUtils.java -index a3be324..a396d99 100644 ---- a/src/main/java/org/apache/maven/shared/utils/io/FileUtils.java -+++ b/src/main/java/org/apache/maven/shared/utils/io/FileUtils.java -@@ -1973,9 +1973,9 @@ public class FileUtils - } - } - } -- } - -- copyFilePermissions( from, to ); -+ copyFilePermissions( from, to ); -+ } - } - - /** --- -2.26.2 - diff --git a/gating.yaml b/gating.yaml deleted file mode 100644 index d6b7694..0000000 --- a/gating.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- !Policy -product_versions: - - rhel-9 -decision_contexts: - - osci_compose_gate -rules: - # https://docs.engineering.redhat.com/display/RHELPLAN/Maven+Bootstrap+manual+gating+test - - !PassingTestCaseRule {test_case_name: manual.sst_cs_apps.maven.bootstrap} 
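Review bot: The Javadoc on the new BourneShell.quoteOneItem does not match the implementation: it still describes unifying quotes, keeps `@param path not null path.` although the method returns null for a null path, says nothing about the new `isExecutable` parameter (unused in this override), and the example `BourneShell.quoteOneItem("/test/quoted path'abc") = '/test/quoted pat'"'"'habc'` misplaces the `h`, since the code yields `'/test/quoted path'"'"'abc'`. A summary along the lines of `Wrap the item in single quotes for the Bourne shell, turning each embedded single quote into '"'"' so that no character inside it is interpreted by the shell; isExecutable is accepted for the Shell contract but not used here.` with matching `@param`/`@return` tags would let a reader check the quoting against the cases added in BourneShellTest. Separately, the base-class Shell.quoteOneItem added in the same patch derives `escapeChars` from `isSingleQuotedExecutableEscaped()`/`isDoubleQuotedExecutableEscaped()` for arguments as well, whereas the lines it replaces in getCommandLine used `isSingleQuotedArgumentEscaped()`/`isDoubleQuotedArgumentEscaped()` for the argument branch, so a non-Bourne shell whose two flag pairs differ would now escape arguments differently; selecting the pair by the flag (`char[] escapeChars = isExecutable ? getEscapeChars( isSingleQuotedExecutableEscaped(), isDoubleQuotedExecutableEscaped() ) : getEscapeChars( isSingleQuotedArgumentEscaped(), isDoubleQuotedArgumentEscaped() );`) would restore the previous behaviour. Since this file carries an upstream commit for CVE-2022-29599 (per its Upstream: trailer), either change is better added as a further patch file than by editing this one, so the recorded provenance stays accurate.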
diff --git a/maven-shared-utils.spec b/maven-shared-utils.spec index 54fa643..7c0a549 100644 --- a/maven-shared-utils.spec +++ b/maven-shared-utils.spec @@ -1,6 +1,6 @@ Name: maven-shared-utils Version: 3.2.1 -Release: 0.1%{?dist} +Release: 0.2%{?dist} Summary: Maven shared utility classes License: ASL 2.0 URL: http://maven.apache.org/shared/maven-shared-utils @@ -9,6 +9,7 @@ BuildArch: noarch Source0: http://repo1.maven.org/maven2/org/apache/maven/shared/%{name}/%{version}/%{name}-%{version}-source-release.zip # XXX temporary for maven upgrade Patch0: 0001-Restore-compatibility-with-current-maven.patch +Patch1: 0002-Unconditionally-single-quote-executable-and-argument.patch BuildRequires: maven-local BuildRequires: mvn(com.google.code.findbugs:jsr305) @@ -39,6 +40,7 @@ API documentation for %{name}. %setup -q %patch0 -p1 +%patch1 -p1 %pom_remove_plugin org.codehaus.mojo:findbugs-maven-plugin @@ -55,6 +57,10 @@ API documentation for %{name}. %license LICENSE NOTICE %changelog +* Tue Apr 05 2022 Marián Konček - 3.2.1-0.2 +- Fix commandline injection vulnerability +- Resolves: CVE-2022-29599 + * Mon Feb 26 2018 Michael Simacek - 3.2.1-0.1 - Update to upstream version 3.2.1 (patched temporary)