[
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17574562#comment-17574562
]
ASF GitHub Bot commented on MWRAPPER-75:
----------------------------------------
michael-o commented on code in PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#discussion_r936336907
##########
maven-wrapper-distribution/src/resources/mvnw:
##########
@@ -247,6 +247,21 @@ fi
# End of extension
##########################################################################################
+# If specified, validate the SHA-256 sum of the Maven wrapper jar file
+wrapperSha256Sum=""
+while IFS="=" read key value; do
+ case "$key" in (wrapperSha256Sum) wrapperSha256Sum=$value; break ;;
+ esac
+done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+if [ -n "$wrapperSha256Sum" ]; then
+ if ! echo "$wrapperSha256Sum $wrapperJarPath" | shasum -a 256 -c >
/dev/null 2>&1; then
+ echo "Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper
might be compromised." >&2
Review Comment:
I don't like this wording because this implies some security aspect.
##########
maven-wrapper-distribution/src/resources/mvnw.cmd:
##########
@@ -153,6 +153,24 @@ if exist %WRAPPER_JAR% (
)
@REM End of extension
+@REM If specified, validate the SHA-256 sum of the Maven wrapper jar file
+SET WRAPPER_SHA_256_SUM=""
+FOR /F "usebackq tokens=1,2 delims==" %%A IN
("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+ IF "%%A"=="wrapperSha256Sum" SET WRAPPER_SHA_256_SUM=%%B
+)
+IF NOT %WRAPPER_SHA_256_SUM%=="" (
+ FOR /F "usebackq tokens=*" %%A in ('certUtil -hashfile "%WRAPPER_JAR%"
SHA256') do (
+ echo %%A | findstr /C:"hash" 1>nul || (
+ IF NOT %%A==%WRAPPER_SHA_256_SUM% (
+ echo Error: Failed to validate Maven wrapper SHA-256, your
Maven wrapper might be compromised. >&2
Review Comment:
ditto
##########
maven-wrapper-distribution/src/resources/mvnw:
##########
@@ -247,6 +247,21 @@ fi
# End of extension
##########################################################################################
+# If specified, validate the SHA-256 sum of the Maven wrapper jar file
+wrapperSha256Sum=""
+while IFS="=" read key value; do
+ case "$key" in (wrapperSha256Sum) wrapperSha256Sum=$value; break ;;
+ esac
+done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+if [ -n "$wrapperSha256Sum" ]; then
+ if ! echo "$wrapperSha256Sum $wrapperJarPath" | shasum -a 256 -c >
/dev/null 2>&1; then
Review Comment:
You should check whether `shasum` is available.
##########
maven-wrapper-distribution/src/resources/mvnw:
##########
@@ -247,6 +247,21 @@ fi
# End of extension
##########################################################################################
+# If specified, validate the SHA-256 sum of the Maven wrapper jar file
+wrapperSha256Sum=""
+while IFS="=" read key value; do
+ case "$key" in (wrapperSha256Sum) wrapperSha256Sum=$value; break ;;
+ esac
+done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
Review Comment:
Are you certain that this is POSIX compliant?
> Allow for sha256 checksum verification of downloaded artifacts.
> ---------------------------------------------------------------
>
> Key: MWRAPPER-75
> URL: https://issues.apache.org/jira/browse/MWRAPPER-75
> Project: Maven Wrapper
> Issue Type: Improvement
> Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper
> Scripts
> Reporter: Rafael Winterhalter
> Priority: Normal
>
> Maven Wrapper is downloading binary artifacts that are later executed. To
> prevent from an attack where a vulnerable repository could distribute
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be
> verified against a secure checksum. If the expected checksum does not match,
> execution could be aborted before the potentially compromised artifact is
> executed.
> In my PR, i chose SHA-256 as it is cheaper to compute than SHA-512 but still
> impossible to replicate with a corrupted binary.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
