[ https://issues.apache.org/jira/browse/MBUILDCACHE-86?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17853585#comment-17853585 ]
ASF GitHub Bot commented on MBUILDCACHE-86:
-------------------------------------------

kbuntrock commented on PR #104:
URL: https://github.com/apache/maven-build-cache-extension/pull/104#issuecomment-2157707829

> The change to "Forbid the possibility to extract/restore data in a directory outside the project" is a breaking change for some of my projects.
>
> In my case, I have several multi-module projects with child POMs configured to use ../target/${project.artifactId} as their build directory in order to have a single target dir in the parent rather than N children target directories.
>
> Would you consider adding an opt-out option ? @kbuntrock

Hello @julien-pcd

I'm sorry to hear that. I see 3 options :

1. An opt-out parameter allowing to disable the security
2. A configuration parameter allowing a specific path for extract/restore. By default it is `project.basedir` (the current hardcoded value)
3. Automatic detection of a wider allowed extract/restore area, based on parents location resolution. But since you can specify relative path for parents, I'm expecting a lot of edge cases.

My favourite solution is by far the number 2. Could I have your opinion @AlexanderAshitkin and @olamy ?

And I wish a good day to all of you! 😊

> Bugfix and enhancements with the restoration of outputs on disk
> ---------------------------------------------------------------
>
> Key: MBUILDCACHE-86
> URL: https://issues.apache.org/jira/browse/MBUILDCACHE-86
> Project: Maven Build Cache Extension
> Issue Type: Improvement
> Reporter: Kevin Buntrock
> Assignee: Olivier Lamy
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.2.0
>
> *Fixes :*
> * Files containing an underscore in their name can't be restored in the cache directory correctly (not in the same directory location).
> * The cache is able to extract/restore files in locations outside the project. I guess the extraction part is not a vulnerability since someone with commit permissions can guess other ways to extract data. But the possibility of restoring at any place on the disk looks pretty dangerous to me if a remote cache server is compromised.
>
> *Enhancements :*
> * Possibility to restore artefacts on disk, with a dedicated property : maven.build.cache.restoreOnDiskArtefacts (default to true). Meaning in the project directory, as opposed to the cache directory.
> ** IDE integration and use of the cache locally in development is way easier. It is now possible to retrieve a cached jar in the "target" directory.
> * Introduce "globs" to filter extra attached outputs by filenames.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
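
Option 2 from the comment above, sketched as an added example (not code from PR #104 or from the extension): a restore-path check against a configurable allowed root, run on the `../target/<artifactId>` layout described in the quoted reply. The class, the `resolveInside` and `tryRestore` helpers and the directory layout are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class RestoreRootCheck {

    // Hypothetical helper: resolve a cache entry's relative path against the
    // module directory and refuse it unless it stays under allowedRoot.
    static Path resolveInside(Path allowedRoot, Path moduleDir, String entryPath)
            throws IOException {
        Path root = allowedRoot.toRealPath();
        // normalize() collapses ".." so the check sees the real destination.
        // Symlinks below moduleDir are not resolved here (target may not exist yet).
        Path target = moduleDir.toRealPath().resolve(entryPath).normalize();
        // Path.startsWith compares whole name elements, so /work/proj does not
        // match /work/proj-other the way a string prefix test would.
        if (!target.startsWith(root)) {
            throw new SecurityException("restore target outside allowed root: " + entryPath);
        }
        return target;
    }

    static String tryRestore(Path allowedRoot, Path moduleDir, String entryPath)
            throws IOException {
        try {
            resolveInside(allowedRoot, moduleDir, entryPath);
            return "allowed";
        } catch (SecurityException e) {
            return "rejected";
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/parent/child-a, child builds into ../target/child-a
        Path parent = Files.createTempDirectory("parent");
        Path child = Files.createDirectories(parent.resolve("child-a"));
        String shared = "../target/child-a/classes/App.class";

        // Default described in the thread: allowed root is the module's own basedir.
        System.out.println("basedir root, shared target: " + tryRestore(child, child, shared));
        // Option 2: allowed root configured to the parent directory.
        System.out.println("parent root,  shared target: " + tryRestore(parent, child, shared));
        // Still outside the configured root, so still refused.
        System.out.println("parent root,  ../../escape:  " + tryRestore(parent, child, "../../escape/x"));
    }
}
```

With the allowed root widened to the parent directory, the shared `target` layout is accepted while entries that climb above that root, or that are absolute paths, are still refused.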