On Mon, Jan 7, 2019 at 10:39 AM Alex Harui <aha...@adobe.com.invalid> wrote:
> Hi Greg,
>
> Thanks for the history. I agree with the general problem, however, for
> Royale, I think the problem is constrained, but I could be wrong. I don't
> think there are exploits from things like missing semicolons and other code
> exploits that can be executed against pom.xml files, so the Royale
> reviewers are first looking to see if the bot changed any other files.

It's definitely not safe to assume that a change will not introduce something
malicious purely based on the files it touches.

> Maybe Maven experts can tell us what kinds of exploit could be hacked into
> a pom.xml.
>

Given the array of plugins available, just about anything is possible:

...
<plugin>
  <artifactId>exec-maven-plugin</artifactId>
  <groupId>org.codehaus.mojo</groupId>
  <version>1.6.0</version>
  <executions>
    <execution>
      <phase>generate-sources</phase>
      <goals>
        <goal>exec</goal>
      </goals>
      <configuration>
        <executable>echo</executable>
        <commandlineArgs>something nefarious</commandlineArgs>
      </configuration>
    </execution>
  </executions>
</plugin>
...

- Mike
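The point Mike makes above is that a pom.xml change can bind a command-running plugin to an early build phase, so a review that only checks which files a bot touched misses it. Below is an added example, not code from this thread or from the Royale project, of a reviewer-side check: it parses a pom.xml, flags plugins on a watch list of plugins that execute commands, Ant tasks or scripts during the build, and reports which new risky plugins a changed pom introduces relative to the previous one. The watch list, the helper names and the two sample POMs are constructed for this example; the watch list is a starting point, not an exhaustive inventory.

```python
# Added example: reviewer check for pom.xml plugins that can run commands or
# scripts during a build. Not part of the original thread; names and the
# watch list below are assumptions for illustration.
import xml.etree.ElementTree as ET

# Constructed watch list of (groupId, artifactId) pairs that execute shell
# commands, Ant tasks or scripts as part of the build. Extend as needed.
CODE_EXEC_PLUGINS = {
    ("org.codehaus.mojo", "exec-maven-plugin"),
    ("org.apache.maven.plugins", "maven-antrun-plugin"),
    ("org.codehaus.gmaven", "groovy-maven-plugin"),
    ("org.codehaus.gmavenplus", "gmavenplus-plugin"),
}

# Maven's default groupId when a <plugin> omits it.
DEFAULT_PLUGIN_GROUP = "org.apache.maven.plugins"


def _strip_namespaces(root):
    """Drop the POM xmlns so tag lookups work for namespaced and bare POMs."""
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


def find_risky_plugins(pom_xml: str):
    """Return findings for every <plugin> on the watch list, with the build
    phases it binds to and any <executable> it configures."""
    root = _strip_namespaces(ET.fromstring(pom_xml))
    findings = []
    for plugin in root.iter("plugin"):
        group = (plugin.findtext("groupId") or DEFAULT_PLUGIN_GROUP).strip()
        artifact = (plugin.findtext("artifactId") or "").strip()
        if (group, artifact) not in CODE_EXEC_PLUGINS:
            continue
        version = (plugin.findtext("version") or "").strip()
        findings.append({
            "plugin": f"{group}:{artifact}",
            # An unpinned version lets a later upload change what actually runs.
            "version": version or "<unpinned>",
            "phases": [p.text.strip() for p in plugin.iter("phase") if p.text],
            "executables": [e.text.strip() for e in plugin.iter("executable") if e.text],
        })
    return findings


def new_risky_plugins(old_pom_xml: str, new_pom_xml: str):
    """Findings present in the changed pom but not in the previous one, which is
    the question a reviewer of a bot-generated pom.xml change wants answered."""
    before = {f["plugin"] for f in find_risky_plugins(old_pom_xml)}
    return [f for f in find_risky_plugins(new_pom_xml) if f["plugin"] not in before]


# Constructed sample POMs: the "before" has only a compiler plugin, the "after"
# adds an exec plugin bound to generate-sources, like the snippet in the thread.
CLEAN_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <build><plugins>
    <plugin><artifactId>maven-compiler-plugin</artifactId><version>3.8.0</version></plugin>
  </plugins></build>
</project>"""

CHANGED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <build><plugins>
    <plugin><artifactId>maven-compiler-plugin</artifactId><version>3.8.0</version></plugin>
    <plugin>
      <artifactId>exec-maven-plugin</artifactId>
      <groupId>org.codehaus.mojo</groupId>
      <version>1.6.0</version>
      <executions><execution>
        <phase>generate-sources</phase>
        <goals><goal>exec</goal></goals>
        <configuration>
          <executable>echo</executable>
          <commandlineArgs>hello from the build</commandlineArgs>
        </configuration>
      </execution></executions>
    </plugin>
  </plugins></build>
</project>"""


if __name__ == "__main__":
    for finding in new_risky_plugins(CLEAN_POM, CHANGED_POM):
        print("new plugin that executes commands:", finding)
```

Run as a pre-merge step, the check turns "did the bot touch anything besides pom.xml?" into "did the pom.xml change add anything that runs code?", which is the question the file list alone cannot answer. A name-based watch list is deliberately conservative: any plugin artifact could carry unwanted behaviour, so an unfamiliar groupId or an unpinned version deserves the same attention as a hit on this list.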