Hi Mike,
Thanks for the input. IMO, that exploit would be easily seen. The release
plugin should only be changing one-liners with version numbers. Can you think
of one-liner attacks? The attacker would also have to know when we are running
our artifact job, otherwise commits from bot would be seen as unexpected.
I think there is a way from Git to pull just changes from a person and we could
write tools to check the changes to further lower risk.
Thanks,
-Alex
On 1/7/19, 10:55 AM, "Mike Jumper" <mjum...@apache.org> wrote:
On Mon, Jan 7, 2019 at 10:39 AM Alex Harui <aha...@adobe.com.invalid> wrote:
> Hi Greg,
>
> Thanks for the history. I agree with the general problem, however, for
> Royale, I think the problem is constrained, but I could be wrong. I don't
> think there are exploits from things like missing semicolons and other
code
> exploits that can be executed against pom.xml files, so the Royale
> reviewers are first looking to see if bot changed any other files.
It's definitely not safe to assume that a change will not introduce
something malicious purely based on the files it touches.
Maybe Maven experts can tell us what kinds of exploit could be hacked into
> a pom.xml.
>
Given the array of plugins available, just about anything is possible:
...
<plugin>
<artifactId>exec-maven-plugin</artifactId>
<groupId>org.codehaus.mojo</groupId>
<version>1.6.0</version>
<executions>
<execution>
<phase>generate-sources</phase>
<goals>
<goal>exec</goal>
</goals>
<configuration>
<executable>echo</executable>
<commandlineArgs>something nefarious</commandlineArgs>
</configuration>
</execution>
</executions>
</plugin>
...
- Mike
