-
Notifications
You must be signed in to change notification settings - Fork 150
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #954 from eclipsesource/compliance-check
feat: add publisher agreement compliance check
- Loading branch information
Showing
13 changed files
with
190 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
46 changes: 46 additions & 0 deletions
46
...java/org/eclipse/openvsx/migration/CheckPotentiallyMaliciousExtensionVersionsService.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
/******************************************************************************** | ||
* Copyright (c) 2024 STMicroelectronics and others | ||
* | ||
* This program and the accompanying materials are made available under the | ||
* terms of the Eclipse Public License v. 2.0 which is available at | ||
* http://www.eclipse.org/legal/epl-2.0. | ||
* | ||
* SPDX-License-Identifier: EPL-2.0 | ||
********************************************************************************/ | ||
package org.eclipse.openvsx.migration; | ||
|
||
import io.micrometer.observation.ObservationRegistry; | ||
import jakarta.persistence.EntityManager; | ||
import jakarta.transaction.Transactional; | ||
import org.jobrunr.jobs.context.JobRunrDashboardLogger; | ||
import org.slf4j.Logger; | ||
import org.slf4j.LoggerFactory; | ||
import org.eclipse.openvsx.ExtensionProcessor; | ||
import org.eclipse.openvsx.entities.ExtensionVersion; | ||
import org.eclipse.openvsx.util.NamingUtil; | ||
import org.eclipse.openvsx.util.TempFile; | ||
import org.springframework.stereotype.Component; | ||
|
||
@Component | ||
public class CheckPotentiallyMaliciousExtensionVersionsService { | ||
|
||
protected final Logger logger = new JobRunrDashboardLogger(LoggerFactory.getLogger(PotentiallyMaliciousJobRequestHandler.class)); | ||
|
||
private final EntityManager entityManager; | ||
|
||
public CheckPotentiallyMaliciousExtensionVersionsService(EntityManager entityManager) { | ||
this.entityManager = entityManager; | ||
} | ||
|
||
@Transactional | ||
public void checkPotentiallyMaliciousExtensionVersion(ExtensionVersion extVersion, TempFile extensionFile) { | ||
try(var extProcessor = new ExtensionProcessor(extensionFile, ObservationRegistry.NOOP)) { | ||
boolean isMalicious = extProcessor.isPotentiallyMalicious(); | ||
extVersion.setPotentiallyMalicious(isMalicious); | ||
if (isMalicious) { | ||
logger.warn("Extension version is potentially malicious: {}", NamingUtil.toLogFormat(extVersion)); | ||
} | ||
} | ||
entityManager.merge(extVersion); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
57 changes: 57 additions & 0 deletions
57
...er/src/main/java/org/eclipse/openvsx/migration/PotentiallyMaliciousJobRequestHandler.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
/******************************************************************************** | ||
* Copyright (c) 2024 STMicroelectronics and others | ||
* | ||
* This program and the accompanying materials are made available under the | ||
* terms of the Eclipse Public License v. 2.0 which is available at | ||
* http://www.eclipse.org/legal/epl-2.0. | ||
* | ||
* SPDX-License-Identifier: EPL-2.0 | ||
********************************************************************************/ | ||
package org.eclipse.openvsx.migration; | ||
|
||
import org.eclipse.openvsx.util.NamingUtil; | ||
import org.jobrunr.jobs.annotations.Job; | ||
import org.jobrunr.jobs.context.JobRunrDashboardLogger; | ||
import org.jobrunr.jobs.lambdas.JobRequestHandler; | ||
import org.slf4j.Logger; | ||
import org.slf4j.LoggerFactory; | ||
import org.springframework.stereotype.Component; | ||
|
||
import java.nio.file.Files; | ||
import java.util.AbstractMap; | ||
|
||
@Component | ||
public class PotentiallyMaliciousJobRequestHandler implements JobRequestHandler<MigrationJobRequest> { | ||
|
||
protected final Logger logger = new JobRunrDashboardLogger(LoggerFactory.getLogger(PotentiallyMaliciousJobRequestHandler.class)); | ||
|
||
private final MigrationService migrations; | ||
private final CheckPotentiallyMaliciousExtensionVersionsService service; | ||
|
||
public PotentiallyMaliciousJobRequestHandler(MigrationService migrations, CheckPotentiallyMaliciousExtensionVersionsService service) { | ||
this.migrations = migrations; | ||
this.service = service; | ||
} | ||
|
||
@Override | ||
@Job(name = "Check published extensions for potentially malicious vsix file", retries = 3) | ||
public void run(MigrationJobRequest jobRequest) throws Exception { | ||
var download = migrations.getResource(jobRequest); | ||
var extVersion = download.getExtension(); | ||
logger.info("Checking extension version for potentially malicious vsix file: {}", NamingUtil.toLogFormat(extVersion)); | ||
|
||
var content = migrations.getContent(download); | ||
var entry = new AbstractMap.SimpleEntry<>(download, content); | ||
try(var extensionFile = migrations.getExtensionFile(entry)) { | ||
if(Files.size(extensionFile.getPath()) == 0) { | ||
logger.info("Extension file is empty, skipping: {}", download.getName()); | ||
return; | ||
} | ||
|
||
logger.info("Checking vsix file for potentially malicious metadata: {}", download.getName()); | ||
service.checkPotentiallyMaliciousExtensionVersion(extVersion, extensionFile); | ||
} | ||
|
||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
5 changes: 5 additions & 0 deletions
5
server/src/main/jooq-gen/org/eclipse/openvsx/jooq/tables/ExtensionVersion.java
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
19 changes: 18 additions & 1 deletion
19
server/src/main/jooq-gen/org/eclipse/openvsx/jooq/tables/records/ExtensionVersionRecord.java
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
11 changes: 11 additions & 0 deletions
11
server/src/main/resources/db/migration/V1_46__ExtensionVersion_PotentiallyMalicious.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
ALTER TABLE extension_version ADD COLUMN potentially_malicious BOOLEAN; | ||
UPDATE extension_version SET potentially_malicious = FALSE; | ||
|
||
|
||
INSERT INTO migration_item(id, migration_script, entity_id, migration_scheduled) | ||
SELECT nextval('hibernate_sequence'), 'V1_46__ExtensionVersion_PotentiallyMalicious.sql', fr.id, FALSE | ||
FROM file_resource fr | ||
JOIN extension_version ev ON ev.id = fr.extension_id | ||
JOIN extension e ON e.id = ev.extension_id | ||
WHERE fr.type = 'download' | ||
ORDER BY e.download_count DESC; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters