
Maven local #127

Closed
wants to merge 10 commits into from

Conversation

tiagobento
Owner

WIP

`.trim();

const DEFAULT_LOCAL_REPO = String(
execSync(`mvn help:evaluate -Dexpression=settings.localRepository -q -DforceStdout -f ${EMPTY_POM_XML_PATH}`, [], {

Check warning: Code scanning / CodeQL
Shell command built from environment values (Medium)
This shell command depends on an uncontrolled absolute path.
installMvnw: () => {
console.info(`[maven-config-setup-helper] Installing mvnw...`);
console.time(`[maven-config-setup-helper] Installing mvnw...`);
execSync(`mvn -e org.apache.maven.plugins:maven-wrapper-plugin:${MVNW_VERSION}:wrapper ${BOOTSTRAP_CLI_ARGS}`, {

Check warning: Code scanning / CodeQL
Shell command built from environment values (Medium)
This shell command depends on an uncontrolled absolute path.
* @param tail A list of paths representing additional Maven repository directories, to be concatenated to the default one (i.e. `maven.repo.local`)
* */
prepareM2FromTail: (tmpM2Dir, tail) => {
const resolvedTmpM2Dir = path.resolve(tmpM2Dir);

Check warning: Code scanning / CodeQL
Unsafe shell command constructed from library input (Medium)
This path concatenation which depends on library input is later used in a shell command.
fs.mkdirSync(resolvedTmpM2Dir);

// head
execSync(`cp -nal ${DEFAULT_LOCAL_REPO}/* ${resolvedTmpM2Dir}`, { stdio: "inherit" });

Check warning: Code scanning / CodeQL
Unsafe shell command constructed from library input (Medium)
This string concatenation which depends on library input is later used in a shell command.
fs.mkdirSync(resolvedTmpM2Dir);

// head
execSync(`cp -nal ${DEFAULT_LOCAL_REPO}/* ${resolvedTmpM2Dir}`, { stdio: "inherit" });

Check warning: Code scanning / CodeQL
Shell command built from environment values (Medium)
This shell command depends on an uncontrolled absolute path.

// tail
for (const t of tail) {
execSync(`cp -nal ${path.resolve(t)}/* ${resolvedTmpM2Dir}`, { stdio: "inherit" });

Check warning: Code scanning / CodeQL
Shell command built from environment values (Medium)
This shell command depends on an uncontrolled absolute path.

// tail
for (const t of tail) {
execSync(`cp -nal ${path.resolve(t)}/* ${resolvedTmpM2Dir}`, { stdio: "inherit" });

Check warning: Code scanning / CodeQL
Unsafe shell command constructed from library input (Medium)
This path concatenation which depends on library input is later used in a shell command.

Copilot Autofix AI 3 months ago

To fix the problem, we should avoid directly embedding user-controlled input into shell commands. Instead, we can use the child_process.execFile function, which allows us to pass arguments as an array, thus avoiding shell interpretation. For cases where we need to use shell features like wildcards, we can use the shell-quote library to safely escape the input.

  1. Replace the execSync calls with execFileSync where possible.
  2. For commands that require shell interpretation, use the shell-quote library to escape the input.
Suggested changeset 2
packages/maven-config-setup-helper/index.js

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/maven-config-setup-helper/index.js b/packages/maven-config-setup-helper/index.js
--- a/packages/maven-config-setup-helper/index.js
+++ b/packages/maven-config-setup-helper/index.js
@@ -1,4 +1,4 @@
+const shellQuote = require("shell-quote");
 /*
  * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
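Review bot: this hunk removes the license header line ` * or more contributor license agreements.  See the NOTICE file` and inserts `const shellQuote = require("shell-quote");` above the Apache header, yet no hunk in the changeset ever calls `shellQuote`; restore the header line and drop the import, or, if a later change really needs it, place it with the other `require` calls below the header.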
@@ -19,3 +19,3 @@
 
-const { execSync } = require("child_process");
+const { execSync, execFileSync } = require("child_process");
 const fs = require("fs");
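Review bot: keeping `execSync` next to the new `execFileSync` import is correct only because the `mvn versions:set-property -Dproperty=${key} -DnewVersion=${value} ...` command string shown further down this page is not converted by this changeset; that call still interpolates `key` and `value` into a shell string, so its "Unsafe shell command constructed from library input" alert stays open after this patch.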
@@ -40,3 +40,3 @@
 const DEFAULT_LOCAL_REPO = String(
-  execSync(`mvn help:evaluate -Dexpression=settings.localRepository -q -DforceStdout -f ${EMPTY_POM_XML_PATH}`, [], {
+  execFileSync("mvn", ["help:evaluate", "-Dexpression=settings.localRepository", "-q", "-DforceStdout", "-f", EMPTY_POM_XML_PATH], {
     stdio: "pipe",
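Review bot: the removed line passed `[]` as the second argument, and `execSync(command, options)` takes the options object there, so the `stdio: "pipe"` settings that follow were being ignored; the `execFileSync("mvn", [...], {...})` form fixes that as a side effect and is worth a mention in the commit message. One caveat for Windows, which this PR targets elsewhere via `shell: "powershell.exe"`: there `mvn` is `mvn.cmd`, a batch file that `execFileSync` cannot spawn without `shell: true`, so this call needs a platform-specific branch.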
@@ -101,3 +101,3 @@
     // head
-    execSync(`cp -nal ${DEFAULT_LOCAL_REPO}/* ${resolvedTmpM2Dir}`, { stdio: "inherit" });
+    execFileSync("cp", ["-nal", `${DEFAULT_LOCAL_REPO}/*`, resolvedTmpM2Dir], { stdio: "inherit" });
 
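Review bot: `${DEFAULT_LOCAL_REPO}/*` stops working once the shell is removed: glob expansion is a shell feature, `execFileSync` hands the string to `cp` verbatim, and `cp` will report that a file literally named `*` does not exist, so nothing is hard-linked into `resolvedTmpM2Dir`. Either enumerate the repository with `fs.readdirSync` and pass each entry as its own argument, or link the directory contents with `execFileSync("cp", ["-nal", `${DEFAULT_LOCAL_REPO}/.`, resolvedTmpM2Dir], ...)`.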
@@ -105,3 +105,3 @@
     for (const t of tail) {
-      execSync(`cp -nal ${path.resolve(t)}/* ${resolvedTmpM2Dir}`, { stdio: "inherit" });
+      execFileSync("cp", ["-nal", `${path.resolve(t)}/*`, resolvedTmpM2Dir], { stdio: "inherit" });
     }
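Review bot: same glob problem as the head copy: `${path.resolve(t)}/*` is passed literally, so every tail directory fails to copy. `path.resolve(t)` also only normalises the string; checking `fs.statSync(path.resolve(t)).isDirectory()` before the copy turns a bad `tail` element into a clear error instead of a `cp` failure part-way through the loop.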
EOF
packages/maven-config-setup-helper/package.json
Outside changed files

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/maven-config-setup-helper/package.json b/packages/maven-config-setup-helper/package.json
--- a/packages/maven-config-setup-helper/package.json
+++ b/packages/maven-config-setup-helper/package.json
@@ -19,3 +19,6 @@
   "scripts": {},
-  "devDependencies": {}
+  "devDependencies": {},
+  "dependencies": {
+    "shell-quote": "^1.8.1"
+  }
 }
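Review bot: the `shell-quote` dependency this hunk adds is never used by the index.js changes in this changeset, so it only enlarges the runtime dependency set (and the supply-chain surface) of the package; drop it unless a hunk actually calls `shellQuote.quote()` to build a command that genuinely needs shell interpretation.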
EOF
This fix introduces these dependencies:
Package: shell-quote (npm); Version: 1.8.1; Security advisories: None
console.info(`[maven-config-setup-helper] Setting property '${key}' with value '${value}'...`);
console.time(`[maven-config-setup-helper] Setting property '${key}' with value '${value}'...`);

const cmd = `mvn versions:set-property -Dproperty=${key} -DnewVersion=${value} -DgenerateBackupPoms=false ${BOOTSTRAP_CLI_ARGS}`;

Check warning: Code scanning / CodeQL
Unsafe shell command constructed from library input (Medium)
This string concatenation which depends on library input is later used in a shell command.

Copilot Autofix AI 3 months ago

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

stdio: "inherit",
shell: "powershell.exe",
});
execSync(cmd.replaceAll(" -", " `-"), { stdio: "inherit", shell: "powershell.exe" });

Check warning: Code scanning / CodeQL
Shell command built from environment values (Medium)
This shell command depends on an uncontrolled absolute path.
execSync(`mvn versions:set-property -Dproperty=${key} -DnewVersion=${value} -DgenerateBackupPoms=false`, {
stdio: "inherit",
});
execSync(cmd, { stdio: "inherit" });

Check warning: Code scanning / CodeQL
Shell command built from environment values (Medium)
This shell command depends on an uncontrolled absolute path.