This is an automated email from the ASF dual-hosted git repository. jochen pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-lang.git
The following commit(s) were added to refs/heads/master by this push: new 9980cf11e Undoing 3322d974876b8d4f934d3544967103ebbcaef726 9980cf11e is described below commit 9980cf11e36ee58bf8556188bf252946f290b6c8 Author: Jochen Wiedmann <jochen.wiedm...@gmail.com> AuthorDate: Wed May 22 20:00:10 2024 +0200 Undoing 3322d974876b8d4f934d3544967103ebbcaef726 --- src/changes/changes.xml | 1 - .../apache/commons/lang3/annotations/Insecure.java | 48 ----------------- .../org/apache/commons/lang3/annotations/Safe.java | 61 ---------------------- .../commons/lang3/annotations/package-info.java | 37 ------------- 4 files changed, 147 deletions(-)
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index b69e1f8a2..34841687a 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -140,7 +140,6 @@ The <action> type attribute can be add,update,fix,remove.
 <action type="update" dev="ggregory" due-to="Dependabot">Bump org.apache.commons:commons-text from 1.11.0 to 1.12.0 #1200.</action>
 <!-- REMOVE -->
 <action type="remove" dev="ggregory" due-to="Paranoïd User">Drop obsolete JDK 13 Maven profile #1142.</action>
- <action type="add" dev="jochen">Added the annotations package, including the Insecure, and Safe annotations.</action>
 </release>
 <release version="3.14.0" date="2023-11-18" description="New features and bug fixes (Java 8 or above).">
 <!-- FIX -->
diff --git a/src/main/java/org/apache/commons/lang3/annotations/Insecure.java b/src/main/java/org/apache/commons/lang3/annotations/Insecure.java
deleted file mode 100644
index 2802f1189..000000000
--- a/src/main/java/org/apache/commons/lang3/annotations/Insecure.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.commons.lang3.annotations;
-
-import java.lang.annotation.Documented;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-/**
- * This annotation is used to indicate, that a constructor, or method
- * is insecure to use, unless the input parameters contain safe ("trusted")
- * values.
- *
- * For example, consider a method like <pre>
- * {@literal @Insecure}
- * public void runCommand(String pCmdLine) {
- * }
- * </pre>
- *
- * The example method would invoke {@code /bin/sh} (Linux, Unix, or MacOS), or
- * {@code cmd} (Windows) to run an external command, as given by the parameter
- * {@code pCmdLine}. Obviously, depending on the value of the parameter,
- * this can be dangerous, unless the API user (downstream developer)
- * <em>knows</em>, that the parameter value is safe (for example, because it
- * is hard coded, or because it has been compared to a white list of
- * permissible values).
- */
-@Retention(RetentionPolicy.RUNTIME)
-@Target({ElementType.CONSTRUCTOR, ElementType.METHOD})
-@Documented
-public @interface Insecure {
-}
diff --git a/src/main/java/org/apache/commons/lang3/annotations/Safe.java b/src/main/java/org/apache/commons/lang3/annotations/Safe.java
deleted file mode 100644
index c3a710cf2..000000000
--- a/src/main/java/org/apache/commons/lang3/annotations/Safe.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.commons.lang3.annotations;
-
-import java.lang.annotation.Documented;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-/**
- * This annotation is used to indicate, that a variable, field, or parameter
- * contains a safe value. If so, the annotated element may be used in an
- * invocation of a constructor, or method, which is annotated with
- * {@code @Insecure}.
- *
- * For example, suggest the following method declaration:
- * <pre>
- * {@literal @Insecure}
- * public void runCommand(String pCmdLine) {
- * }
- * </pre>
- *
- * Based on the example, this piece of source code would be invalid:
- * <pre>{@code
- * String cmdLine = "echo" + " " + "okay";
- * // It is unknown, whether the {@code cmdLine} variable contains a safe value.
- * // Thus, the following should be considered dangerous:
- * runCommand(cmdLine);
- * }</pre>
- *
- * In the following example, however, the value of {@code cmdLine} is
- * supposed to be safe, so it may be used when invoking the {@code runCommand}
- * method.
- * <pre>
- * {@literal @Safe} String cmdLine = "echo" + " " + "okay";
- * // It is unknown, whether the {@code cmdLine} variable contains a safe value.
- * // Thus, the following should be considered dangerous:
- * runCommand(cmdLine);
- * </pre>
- */
-@Retention(RetentionPolicy.RUNTIME)
-@Target({ElementType.LOCAL_VARIABLE, ElementType.FIELD, ElementType.PARAMETER})
-@Documented
-public @interface Safe {
-
-}
diff --git a/src/main/java/org/apache/commons/lang3/annotations/package-info.java b/src/main/java/org/apache/commons/lang3/annotations/package-info.java
deleted file mode 100644
index 720d61069..000000000
--- a/src/main/java/org/apache/commons/lang3/annotations/package-info.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * Provides annotations, that are designed to aim in static code analysis,
- * and other areas of self-describing code. As of this writing, the following
- * annotations are available:
- * <dl>
- * <dt>{@link Insecure}</dt>
- * <dd>Indicates, that a constructor, method, or parameter should only
- * take input, that can be considered as <em>safe</em>.
- * The API user (the downstream developer) is supposed to ensure, by
- * whatever means, that the input is safe, and doesn't trigger any
- * security related issues.</dd>
- * <dt>{@link Safe}</dt>
- * <dd>By annotating a variable with {@code @Safe}, the API user
- * declares, that the variable contains trusted input, that can be
- * used as a parameter in an invocation of a constructor, or method,
- * that is annotated with {@code @Insecure}.</dd>
- * </dl>
- * @since 3.15
- */
-package org.apache.commons.lang3.annotations;