This is an automated email from the ASF dual-hosted git repository. gnodet pushed a commit to branch opaque-earth in repository https://gitbox.apache.org/repos/asf/maven.git
commit a5fd3896ff9a2f3eb790d34707505a44b14e6c31 Author: Guillaume Nodet <[email protected]> AuthorDate: Mon May 18 22:56:05 2026 +0200 Fix #12086: filter transitive repos and deps with uninterpolated expressions After populateResult() in DefaultArtifactDescriptorReader, filter out repositories with uninterpolated IDs/URLs and dependencies with uninterpolated groupId/artifactId/version. This is defense-in-depth on top of the mergeRepositories filter in DefaultModelBuilder (commit 9332ad3d55), catching entries that reach the artifact descriptor reader through any code path. Co-Authored-By: Claude Opus 4.6 <[email protected]> --- .../resolver/DefaultArtifactDescriptorReader.java | 35 ++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/impl/maven-impl/src/main/java/org/apache/maven/impl/resolver/DefaultArtifactDescriptorReader.java b/impl/maven-impl/src/main/java/org/apache/maven/impl/resolver/DefaultArtifactDescriptorReader.java index 4d0b65c594..34a88c6edd 100644 --- a/impl/maven-impl/src/main/java/org/apache/maven/impl/resolver/DefaultArtifactDescriptorReader.java +++ b/impl/maven-impl/src/main/java/org/apache/maven/impl/resolver/DefaultArtifactDescriptorReader.java @@ -121,6 +121,7 @@ public ArtifactDescriptorResult readArtifactDescriptor( Model model = loadPom(session, request, result); if (model != null) { populateResult(InternalSession.from(session), result, model); + filterUninterpolated(result); } return result; @@ -422,6 +423,40 @@ private Exclusion convert(org.apache.maven.api.model.Exclusion exclusion) { return new Exclusion(exclusion.getGroupId(), exclusion.getArtifactId(), "*", "*"); } + private void filterUninterpolated(ArtifactDescriptorResult result) { + result.getRepositories().removeIf(repo -> { + if (containsPlaceholder(repo.getId()) || containsPlaceholder(repo.getUrl())) { + logger.debug("Filtered repository with uninterpolated expression: {}", repo); + return true; + } + return false; + }); + result.getDependencies().removeIf(dep -> { + if (hasUninterpolatedExpression(dep.getArtifact())) { + logger.debug("Filtered dependency with uninterpolated expression: {}", dep); + return true; + } + return false; + }); + result.getManagedDependencies().removeIf(dep -> { + if (hasUninterpolatedExpression(dep.getArtifact())) { + logger.debug("Filtered managed dependency with uninterpolated expression: {}", dep); + return true; + } + return false; + }); + } + + private static boolean hasUninterpolatedExpression(Artifact artifact) { + return containsPlaceholder(artifact.getGroupId()) + || containsPlaceholder(artifact.getArtifactId()) + || containsPlaceholder(artifact.getVersion()); + } + + private static boolean containsPlaceholder(String value) { + return value != null && value.contains("${"); + } + private void setArtifactProperties(ArtifactDescriptorResult result, Model model) { DistributionManagement distributionManagement = model.getDistributionManagement(); if (distributionManagement != null) {
