This is an automated email from the ASF dual-hosted git repository.
gnodet pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/maven.git
The following commit(s) were added to refs/heads/master by this push:
new f101f3fc07 Fix #12086: filter transitive repos and deps with
uninterpolated expressions (#12088)
f101f3fc07 is described below
commit f101f3fc0787028d52e0927ed41dcba524d207c2
Author: Guillaume Nodet <[email protected]>
AuthorDate: Wed May 20 19:12:50 2026 +0200
Fix #12086: filter transitive repos and deps with uninterpolated
expressions (#12088)
After populateResult() in DefaultArtifactDescriptorReader, filter out
repositories with uninterpolated IDs/URLs and dependencies with
uninterpolated groupId/artifactId/version. This is defense-in-depth
on top of the mergeRepositories filter in DefaultModelBuilder
(commit 9332ad3d55), catching entries that reach the artifact
descriptor reader through any code path.
Co-authored-by: Claude Opus 4.6 <[email protected]>
---
.../resolver/DefaultArtifactDescriptorReader.java | 31 ++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git
a/impl/maven-impl/src/main/java/org/apache/maven/impl/resolver/DefaultArtifactDescriptorReader.java
b/impl/maven-impl/src/main/java/org/apache/maven/impl/resolver/DefaultArtifactDescriptorReader.java
index e584a0682a..4283cfceae 100644
---
a/impl/maven-impl/src/main/java/org/apache/maven/impl/resolver/DefaultArtifactDescriptorReader.java
+++
b/impl/maven-impl/src/main/java/org/apache/maven/impl/resolver/DefaultArtifactDescriptorReader.java
@@ -121,6 +121,7 @@ public ArtifactDescriptorResult readArtifactDescriptor(
Model model = loadPom(session, request, result);
if (model != null) {
populateResult(InternalSession.from(session), result, model);
+ filterUninterpolated(result);
}
return result;
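Review bot: The new `filterUninterpolated(result);` call changes which repositories and dependencies every caller of `readArtifactDescriptor` receives, yet the diffstat lists only DefaultArtifactDescriptorReader.java, so no test pins the behaviour. A unit test that reads a POM with a `${...}` repository URL and a `${...}` dependency version, then asserts both are absent from the result, would guard against regressions. A one-line comment at the call site would also help, for example `// Defense-in-depth: drop repos/deps that still contain "${" after model building`. The body of readArtifactDescriptor starts and ends outside this hunk.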
@@ -436,6 +437,36 @@ private static boolean
hasUninterpolatedExpression(org.apache.maven.api.model.De
|| containsPlaceholder(dependency.getVersion());
}
+ private void filterUninterpolated(ArtifactDescriptorResult result) {
+ result.getRepositories().removeIf(repo -> {
+ if (containsPlaceholder(repo.getId()) ||
containsPlaceholder(repo.getUrl())) {
+ logger.debug("Filtered repository with uninterpolated
expression: {}", repo);
+ return true;
+ }
+ return false;
+ });
+ result.getDependencies().removeIf(dep -> {
+ if (hasUninterpolatedExpression(dep.getArtifact())) {
+ logger.debug("Filtered dependency with uninterpolated
expression: {}", dep);
+ return true;
+ }
+ return false;
+ });
+ result.getManagedDependencies().removeIf(dep -> {
+ if (hasUninterpolatedExpression(dep.getArtifact())) {
+ logger.debug("Filtered managed dependency with uninterpolated
expression: {}", dep);
+ return true;
+ }
+ return false;
+ });
+ }
+
+ private static boolean hasUninterpolatedExpression(Artifact artifact) {
+ return containsPlaceholder(artifact.getGroupId())
+ || containsPlaceholder(artifact.getArtifactId())
+ || containsPlaceholder(artifact.getVersion());
+ }
+
private static boolean containsPlaceholder(String value) {
return value != null && value.contains("${");
}
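Review bot: The three `removeIf` lambdas in `filterUninterpolated` report a dropped entry only through `logger.debug`, and the message never names the artifact whose descriptor contained it, so a build that loses a transitive dependency or repository leaves no trace at default log levels. Because this changes what gets resolved, consider raising the level and naming the owner, e.g. `logger.warn("Filtered dependency with uninterpolated expression from {}: {}", result.getArtifact(), dep);`. The in-place `removeIf` also assumes the lists returned by `getRepositories()`, `getDependencies()` and `getManagedDependencies()` are mutable; populateResult is outside the hunk, so that should be confirmed. `hasUninterpolatedExpression(Artifact)` checks groupId, artifactId and version but not classifier or extension; if that is deliberate, a short Javadoc saying so would prevent a later "fix".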