Hi, I would like to propose that Maven issues a warning when an artifact gets downloaded over http instead of https.
The current security model kind of relies on nobody being able to MITM the download and replace the artifact and checksums with something malicious. That becomes impossible to guarantee when the transfer runs over a transport layer that lacks security. I have attached a very crude patch that implements this behaviour, but I'm sure it needs to be reworked before it's ready to be merged. Do people agree that it would be good to issue those warnings? Best regards, Alexander Kjäll
diff --git a/maven-embedder/src/main/java/org/apache/maven/cli/transfer/AbstractMavenTransferListener.java b/maven-embedder/src/main/java/org/apache/maven/cli/transfer/AbstractMavenTransferListener.java index e72aa47..32a95a7 100644 --- a/maven-embedder/src/main/java/org/apache/maven/cli/transfer/AbstractMavenTransferListener.java +++ b/maven-embedder/src/main/java/org/apache/maven/cli/transfer/AbstractMavenTransferListener.java @@ -19,20 +19,24 @@ * under the License. */ -import java.io.PrintStream; -import java.text.DecimalFormat; -import java.text.DecimalFormatSymbols; -import java.util.Locale; - import org.apache.commons.lang3.Validate; +import org.codehaus.plexus.logging.Logger; +import org.codehaus.plexus.logging.console.ConsoleLogger; import org.eclipse.aether.transfer.AbstractTransferListener; import org.eclipse.aether.transfer.TransferCancelledException; import org.eclipse.aether.transfer.TransferEvent; import org.eclipse.aether.transfer.TransferResource; +import java.io.PrintStream; +import java.text.DecimalFormat; +import java.text.DecimalFormatSymbols; +import java.util.Locale; + public abstract class AbstractMavenTransferListener extends AbstractTransferListener { + private Logger logger = new ConsoleLogger(); + // CHECKSTYLE_OFF: LineLength /** @@ -219,6 +223,10 @@ public void transferInitiated( TransferEvent event ) String type = event.getRequestType() == TransferEvent.RequestType.PUT ? "Uploading" : "Downloading"; TransferResource resource = event.getResource(); + if ( resource.getRepositoryUrl() != null && resource.getRepositoryUrl().startsWith( "http://" ) ) + { + logger.warn( "downloading over insecure transport layer, please use https instead of http." ); + } out.println( type + ": " + resource.getRepositoryUrl() + resource.getResourceName() ); } 
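Review bot: `private Logger logger = new ConsoleLogger();` in the class header creates a private console logger with its default threshold, detached from the logger Maven's CLI actually configures and from the `out` PrintStream this listener already writes to, so the new warning can land in a different sink or at a different level than the surrounding transfer output. Consider taking the logger through the constructor and declaring the field `private final Logger logger;`, or, until injection is available, writing the warning through `out` with the `[WARNING]` prefix the class already uses. The reordering of the `java.*` imports below the `org.*` ones is unrelated to the change and shows up as noise; keeping the original import order reduces the hunk to the two new Plexus imports.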
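Review bot: The warning text hard-codes "downloading" and the comparison `resource.getRepositoryUrl().startsWith( "http://" )` is case-sensitive, so an upload (`type` is "Uploading" at this point) is reported as a download and a repository URL written with an upper-case scheme is not caught; the message also omits which repository is insecure, so the user cannot tell what to fix. Suggest `if ( resource.getRepositoryUrl() != null && resource.getRepositoryUrl().toLowerCase( Locale.ROOT ).startsWith( "http://" ) )` and `logger.warn( type + " over insecure transport from " + resource.getRepositoryUrl() + ", please use https instead of http." );` — `Locale` is already imported in this file. As written the warning fires on every single transfer from such a repository; emitting it once per repository URL would keep the log readable. transferInitiated's signature and opening brace are above the hunk.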
@@ -227,8 +235,8 @@ public void transferCorrupted( TransferEvent event )
 throws TransferCancelledException
 {
 TransferResource resource = event.getResource();
- out.println( "[WARNING] " + event.getException().getMessage() + " for " + resource.getRepositoryUrl()
- + resource.getResourceName() );
+ logger.warn( event.getException().getMessage() + " for " + resource.getRepositoryUrl()
+ + resource.getResourceName() );
 }
 
 @Override
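Review bot: `logger.warn( event.getException().getMessage() + " for " + … )` drops the exception object, so the cause behind a corrupted transfer is no longer available to the log, and a null `getMessage()` is printed as the literal "null for …". Plexus `Logger.warn` has a `(String, Throwable)` overload; passing the exception keeps the cause: `logger.warn( event.getException().getMessage() + " for " + resource.getRepositoryUrl() + resource.getResourceName(), event.getException() );`. Note also that this line previously went to `out` with a `[WARNING]` prefix, so after the change corrupted-transfer notices and the rest of the transfer log are written to different sinks. transferCorrupted's signature line is just above the hunk.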