[ 
https://issues.apache.org/jira/browse/MWRAPPER-50?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17470928#comment-17470928
 ] 

Premek Vyhnal commented on MWRAPPER-50:
---------------------------------------

[https://github.com/apache/maven-wrapper/blob/efba2bde13feeabfb42e9dc120e8a35c127baf0d/maven-wrapper-distribution/src/resources/mvnw#L207]

Here I'd change the if from (pseudocode)
{code:bash}
if command wget
  use wget
elif command curl
  use curl
else
  compile and use java
fi
{code}
to
{code:bash}
if command wget && command sha1sum
  use wget
  if not sha1sum matches then delete the downloaded file
elif command curl && command sha1sum
  use curl
  if not sha1sum matches then delete the downloaded file
else
  compile and use java
fi
{code}
The Java code would also check the checksum.

Will this work on mac?

In the Windows script there is only one way to download, and the checksum may be 
verified using something like 
{code:none}
# Windows CMD:
C:\> CertUtil -hashfile C:\file.img MD5 | findstr /v "hash"

# Windows PowerShell:
PS C:\> $(CertUtil -hashfile C:\file.img MD5)[1] -replace " ",""
{code}

We can use sha256sum, but sha1 is what is being published (to see it's the same): 
[https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar.sha1]

In the {{mvnw}} script, {{@project.version@}} is replaced (how?), and I suppose 
the checksum value should get there in the same way. Same with 
{{MavenWrapperDownloader.java}}.

I just have to figure out how to get the correct checksum value during build. 
Is it maven-wrapper-distribution that should get the already packaged jar and 
fill in the version (and newly the checksum) in the bash script and the 
Java file?
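The download-then-verify step proposed above, written out as a POSIX sh example (added here, not the project's mvnw). It assumes the build fills in the URL and the published SHA-1 (placeholders below), and it answers the macOS question by falling back to {{shasum -a 1}} where {{sha1sum}} is absent:

```shell
#!/bin/sh
# Added example, not the real mvnw. URL and expected SHA-1 are assumed to be
# substituted at build time (as @project.version@ is); placeholders here.

# Print the SHA-1 of a file with whichever tool the host has:
# sha1sum on Linux, shasum on macOS (which normally lacks sha1sum).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d ' ' -f 1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 1 "$1" | cut -d ' ' -f 1
  else
    return 2   # no hashing tool: caller should fall back to the Java downloader
  fi
}

# verify_sha1 FILE EXPECTED: returns 0 on match; on mismatch the file is
# deleted so a tampered jar is never executed, and 1 is returned.
verify_sha1() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # .sha1 files may vary in case
  actual=$(sha1_of "$file") || return 2
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  rm -f "$file"
  return 1
}

# download_wrapper URL DEST EXPECTED: try wget, then curl, but only when a
# hash tool exists; a non-zero return lets mvnw fall back to compiling Java.
download_wrapper() {
  url=$1; dest=$2; expected=$3
  sha1_of /dev/null >/dev/null 2>&1 || return 2
  if command -v wget >/dev/null 2>&1; then
    wget -q -O "$dest" "$url" || return 1
  elif command -v curl >/dev/null 2>&1; then
    curl -fsSL -o "$dest" "$url" || return 1
  else
    return 2
  fi
  verify_sha1 "$dest" "$expected"
}

# Usage (placeholders, filled in by the build):
# download_wrapper "https://example.invalid/maven-wrapper.jar" \
#   .mvn/wrapper/maven-wrapper.jar "@EXPECTED_SHA1@"
```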
> Verify checksum when downloading maven-wrapper.jar  
> ----------------------------------------------------
>
>                 Key: MWRAPPER-50
>                 URL: https://issues.apache.org/jira/browse/MWRAPPER-50
>             Project: Maven Wrapper
>          Issue Type: Bug
>            Reporter: Premek Vyhnal
>            Priority: Major
>
> Hi,
> Sorry if I just cannot find it,
> but it seems the checksum of the `maven-wrapper.jar` 
> downloaded here is not checked:
> [https://github.com/apache/maven-wrapper/blob/efba2bde13feeabfb42e9dc120e8a35c127baf0d/maven-wrapper-distribution/src/resources/mvnw#L207]
>
> The checksum of the downloaded file should be checked before executing it, to 
> avoid a remote code execution attack on the developer machine.
>

--
This message was sent by Atlassian Jira
(v8.20.1#820001)