[ https://issues.apache.org/jira/browse/MBUILDCACHE-86?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17839400#comment-17839400 ]
ASF GitHub Bot commented on MBUILDCACHE-86: ------------------------------------------- kbuntrock commented on code in PR #104: URL: https://github.com/apache/maven-build-cache-extension/pull/104#discussion_r1573829035 ########## src/main/java/org/apache/maven/buildcache/CacheControllerImpl.java: ########## @@ -112,13 +114,10 @@ @SuppressWarnings("unused") public class CacheControllerImpl implements CacheController { - public static final String FILE_SEPARATOR_SUBST = "_"; - /** - * Prefix for generated sources stored as a separate artifact in cache - */ - private static final String BUILD_PREFIX = "build" + FILE_SEPARATOR_SUBST; - private static final Logger LOGGER = LoggerFactory.getLogger(CacheControllerImpl.class); + private static final String DEFAULT_FILE_GLOB = "*"; + public static final String ERROR_MSG_RESTORATION_OUTSIDE_PROJECT = + "Blocked an attempt to restore files outside of a project directory : "; Review Comment: Gosh, I should know, it is precisely the reason how I got a Apache Jira account (and my very first contribution to the open source world 😋) : https://issues.apache.org/jira/browse/CXF-7185 > Bugfix and enhancements with the restoration of outputs on disk > --------------------------------------------------------------- > > Key: MBUILDCACHE-86 > URL: https://issues.apache.org/jira/browse/MBUILDCACHE-86 > Project: Maven Build Cache Extension > Issue Type: Improvement > Reporter: Kevin Buntrock > Priority: Major > Labels: pull-request-available > > *Fixes :* > * Files containing an underscore in their name can't be restored in the > cache directory correctly (not in the same directory location). > * The cache is able to extract/restore files in locations outside the > project. I guess the extraction part is not a vulnerability since someone > with commit permissions can guess other ways to extract data. But the > possibility of restoring at any place on the disk looks pretty dangerous to > me if a remote cache server is compromised. > *Enhancements :* > * Possibility to restore artefacts on disk, with a dedicated property : > maven.build.cache.restoreOnDiskArtefacts (default to true). Meaning in the > project directory, as opposed to the cache directory. > ** IDE integration and use of the cache locally in developement is way > easier. It is now possible to retrieve a cached jar in the "target" directory. > * Introduce "globs" to filter extra attached outputs by filenames. -- This message was sent by Atlassian Jira (v8.20.10#820010)