[
https://issues.apache.org/jira/browse/MBUILDCACHE-86?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17839400#comment-17839400
]
ASF GitHub Bot commented on MBUILDCACHE-86:
-------------------------------------------
kbuntrock commented on code in PR #104:
URL:
https://github.com/apache/maven-build-cache-extension/pull/104#discussion_r1573829035
##########
src/main/java/org/apache/maven/buildcache/CacheControllerImpl.java:
##########
@@ -112,13 +114,10 @@
@SuppressWarnings("unused")
public class CacheControllerImpl implements CacheController {
- public static final String FILE_SEPARATOR_SUBST = "_";
- /**
- * Prefix for generated sources stored as a separate artifact in cache
- */
- private static final String BUILD_PREFIX = "build" + FILE_SEPARATOR_SUBST;
-
private static final Logger LOGGER =
LoggerFactory.getLogger(CacheControllerImpl.class);
+ private static final String DEFAULT_FILE_GLOB = "*";
+ public static final String ERROR_MSG_RESTORATION_OUTSIDE_PROJECT =
+ "Blocked an attempt to restore files outside of a project
directory : ";
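Review bot: The removal of the public constant FILE_SEPARATOR_SUBST at the top of this hunk is source-incompatible for any code outside this class that referenced it. If that is intended, the PR description should say so; otherwise keep the constant as deprecated for a release. The new ERROR_MSG_RESTORATION_OUTSIDE_PROJECT is declared public on the implementation class; if its only outside consumer is a test in the same package, package-private visibility is enough. Its text ends in " : ", which suggests the caller concatenates the offending path. A format placeholder would keep the message and its argument in one place, and the space before the colon can be dropped. DEFAULT_FILE_GLOB would benefit from a one-line comment stating what the glob is matched against.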
Review Comment:
Gosh, I should know, it is precisely the reason I got an Apache Jira
account (and my very first contribution to the open source world 😋):
https://issues.apache.org/jira/browse/CXF-7185
> Bugfix and enhancements with the restoration of outputs on disk
> ---------------------------------------------------------------
>
> Key: MBUILDCACHE-86
> URL: https://issues.apache.org/jira/browse/MBUILDCACHE-86
> Project: Maven Build Cache Extension
> Issue Type: Improvement
> Reporter: Kevin Buntrock
> Priority: Major
> Labels: pull-request-available
>
> *Fixes :*
> * Files containing an underscore in their name can't be restored in the
> cache directory correctly (not in the same directory location).
> * The cache is able to extract/restore files in locations outside the
> project. I guess the extraction part is not a vulnerability since someone
> with commit permissions can guess other ways to extract data. But the
> possibility of restoring at any place on the disk looks pretty dangerous to
> me if a remote cache server is compromised.
> *Enhancements :*
> * Possibility to restore artefacts on disk, with a dedicated property :
> maven.build.cache.restoreOnDiskArtefacts (default to true). Meaning in the
> project directory, as opposed to the cache directory.
> ** IDE integration and use of the cache locally in development is way
> easier. It is now possible to retrieve a cached jar in the "target" directory.
> * Introduce "globs" to filter extra attached outputs by filenames.
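The second fix in the issue description above (refusing to restore cached files outside the project) comes down to a path containment check. The following is an added example, not code from the pull request or the extension; the class name, method name and sample paths are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper illustrating the containment check; not the extension's code.
public final class RestorePathCheck {

    /** Resolves a path taken from cache metadata against the project directory, or throws. */
    static Path resolveInsideProject(Path projectDir, String cachedPath) throws IOException {
        Path base = projectDir.toRealPath();                 // canonical form, symlinks resolved
        Path target = base.resolve(Paths.get(cachedPath)).normalize(); // collapses "." and ".."
        // Path.startsWith compares whole name elements, so /work/proj-evil
        // does not pass as a child of /work/proj (String.startsWith would accept it).
        if (!target.startsWith(base)) {
            throw new IOException("Restore target escapes project directory: " + cachedPath);
        }
        // A symlink already on disk could still redirect the write, so check the
        // deepest ancestor that exists after resolving its links.
        Path existing = target;
        while (existing != null && !Files.exists(existing)) {
            existing = existing.getParent();
        }
        if (existing == null || !existing.toRealPath().startsWith(base)) {
            throw new IOException("Restore target leaves project through a link: " + cachedPath);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path project = Files.createTempDirectory("project"); // constructed sample project
        String[] samples = {                                  // constructed cache entries
            "target/classes/A.class",
            "target/my_file.txt",          // underscore in the name is harmless
            "../outside.txt",
            "target/../../outside.txt",
            "/tmp/absolute.txt"
        };
        for (String s : samples) {
            try {
                System.out.println("OK      " + resolveInsideProject(project, s));
            } catch (IOException e) {
                System.out.println("BLOCKED " + e.getMessage());
            }
        }
    }
}
```

The check runs on the normalized, real path rather than on the string stored in the cache, since that string is the part a compromised remote cache controls.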