jmestwa-coder commented on PR #12410:
URL: https://github.com/apache/maven/pull/12410#issuecomment-4882027244
Thanks for the review, went through each point:
- groupId traversal: the local repo layout maps groupId dots to path
separators (`groupId.replace('.', '/')`), so `org..evil` becomes `org//evil`,
an empty segment rather than a `..` component. Since `.` is the delimiter, a
groupId can't produce a literal `..` path segment through that mapping, so
there's no separate per-segment gap to close. The raw-segment vectors are
artifactId and version (used verbatim as path components), and both are already
rejected. I did add a groupId `..` case to the tests to lock that behavior in.
- tests: added coverage for `.` as an artifactId and as a dependency
version, plus groupId `..`, alongside the existing `..` cases. Impl is now 83
tests, compat 72, both green.
- ci: ran `mvn test` on both modules and `spotless:check` locally, all pass.
Full `mvn verify` / core ITs will run on the branch.
- issue ref: recent commits here reference GitHub issues (`[#nnnn]`) rather
than MNG. Happy to open a tracking issue and reference it in the commit, or
file under MNG instead if you prefer that for security fixes. Let me know which
and I'll amend.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]