Skip to content

Ensure Path Traversal is fully addressed in MavenWrapperDownloader #363

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
slawekjaranowski merged 1 commit into from
Sep 2, 2025
Merged

Ensure Path Traversal is fully addressed in MavenWrapperDownloader #363

slawekjaranowski merged 1 commit into from
Sep 2, 2025

Conversation

@hazendaz
Copy link
Contributor

@hazendaz hazendaz commented Aug 26, 2025

The original sanitizing patch is not enough to prevent path traversal. This approach more accurately deals with the security concern.

@slawekjaranowski
Copy link
Member

slawekjaranowski commented Aug 27, 2025

@hazendaz can you show a case where old method allow path traversal and new not
we cen extract it to simple method a use it in test

@slawekjaranowski
Copy link
Member

slawekjaranowski commented Aug 27, 2025

code is used to download

("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$wrapperUrl" "$wrapperJarPath") || rm -f "$wrapperJarPath"

and a variable wrapperJarPath is set in script by

wrapperJarPath="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar"

it looks as constant, so issue is not critical for me

@hazendaz
Copy link
Contributor Author

hazendaz commented Aug 30, 2025

Hi @slawekjaranowski I agree its not critical, in fact its silly and only point is to shut up static scanners that trip on this file. As I have an override on top of maven wrapper, I'm ok that this didn't make the cut. I'll work on testing aspect so maybe this makes it next time. Snyk is also complaining about SSRF as well but all attempts we have made to silence that haven't worked out yet. In either case, any hacker that has access to this would have to also make the wrapper even fall back to this and they would have all the files to change behavior anyways so its not really an issue in that regard other than statically on code it is.

slawekjaranowski
slawekjaranowski approved these changes Sep 2, 2025
View reviewed changes
Copy link
Member

@slawekjaranowski slawekjaranowski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to make a static scanners happy it can be

@slawekjaranowski slawekjaranowski merged commit 366207f into apache:master Sep 2, 2025
21 checks passed
@github-actions github-actions bot added this to the 3.3.4 milestone Sep 2, 2025
@hazendaz hazendaz deleted the path-traversal-fix branch September 21, 2025 21:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@slawekjaranowski slawekjaranowski slawekjaranowski approved these changes

Assignees

@slawekjaranowski slawekjaranowski

Labels

maintenance

Projects

None yet

Milestone

3.3.4

Development

Successfully merging this pull request may close these issues.

2 participants

@hazendaz @slawekjaranowski