This is a repost of my post on the CloudBees Developers blog
TL;DR Source control injection attacks are a bigger worry than build tool injection attacks, and if you cannot trust your local filesystem, then you cannot trust anything.
A few exchanges on Twitter have prompted me to write a fuller blog post on the subject of Cross-Build Injection (XBI) Attacks.
The idea of XBI is that you trick the developer and replace parts of their code with your code, thereby getting your code to be trusted by the developer.
Hamlet: … for there is nothing either good or bad, but thinking makes it so.
Hamlet Act 2, scene 2, 239–251
William Shakespeare
The Apache Software Foundation is a meritocracy. By this we mean that you gain status based on the merit of your work and actions. In fact the status that you gain is a recognition of the merit of your work and actions.
Maven is an Apache project, which means that we have to follow the Apache rules and way. One of those rules is that we cannot hand out commit access to anyone who asks for it.
The following quick and dirty bash script will take a pom and a jar and fake a maven build based on the source files for that jar that can be found in the current directory.
Really useful when running mvn dependency:analyze on a project you are validating POMs for.
#!/bin/bash
# usage check: all three arguments are required
if [ "A$3" == "A" ]
then
echo "Syntax: $0 pomfile jarfile dir"
exit 1
fi
# start from a clean source tree and copy the pom into place
rm -rvf "$3/src"
mkdir -p "$3/src/main/java"
cp -f "$1" "$3/pom.xml"
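The script above stops at staging the pom. As an added example (my own code, not the script from the post), here is one way to carry the idea through: list the jar's entries, and for every top-level .class entry copy the matching .java file from the current directory into src/main/java, keeping the package layout, so that mvn dependency:analyze has real sources to work on. The names stage_sources and fake_build are my own, as is the assumption that sources are laid out either by package path or flat by file name under the directory you run it from; inner classes (Foo$Bar.class) are skipped because their source lives in the outer class's file, and the function fails if any class has no source, rather than silently producing a half-empty tree.

```shell
#!/bin/sh
# Added example, not the blog's script: stage a fake Maven source tree from
# a POM, a jar and a directory of loose .java files.
# Assumptions (mine): the jar is listed with "unzip -Z1"; sources sit under
# SRC_ROOT either in package-path layout or flat by base name.

# stage_sources LISTING SRC_ROOT DEST
#   LISTING is a file of jar entry names, one per line (what
#   "unzip -Z1 foo.jar" or "jar tf foo.jar" print). For each top-level
#   .class entry copy the matching .java file into DEST/src/main/java.
#   Prints "N staged, M without source"; returns non-zero when M > 0.
stage_sources() {
    listing=$1; src_root=$2; dest=$3
    staged=0; missing=0
    mkdir -p "$dest/src/main/java"
    while IFS= read -r entry; do
        case $entry in
            *.class) ;;          # only compiled classes map to sources
            *) continue ;;
        esac
        case $entry in
            *\$*) continue ;;    # inner/anonymous class: source is in the outer file
        esac
        java=${entry%.class}.java
        if [ -f "$src_root/$java" ]; then
            src="$src_root/$java"                      # package-path layout
        elif [ -f "$src_root/$(basename "$java")" ]; then
            src="$src_root/$(basename "$java")"        # flat layout
        else
            missing=$((missing + 1))
            continue
        fi
        mkdir -p "$dest/src/main/java/$(dirname "$java")"
        cp -f "$src" "$dest/src/main/java/$java"
        staged=$((staged + 1))
    done < "$listing"
    echo "$staged staged, $missing without source"
    [ "$missing" -eq 0 ]
}

# fake_build POM JAR DEST: the whole procedure, run from the directory
# that holds the sources.
fake_build() {
    [ $# -eq 3 ] || { echo "Syntax: fake_build pomfile jarfile dir" >&2; return 2; }
    rm -rf "$3/src"
    mkdir -p "$3"
    cp -f "$1" "$3/pom.xml"
    listing=$(mktemp)
    unzip -Z1 "$2" > "$listing" || { rm -f "$listing"; return 1; }
    stage_sources "$listing" "$PWD" "$3"
    rc=$?
    rm -f "$listing"
    return $rc
}
```

After `fake_build some.pom some.jar /tmp/fake` you can `cd /tmp/fake && mvn dependency:analyze`; the "without source" count tells you up front how much of the jar the analysis will not see.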
#!/bin/bash
# current working-copy URL and repository root, taken from svn info
URL="$(svn info | sed -n -e '/^URL:/{s/URL: *//p;}')"
ROOT="$(svn info | sed -n -e '/^Repository Root:/{s/Repository Root: *//p;}')"
NEW_PATH="${URL#$ROOT}"
# the URL currently recorded in the pom's <scm><connection> element
OLD_URL="$(sed -n '/<scm>/,/<\/scm>/p' pom.xml | sed -n '/<connection>/,/<\/connection>/{s/.*<connection>scm:svn:\([^<]*\)<.*/\1/p;}')"
OLD_PATH="${OLD_URL#$ROOT}"
echo "OLD URL: $OLD_URL"
echo "NEW URL: $URL"
echo "ROOT: $ROOT"
echo "OLD PATH: $OLD_PATH"
echo "NEW PATH: $NEW_PATH"
# swap the old path for the new one inside the <scm> block only;
# ${VAR////\/} escapes every slash so the paths can sit inside s/…/…/
sed -i '/<scm>/,/<\/scm>/{s/'${OLD_PATH////\/}'/'${NEW_PATH////\/}'/;}' pom.xml
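The slash-escaping trick in the last line handles only one sed metacharacter; a path like /trunk/foo.plugin still contains a dot that matches any character, and if the pom was already updated the substitution silently matches nothing. As an added example (my own code, not the blog's script) the functions below rewrite the same &lt;scm&gt; block while treating both paths as literals and refusing to touch the file when the old path is not there. The names sed_lit, sed_rep, rewrite_scm_path and scm_connection are mine; svn info is left out so the function can be run on any pom without a working copy, and the sample pom in the test is constructed for the example.

```shell
#!/bin/sh
# Added example, not the blog's script: rewrite the svn path inside the
# <scm> block of a pom.xml from OLD_PATH to NEW_PATH, with both strings
# treated literally and a loud failure when OLD_PATH is not present.

# sed_lit STR: escape STR for use as a literal in a sed basic regex that
# uses | as the s||| delimiter (so . * ^ $ [ ] \ and | are all escaped).
sed_lit() { printf '%s' "$1" | sed 's/[].*^$|[\]/\\&/g'; }

# sed_rep STR: escape \, & and the | delimiter for the replacement side.
sed_rep() { printf '%s' "$1" | sed 's/[\&|]/\\&/g'; }

# rewrite_scm_path POM OLD_PATH NEW_PATH
rewrite_scm_path() {
    pom=$1
    # refuse to edit when the old path does not occur inside <scm>…</scm>;
    # grep -F compares the raw string, so no escaping is needed here
    if ! sed -n '/<scm>/,/<\/scm>/p' "$pom" | grep -qF -- "$2"; then
        echo "rewrite_scm_path: $2 not found inside <scm> in $pom" >&2
        return 1
    fi
    old=$(sed_lit "$2"); new=$(sed_rep "$3")
    sed "/<scm>/,/<\/scm>/s|$old|$new|g" "$pom" > "$pom.tmp" && mv "$pom.tmp" "$pom"
}

# scm_connection POM: print the <connection> URL minus its scm:svn: prefix
scm_connection() {
    sed -n '/<scm>/,/<\/scm>/{s/.*<connection>scm:svn:\([^<]*\)<.*/\1/p;}' "$1"
}
```

Typical use is `rewrite_scm_path pom.xml "$OLD_PATH" "$NEW_PATH"` with the two paths computed exactly as the script above computes them; the non-zero return on a missing path is what makes it safe to run from a loop over many modules.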
Works on *nix:
find ~/.m2/repository -type d -name '*-SNAPSHOT' -exec rm -rvf {} \;
By searching for the directories we should catch the -YYYYMMDD.HHMMSS format of snapshots also.
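Two things bite with that one-liner in practice: an unquoted *-SNAPSHOT is expanded by the shell before find ever sees it if a matching name exists in the current directory, and without -prune find tries to descend into each directory it has just deleted. As an added example (my own code, not the blog's), the functions below quote the pattern, prune, and offer a dry run so you can see what will go before anything is removed. The names list_snapshot_dirs and purge_snapshots are mine, and the repository layout in the test is constructed for the example.

```shell
#!/bin/sh
# Added example, not the blog's one-liner: remove every *-SNAPSHOT version
# directory under a local Maven repository, safely.

# list_snapshot_dirs REPO: print the snapshot directories, one per line.
# The quoted glob keeps the shell from expanding it; -prune stops find
# from walking into a directory that is itself going to be removed.
list_snapshot_dirs() {
    find "$1" -type d -name '*-SNAPSHOT' -prune -print
}

# purge_snapshots REPO [--dry-run]: delete the snapshot directories, or
# with --dry-run only list them. Returns 1 if REPO does not exist.
purge_snapshots() {
    repo=$1
    [ -d "$repo" ] || { echo "purge_snapshots: no such directory: $repo" >&2; return 1; }
    if [ "$2" = "--dry-run" ]; then
        list_snapshot_dirs "$repo"
        return 0
    fi
    # "{} +" hands many directories to a single rm instead of one per match
    find "$repo" -type d -name '*-SNAPSHOT' -prune -exec rm -rf {} +
}
```

`purge_snapshots ~/.m2/repository --dry-run` first, then without the flag; because only directories are matched, the timestamped snapshot jars inside them go with their version directory, and a stray file whose name happens to end in -SNAPSHOT is left alone.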
I've been meaning to blog about getting transaction management working with OpenEJB and Jetty using jetty:run… it's still an on-going story… but the following might get you going…
First off, in your pom.xml you need to add the configuration for maven-jetty-plugin… we need to dance around the various activemq/activeio versions and ensure that we get the correct version of ant…
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.apache.openejb.examples</groupId>
<artifactId>jetty-openejb</artifactId>
<packaging>war</packaging>
<version>1.0-SNAPSHOT</version>
<name>jetty-openejb Maven Webapp</name>
<url>http://maven.apache.org</url>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<finalName>${project.artifactId}</finalName>
<plugins>
<plugin>
<groupId>org.mortbay.jetty</groupId>
<artifactId>maven-jetty-plugin</artifactId>
<version>6.1.22</version>
<dependencies>
<dependency>
<groupId>org.apache.activemq</groupId>
<artifactId>activemq-core</artifactId>
<version>4.1.1</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.activemq</groupId>
<artifactId>activeio-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.activemq</groupId>
<artifactId>activemq-ra</artifactId>
<version>4.1.1</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.activemq</groupId>
<artifactId>activeio-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.activemq</groupId>
<artifactId>activeio-core</artifactId>
<version>3.1.2</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.openejb</groupId>
<artifactId>openejb-core</artifactId>
<version>3.1.2</version>
<exclusions>
<exclusion>
<groupId>org.apache.activemq</groupId>
<artifactId>activemq-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.activemq</groupId>
<artifactId>activemq-ra</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.activemq</groupId>
<artifactId>activeio-core</artifactId>
</exclusion>
<exclusion>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.mortbay.jetty</groupId>
<artifactId>jsp-2.1-jetty</artifactId>
<version>6.1.22</version>
<exclusions>
<exclusion>
<groupId>ant</groupId>
<artifactId>ant</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
<configuration>
<jettyConfig>${basedir}/src/main/jetty/jetty.xml</jettyConfig>
</configuration>
</plugin>
</plugins>
</build>
</project>
Next we need to configure a src/main/jetty/jetty.xml to bind the UserTransaction instance into jetty… (only the values of that listing survive here: java.naming.factory.initial, org.apache.openejb.client.LocalInitialContextFactory and openejb:TransactionManager) And presto-chango, now jetty has a transaction manager provided by openejb.
(Note: if we don't mind storing that in a jetty-env in /WEB-INF, you can put the same config in WEB-INF/jetty-env.xml)
OK, so here are the issues:
Reloading does not work (because org.apache.openejb.core.ivm.naming.IvmContext does not support the destroySubcontext(Context) method).
We are using jetty's JNDI provider in the web-app and openejb's JNDI provider for the EJBs… this is because when jetty binds names to JNDI (using org.mortbay.jetty.plus.naming.Resource or org.mortbay.jetty.plus.naming.Transaction) it binds the object to JNDIName and it also binds a NamingEntry for the object to __/JNDIName. Unfortunately, openejb's JNDI implementation seems to be somewhat strange in this regard… if we add the SystemProperties to jetty to have it use openejb's JNDI implementation, e.g. add the following to /project/build/plugins/plugin[maven-jetty-plugin]/configuration/systemProperties
<systemProperty>
<name>java.naming.factory.initial</name>
<value>org.apache.openejb.client.LocalInitialContextFactory</value>
</systemProperty>
then when we bind /UserTransaction it gets bound to openejb:/UserTransaction but when we lookup /UserTransaction openejb looks up openejb:local//UserTransaction. And that is just for starters… there seems to be a whole host of other JNDI strangeness between jetty's side and openejb's side.
The side effect of all this is that if you want resource refs to work correctly, you need to fish them out of openejb's JNDI context and push them into jetty's JNDI context. In any case this is at least a start!
Note to self, for later reading
http://technology.amis.nl/blog/?p=2610
Not sure why NetBeans is essential on this!
Not perfect, but enough to get you going.
To build with this pom:
You will need to grab the sources from http://downloads.sourceforge.net/jsf-comp/chartcreator-1.2.0.source.zip and extract into src/main/java
You will need to grab the jar and extract the three files in the META-INF (not MANIFEST.MF) into src/main/resources/META-INF
Then you can install away to your heart's content.
<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>net.sf.jsf-comp</groupId>
<artifactId>chartcreator</artifactId>
<version>1.2.0-mavenized</version>
<packaging>jar</packaging>
<name>ChartCreator</name>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.4</source>
<target>1.4</target>
</configuration>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>javax.faces</groupId>
<artifactId>jsf-api</artifactId>
<version>1.2-b19</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.faces</groupId>
<artifactId>jsf-impl</artifactId>
<version>1.2-b19</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.sun.facelets</groupId>
<artifactId>jsf-facelets</artifactId>
<version>1.1.11</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>2.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.portlet</groupId>
<artifactId>portlet-api</artifactId>
<version>1.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>jfree</groupId>
<artifactId>jfreechart</artifactId>
<version>1.0.5</version>
</dependency>
</dependencies>
</project>
Spent ages trying to get close to this… gave up looking at what others had done; here is my version from scratch:
<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>....</groupId>
<artifactId>....</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>war</packaging>
<name>....</name>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.5</source>
<target>1.5</target>
</configuration>
</plugin>
<plugin>
<groupId>org.mortbay.jetty</groupId>
<artifactId>maven-jetty-plugin</artifactId>
<version>6.1H.5-beta</version>
<configuration>
<contextPath>/</contextPath>
<scanIntervalSeconds>10</scanIntervalSeconds>
</configuration>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>javax.faces</groupId>
<artifactId>jsf-api</artifactId>
<version>1.2-b19</version>
</dependency>
<dependency>
<groupId>javax.faces</groupId>
<artifactId>jsf-impl</artifactId>
<version>1.2-b19</version>
</dependency>
<dependency>
<groupId>com.sun.facelets</groupId>
<artifactId>jsf-facelets</artifactId>
<version>1.1.11</version>
</dependency>
<dependency>
<groupId>commons-digester</groupId>
<artifactId>commons-digester</artifactId>
<version>1.7</version>
</dependency>
<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>1.7.0</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.1.0</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
<scope>provided</scope>
</dependency>
</dependencies>
</project>