This is a repost of my post on the CloudBees Developers blog
TL;DR Source control injection attacks are a bigger worry than build tool injection attacks, and if you cannot trust your local filesystem, then you cannot trust anything.
A few exchanges on Twitter have prompted me to write a fuller blog post on the subject of Cross-Build Injection (XBI) attacks.
The idea of XBI is that you trick the developer and replace parts of their code with your code, thereby getting your code to be trusted by the developer.
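As an added example (not part of the original post), the defender-side check this argument implies for the local filesystem: Maven stores a .sha1 sidecar beside each artifact it downloads into the local repository, so the files on disk can be compared against those sidecars. It assumes GNU coreutils sha1sum and a constructed sample repository; the limit the post states still applies, since whoever can replace a jar can rewrite its sidecar too.

```shell
#!/bin/sh
# Added example, not from the original post. Compares every artifact under a
# Maven local repository with the .sha1 sidecar Maven wrote beside it when the
# artifact was downloaded. Assumes GNU coreutils sha1sum. A mismatch shows the
# file changed after download; an attacker who controls the filesystem can
# rewrite the sidecar as well, so this catches accidents, not a hostile host.

# Print one "MISMATCH: <path>" line per artifact whose hash differs.
verify_m2_checksums() {
    find "$1" -type f -name '*.sha1' | while IFS= read -r sidecar; do
        artifact="${sidecar%.sha1}"
        [ -f "$artifact" ] || continue
        # Sidecars hold either the bare hash or "hash  filename"; normalise case
        expected=$(cut -d' ' -f1 < "$sidecar" | tr -d '\r\n' | tr 'A-F' 'a-f')
        actual=$(sha1sum "$artifact" | cut -d' ' -f1)
        [ "$expected" = "$actual" ] || echo "MISMATCH: $artifact"
    done
}

# Number of mismatching artifacts under the given repository root.
count_mismatches() {
    verify_m2_checksums "$1" | grep -c '^MISMATCH: ' || true
}

# Constructed sample repository: one intact artifact and one whose jar was
# overwritten after its checksum sidecar had been written.
make_fixture() {
    dir=$(mktemp -d)
    good="$dir/org/example/good/1.0/good-1.0.jar"
    bad="$dir/org/example/bad/1.0/bad-1.0.jar"
    mkdir -p "$(dirname "$good")" "$(dirname "$bad")"
    printf 'intact jar bytes\n' > "$good"
    sha1sum "$good" | cut -d' ' -f1 > "$good.sha1"
    printf 'jar as downloaded\n' > "$bad"
    sha1sum "$bad" | cut -d' ' -f1 > "$bad.sha1"
    printf 'jar replaced on disk\n' > "$bad"
    echo "$dir"
}

fixture=$(make_fixture)
verify_m2_checksums "$fixture"   # reports only bad-1.0.jar
rm -rf "$fixture"
```

Run it against a real tree with verify_m2_checksums "$HOME/.m2/repository"; artifacts that were built locally with mvn install have no sidecar and are skipped.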
Hamlet: … for there is nothing either good or bad, but thinking makes it so.
— Hamlet Act 2, scene 2, 239–251, William Shakespeare
The Apache Software Foundation is a meritocracy. By this we mean that you gain status based on the merit of your work and actions. In fact, the status that you gain is a recognition of the merit of your work and actions.
Maven is an Apache project, which means that we have to follow the Apache rules and the Apache way. One of those rules is that we cannot hand out commit access to anyone who asks for it.
The following quick-and-dirty bash script takes a POM and a jar and fakes a Maven build tree from whichever of the jar's source files can be found under the current directory.
Really useful when running mvn dependency:analyze on a project whose POMs you are validating.
#!/bin/bash
# Usage: fake-build.sh pomfile jarfile dir
# Rebuilds a Maven source tree under $3 from the classes listed in $2,
# copying the matching .java files found below the current directory.
if [ "A$3" == "A" ]
then
  echo "Syntax: $0 pomfile jarfile dir"
  exit 1
fi
rm -rvf "$3/src"
mkdir -p "$3/src/main/java"
cp -f "$1" "$3/pom.xml"
# List the jar's entries, drop inner classes (names containing $) and
# map each Foo.class to the Foo.java it was compiled from.
for name in $(jar -tf "$2" | sed -n -e "/\\$/d;s/\\.class/.java/p")
do
  echo -n "Looking for $name ... "
  loc="$(find . | fgrep "$name" | head -n 1)"
  if [ "A$loc" == "A" ]
  then
    echo "NOT FOUND"
  else
    echo "$loc"
    mkdir -p "$3/src/main/java/$(dirname "$name")"
    cp "$loc" "$3/src/main/java/$name"
  fi
done
#!/bin/bash
# Rewrites the <scm> block of pom.xml so that its scm:svn: URLs point at the
# Subversion path of the working copy this script is run from.
URL="$(svn info | sed -n -e '/^URL:/{s/URL: *//p}')"
ROOT="$(svn info | sed -n -e "/^Repository Root:/{s/Repository Root: *//p}")"
# Path of this working copy relative to the repository root
NEW_PATH="${URL#$ROOT}"
# Path currently recorded in the POM's <connection> element
OLD_URL="$(sed -n '/< *scm *>/,/< *\/scm *>/p' pom.xml | sed -n '/< *connection *>/,/< *\/ *connection *>/{s/.*connection *> *scm:svn:\([^ <]*\)[ <].*/\1/p}')"
OLD_PATH="${OLD_URL#$ROOT}"
echo "OLD URL: $OLD_URL"
echo "NEW URL: $URL"
echo "ROOT: $ROOT"
echo "OLD PATH: $OLD_PATH"
echo "NEW PATH: $NEW_PATH"
# Swap the old path for the new one, but only inside the <scm> block
# (slashes in both paths are escaped so sed does not treat them as delimiters)
sed -i '/< *scm *>/,/< *\/scm *>/{s/'${OLD_PATH//\//\\\/}'/'${NEW_PATH//\//\\\/}'/}' pom.xml
Works on *nix:
find ~/.m2/repository -type d -name '*-SNAPSHOT' -prune -exec rm -rvf {} \;
By searching for the directories we also catch the timestamped (-YYYYMMDD.HHMMSS) snapshot files that live inside them.
I’ve been meaning to blog about getting transaction management working with OpenEJB and Jetty using jetty:run… it’s still an on-going story… but the following might get you going…
First off, in your pom.xml you need to add the configuration for maven-jetty-plugin… we need to dance around the various activemq/activeio versions and ensure that we get the correct version of ant…
<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.apache.openejb.examples</groupId>
  <artifactId>jetty-openejb</artifactId>
  <packaging>war</packaging>
  <version>1.0-SNAPSHOT</version>
  <name>jetty-openejb Maven Webapp</name>
  <url>http://maven.apache.org</url>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
  <build>
    <finalName>${project.artifactId}</finalName>
    <plugins>
      <plugin>
        <groupId>org.mortbay.jetty</groupId>
        <artifactId>maven-jetty-plugin</artifactId>
        <version>6.1.22</version>
        <dependencies>
          <dependency>
            <groupId>org.apache.activemq</groupId>
            <artifactId>activemq-core</artifactId>
            <version>4.1.1</version>
            <exclusions>
              <exclusion>
                <groupId>commons-logging</groupId>
                <artifactId>commons-logging</artifactId>
              </exclusion>
              <exclusion>
                <groupId>commons-logging</groupId>
                <artifactId>commons-logging-api</artifactId>
              </exclusion>
              <exclusion>
                <groupId>org.apache.activemq</groupId>
                <artifactId>activeio-core</artifactId>
              </exclusion>
            </exclusions>
          </dependency>
          <dependency>
            <groupId>org.apache.activemq</groupId>
            <artifactId>activemq-ra</artifactId>
            <version>4.1.1</version>
            <exclusions>
              <exclusion>
                <groupId>commons-logging</groupId>
                <artifactId>commons-logging</artifactId>
              </exclusion>
              <exclusion>
                <groupId>commons-logging</groupId>
                <artifactId>commons-logging-api</artifactId>
              </exclusion>
              <exclusion>
                <groupId>org.apache.activemq</groupId>
                <artifactId>activeio-core</artifactId>
              </exclusion>
            </exclusions>
          </dependency>
          <dependency>
            <groupId>org.apache.activemq</groupId>
            <artifactId>activeio-core</artifactId>
            <version>3.1.2</version>
            <exclusions>
              <exclusion>
                <groupId>commons-logging</groupId>
                <artifactId>commons-logging</artifactId>
              </exclusion>
              <exclusion>
                <groupId>commons-logging</groupId>
                <artifactId>commons-logging-api</artifactId>
              </exclusion>
            </exclusions>
          </dependency>
          <dependency>
            <groupId>org.apache.openejb</groupId>
            <artifactId>openejb-core</artifactId>
            <version>3.1.2</version>
            <exclusions>
              <exclusion>
                <groupId>org.apache.activemq</groupId>
                <artifactId>activemq-core</artifactId>
              </exclusion>
              <exclusion>
                <groupId>org.apache.activemq</groupId>
                <artifactId>activemq-ra</artifactId>
              </exclusion>
              <exclusion>
                <groupId>org.apache.activemq</groupId>
                <artifactId>activeio-core</artifactId>
              </exclusion>
              <exclusion>
                <groupId>junit</groupId>
                <artifactId>junit</artifactId>
              </exclusion>
            </exclusions>
          </dependency>
          <!-- in order to use the latest version of openejb, we need to exclude
               the dependencies provided in jsp-2.1-jetty -->
          <dependency>
            <groupId>org.mortbay.jetty</groupId>
            <artifactId>jsp-2.1-jetty</artifactId>
            <version>6.1.22</version>
            <exclusions>
              <exclusion>
                <groupId>ant</groupId>
                <artifactId>ant</artifactId>
              </exclusion>
            </exclusions>
          </dependency>
        </dependencies>
        <configuration>
          <jettyConfig>${basedir}/src/main/jetty/jetty.xml</jettyConfig>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
Next we need to configure a src/main/jetty/jetty.xml to bind the UserTransaction instance into jetty…
Note to self, for later reading
http://technology.amis.nl/blog/?p=2610
Not sure why NetBeans is essential for this!
Not perfect, but enough to get you going.
To build with this POM:
You will need to grab the sources from http://downloads.sourceforge.net/jsf-comp/chartcreator-1.2.0.source.zip and extract them into src/main/java.
You will need to grab the jar and extract the three files in its META-INF directory (but not MANIFEST.MF) into src/main/resources/META-INF.
Then you can install away to your heart's content.
<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>net.sf.jsf-comp</groupId>
  <artifactId>chartcreator</artifactId>
  <version>1.2.0-mavenized</version>
  <packaging>jar</packaging>
  <name>ChartCreator</name>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <configuration>
          <source>1.4</source>
          <target>1.4</target>
        </configuration>
      </plugin>
    </plugins>
  </build>
  <dependencies>
    <dependency>
      <groupId>javax.faces</groupId>
      <artifactId>jsf-api</artifactId>
      <version>1.2-b19</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>javax.faces</groupId>
      <artifactId>jsf-impl</artifactId>
      <version>1.2-b19</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>com.sun.facelets</groupId>
      <artifactId>jsf-facelets</artifactId>
      <version>1.1.11</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>javax.servlet.jsp</groupId>
      <artifactId>jsp-api</artifactId>
      <version>2.1</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>javax.portlet</groupId>
      <artifactId>portlet-api</artifactId>
      <version>1.0</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
      <version>2.5</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>jfree</groupId>
      <artifactId>jfreechart</artifactId>
      <version>1.0.5</version>
    </dependency>
  </dependencies>
</project>
Spent ages trying to get close to this… gave up looking at what others had done; here is my version from scratch:
<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>....</groupId>
  <artifactId>....</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>war</packaging>
  <name>....</name>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <configuration>
          <source>1.5</source>
          <target>1.5</target>
        </configuration>
      </plugin>
      <plugin>
        <groupId>org.mortbay.jetty</groupId>
        <artifactId>maven-jetty-plugin</artifactId>
        <version>6.1H.5-beta</version>
        <configuration>
          <contextPath>/</contextPath>
          <scanIntervalSeconds>10</scanIntervalSeconds>
        </configuration>
      </plugin>
    </plugins>
  </build>
  <dependencies>
    <dependency>
      <groupId>javax.faces</groupId>
      <artifactId>jsf-api</artifactId>
      <version>1.2-b19</version>
    </dependency>
    <dependency>
      <groupId>javax.faces</groupId>
      <artifactId>jsf-impl</artifactId>
      <version>1.2-b19</version>
    </dependency>
    <dependency>
      <groupId>com.sun.facelets</groupId>
      <artifactId>jsf-facelets</artifactId>
      <version>1.1.11</version>
    </dependency>
    <dependency>
      <groupId>commons-digester</groupId>
      <artifactId>commons-digester</artifactId>
      <version>1.7</version>
    </dependency>
    <dependency>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
      <version>1.7.0</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2</version>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>jstl</artifactId>
      <version>1.1.0</version>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
      <version>2.5</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>