Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[maven plugin] fix security issues #8795

Merged
merged 2 commits into from
Feb 24, 2021
Merged

[maven plugin] fix security issues #8795

merged 2 commits into from
Feb 24, 2021

Conversation

wing328
Copy link
Member

@wing328 wing328 commented Feb 22, 2021
edited
Loading

  • Use Files.createTempFile instead

cc @OpenAPITools/generator-core-team

PR checklist

  • Read the contribution guidelines.
  • Pull Request title clearly describes the work in the pull request and Pull Request description provides details about how to validate the work. Missing information here may result in delayed response from the community.
  • Run the following to build the project and update samples: 
    ./mvnw clean package 
./bin/generate-samples.sh
./bin/utils/export_docs_generators.sh
    Commit all changed files.
    This is important, as CI jobs will verify all generator outputs of your HEAD commit as it would merge with master.
    These must match the expectations made by your contribution.
    You may regenerate an individual generator by passing the relevant config(s) as an argument to the script, for example ./bin/generate-samples.sh bin/configs/java*.
    For Windows users, please run the script in Git BASH.
  • File the PR against the correct branch: master, 5.1.x, 6.0.x
  • If your PR is targeting a particular programming language, @mention the technical committee members, so they are more likely to review the pull request.

@wing328 wing328 changed the title use Files.createTempFile in maven plugin to avoid security issues Use Files.createTempFile in maven plugin to avoid security issues Feb 22, 2021
@wing328 wing328 added this to the 5.1.0 milestone Feb 22, 2021
@wing328 wing328 changed the title Use Files.createTempFile in maven plugin to avoid security issues [maven plugin] fix security issues Feb 22, 2021
JLLeitschuh
JLLeitschuh reviewed Feb 22, 2021
View reviewed changes
...penapi-generator-maven-plugin/src/main/java/org/openapitools/codegen/plugin/CodeGenMojo.java
Comment on lines +761 to +764
if (!parent.mkdirs()) {
throw new RuntimeException("Failed to create the folder " + parent.getAbsolutePath() +
" to store the checksum of the input spec.");
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having a hard time spotting where the temporary directory comes from that could sink to this location. Can you point out the line?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change simply checks to ensure the directory is created successfully. This is not to say without these lines, there's a security issue.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense!

@wing328 wing328 marked this pull request as ready for review February 23, 2021 03:32
@wing328 wing328 requested a review from jimschubert as a code owner February 23, 2021 03:32
@wing328 wing328 removed the request for review from jimschubert February 23, 2021 16:34
spacether
spacether approved these changes Feb 23, 2021
View reviewed changes
Copy link
Contributor

@spacether spacether left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

@wing328 wing328 merged commit 9180593 into master Feb 24, 2021
@wing328 wing328 deleted the fix-maven-plugin-tmp-file branch February 24, 2021 03:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JLLeitschuh JLLeitschuh JLLeitschuh left review comments

@spacether spacether spacether approved these changes

Assignees
No one assigned
Labels
Issue: Security OpenAPI Generator Maven Plugin
Projects
None yet
Milestone
5.1.0
Development

Successfully merging this pull request may close these issues.
3 participants
@wing328 @JLLeitschuh @spacether