From e39d92f447ae78611fdc7a8d48054751693c6055 Mon Sep 17 00:00:00 2001
From: Snjezana Peco
Date: Wed, 13 May 2020 21:59:54 +0200
Subject: [PATCH] Check gradle-wrapper.jar
Signed-off-by: Snjezana Peco
---
 README.md | 1 +
 package.json | 26 ++++++++++++++++++++++++++
 src/extension.ts | 9 ++++++++-
 src/settings.ts | 45 +++++++++++++++++++++++++++++++++++++++++++--
 4 files changed, 78 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 6b2baea67..6543d0907 100644
--- a/README.md
+++ b/README.md
@@ -165,6 +165,7 @@ New in 0.62.0:
 - `autoApply`: Always automatically update the imports and package declarations.
 - `preview`: Always preview the changes before applying.
 - `prompt`: Ask user to confirm whether to bypass refactor preview.
+* `java.imports.gradle.wrapper.checksums`: Defines allowed/disallowed SHA-256 checksums of Gradle Wrappers.
 Semantic Highlighting
 ===============
diff --git a/package.json b/package.json
index 3cb65138e..07d200e62 100644
--- a/package.json
+++ b/package.json
@@ -557,6 +557,32 @@
 "description": "Specifies whether to update imports and package declarations when renaming files from File Explorer.",
 "default": "prompt",
 "scope": "window"
+ },
+ "java.imports.gradle.wrapper.checksums": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "default": {},
+ "required": [
+ "sha256"
+ ],
+ "properties": {
+ "sha256": {
+ "type": "string",
+ "label": "SHA-256 checksum."
+ },
+ "allowed": {
+ "type": "boolean",
+ "default": true,
+ "label": "Is allowed?"
+ }
+ },
+ "additionalProperties": false,
+ "uniqueItems": true
+ },
+ "description": "Defines allowed/disallowed SHA-256 checksums of Gradle Wrappers",
+ "default": null,
+ "scope": "application"
 }
 }
 },
diff --git a/src/extension.ts b/src/extension.ts
index 428475b50..c3bc8e07b 100644
--- a/src/extension.ts
+++ b/src/extension.ts
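Review bot: In the package.json hunk, `"uniqueItems": true` sits inside the `items` object schema, where it has no effect; it is an array keyword and belongs next to `"type": "array"`. The `sha256` property accepts any string, so a truncated or mistyped digest is stored without complaint and simply never matches; adding `"pattern": "^[a-fA-F0-9]{64}$"` would reject malformed values when the setting is edited. `"default": null` also disagrees with the declared `"type": "array"`, and `"default": []` would match what the reading code falls back to. `label` does not appear to be a keyword the settings schema uses for property text, so `description` is probably what was meant there.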
@@ -23,7 +23,7 @@ import * as refactorAction from './refactorAction';
 import * as pasteAction from './pasteAction';
 import * as net from 'net';
 import { getJavaConfiguration, deleteDirectory } from './utils';
-import { onConfigurationChange, excludeProjectSettingsFiles, getJavaServerMode, ServerMode } from './settings';
+import { onConfigurationChange, excludeProjectSettingsFiles, getJavaServerMode, ServerMode, setGradleWrapperChecksum } from './settings';
 import { logger, initializeLogFile } from './log';
 import glob = require('glob');
 import { SnippetCompletionProvider } from './snippetCompletionProvider';
@@ -132,6 +132,7 @@ export function activate(context: ExtensionContext): Promise {
 enableJavadocSymbols();
+ const GRADLE_CHECKSUM = "gradle/checksum/prompt";
 return requirements.resolveRequirements(context).catch(error => {
 // show error
 window.showErrorMessage(error.message, error.label).then((selection) => {
@@ -181,6 +182,7 @@ export function activate(context: ExtensionContext): Promise {
 moveRefactoringSupport: true,
 clientHoverProvider: true,
 clientDocumentSymbolProvider: true,
+ gradleChecksumWrapperPromptSupport: true
 },
 triggerFiles,
 },
@@ -373,6 +375,10 @@ export function activate(context: ExtensionContext): Promise {
 commands.executeCommand(params.command, ...params.arguments);
 });
+ context.subscriptions.push(commands.registerCommand(GRADLE_CHECKSUM, (wrapper: string, sha256: string) => {
+ setGradleWrapperChecksum(wrapper, sha256);
+ }));
+
 context.subscriptions.push(commands.registerCommand(Commands.SHOW_JAVA_REFERENCES, (uri: string, position: LSPosition, locations: LSLocation[]) => {
 commands.executeCommand(Commands.SHOW_REFERENCES, Uri.parse(uri), languageClient.protocol2CodeConverter.asPosition(position), locations.map(languageClient.protocol2CodeConverter.asLocation));
 }));
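Review bot: The `gradle/checksum/prompt` handler in the last hunk forwards `wrapper` and `sha256` to `setGradleWrapperChecksum` unchecked, and a registered command can be invoked by callers other than the language server. Because the prompt ends in a persisted trust decision, the handler should refuse anything that is not a string path and a 64-character hex digest before a dialog is shown, for example `if (typeof wrapper !== 'string' || !/^[a-f0-9]{64}$/i.test(sha256)) { return; }`. `GRADLE_CHECKSUM` is declared as a local inside `activate` (second hunk), while the neighbouring registrations take their ids from `Commands`; putting it there with a short comment on who sends it would be consistent. `activate` starts and ends outside these hunks.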
@@ -631,6 +637,7 @@ function setProjectConfigurationUpdate(languageClient: LanguageClient, uri: Uri,
 projectConfigurationUpdate(languageClient, uri);
 }
 }
+
 function isJavaConfigFile(path: String) {
 return path.endsWith('pom.xml') || path.endsWith('.gradle');
 }
diff --git a/src/settings.ts b/src/settings.ts
index ef684fb37..90f604242 100644
--- a/src/settings.ts
+++ b/src/settings.ts
@@ -21,6 +21,7 @@ const EXCLUDE_FILE_CONFIG = 'configuration.checkProjectSettingsExclusions';
 export const ORGANIZE_IMPORTS_ON_PASTE = 'actionsOnPaste.organizeImports'; // java.actionsOnPaste.organizeImports
 let oldConfig: WorkspaceConfiguration = getJavaConfiguration();
+const gradleWrapperPromptDialogs = [];
 export function onConfigurationChange(languageClient: LanguageClient, context: ExtensionContext) {
 return workspace.onDidChangeConfiguration(params => {
@@ -123,13 +124,13 @@ export function getJavaEncoding(): string {
 }
 export async function checkJavaPreferences(context: ExtensionContext) {
+ const allow = 'Allow';
+ const disallow = 'Disallow';
 let javaHome = workspace.getConfiguration().inspect('java.home').workspaceValue;
 let isVerified = javaHome === undefined || javaHome === null;
 if (isVerified) {
 javaHome = getJavaConfiguration().get('home');
 }
- const allow = 'Allow';
- const disallow = 'Disallow';
 const key = getKey(IS_WORKSPACE_JDK_ALLOWED, context.storagePath, javaHome);
 const globalState = context.globalState;
 if (!isVerified) {
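Review bot: `gradleWrapperPromptDialogs` in the first settings.ts hunk is declared as a bare `[]`, so it carries no element type and no hint of what it tracks. From its use later in the patch it holds the checksums whose prompt is currently open; `const gradleWrapperPromptDialogs: string[] = [];` with a one-line comment saying so would document that. A `Set<string>` would fit the membership test and removal as well, though that is optional.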
@@ -204,3 +205,43 @@ export function getJavaServerMode(): ServerMode {
 return workspace.getConfiguration().get('java.server.launchMode') || ServerMode.HYBRID;
 }
+
+export function setGradleWrapperChecksum(wrapper: string, sha256?: string) {
+ const opened = gradleWrapperPromptDialogs.filter(v => (v === sha256));
+ if (opened !== null && opened.length > 0) {
+ return;
+ }
+ gradleWrapperPromptDialogs.push(sha256);
+ const allow = 'Trust';
+ const disallow = 'Do not trust';
+ window.showErrorMessage(`"Security Warning! The gradle wrapper '${wrapper}'" [sha256 '${sha256}'] [could be malicious](https://github.com/redhat-developer/vscode-java/wiki/Gradle-Support#suspicious.wrapper). Should it be trusted?";`, disallow, allow)
+ .then(async selection => {
+ let allowed;
+ if (selection === allow) {
+ allowed = true;
+ } else if (selection === disallow) {
+ allowed = false;
+ } else {
+ unregisterGradleWrapperPromptDialog(sha256);
+ return false;
+ }
+ const key = "java.imports.gradle.wrapper.checksums";
+ let property: any = workspace.getConfiguration().inspect(key).globalValue;
+ if (!Array.isArray(property)) {
+ property = [];
+ }
+ const entry = property.filter(p => (p.sha256 === sha256));
+ if (entry === null || entry.length === 0) {
+ property.push({ sha256: sha256, allowed: allowed });
+ workspace.getConfiguration().update(key, property, ConfigurationTarget.Global);
+ }
+ unregisterGradleWrapperPromptDialog(sha256);
+ });
+}
+
+function unregisterGradleWrapperPromptDialog(sha256: string) {
+ const index = gradleWrapperPromptDialogs.indexOf(sha256);
+ if (index > -1) {
+ gradleWrapperPromptDialogs.splice(index, 1);
+ }
+}
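Review bot: When an entry for this `sha256` already exists in `java.imports.gradle.wrapper.checksums`, `setGradleWrapperChecksum` drops the user's answer, so a checksum trusted earlier stays `allowed: true` even after "Do not trust" is chosen. The same block pushes onto the array returned by `inspect(key).globalValue` and does not await `update(...)`, so a failed write goes unreported and the prompt is unregistered before the setting is saved. The message template also still contains stray `"` characters and a trailing `";`, which will appear in the dialog text. A possible shape for the persistence part follows.

```typescript
// … unchanged: prompt, and mapping of the selection to `allowed` …
const key = "java.imports.gradle.wrapper.checksums";
const current = workspace.getConfiguration().inspect(key).globalValue;
// filter() builds a new array, so the value returned by inspect() is not mutated,
// and an older entry for this checksum is replaced by the decision just made
const checksums = (Array.isArray(current) ? current : []).filter(p => p.sha256 !== sha256);
checksums.push({ sha256: sha256, allowed: allowed });
try {
    await workspace.getConfiguration().update(key, checksums, ConfigurationTarget.Global);
} finally {
    // release the "prompt open" marker only once the write has settled
    unregisterGradleWrapperPromptDialog(sha256);
}
```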