On Fri, Dec 16, 2022 at 5:02 PM Aldrin Leal <ald...@leal.eng.br> wrote:
>
> Hello,
>
> Just a question I'd like to confirm with you guys: How "safe" is to run
> `dependency:tree` on a given arbitrary pom?
>

All that should do is load various XML files from possibly remote
servers and parse them, so it's about as safe as doing that. It
shouldn't trigger the running of any code not already in the maven
dependency plugin and its dependencies. And that is all Java. If you
could find a way to trigger bad behavior by feeding an arbitrary byte
stream into the XML parser in the JDK or the maven-dependency-plugin
and its dependencies, then there could be an issue. I'd guess that it
might be possible to crash or hang Maven by sending sufficiently ugly
malformed XML down the pipe. I'd be surprised if you could get as far
as executing arbitrary code. That would probably require finding a
serious JDK bug. It's possible there is such a bug waiting to be
discovered, but I don't know of any.

-- 
Elliotte Rusty Harold
elh...@ibiblio.org
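As an added example (not part of the thread and not Maven's own code), the following Python script does the pre-flight check a reviewer might want before running `dependency:tree` on a POM they did not write: it lists the remote repositories the POM declares and the coordinates it would ask Maven to resolve, and it refuses a POM that carries a DOCTYPE, since a DOCTYPE is the carrier for the entity-expansion inputs that can hang an XML parser. The sample POM, the `audit_pom` function and the warning about plain-http repositories are all constructed for this illustration.

```python
"""Pre-flight audit of a pom.xml before running `mvn dependency:tree` on it.

Added example, not from the mailing-list thread. It reports what the run
would reach out for (remote repositories, dependency coordinates) and
rejects POMs with a DOCTYPE, the prerequisite for entity-expansion payloads.
"""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: one plain-http repository and two dependencies.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>corp-mirror</id>
      <url>http://repo.example.internal/maven2</url>
    </repository>
  </repositories>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>lib</artifactId>
      <version>1.2.3</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample that must be refused: a DOCTYPE has no business in a POM.
DOCTYPE_POM = """<!DOCTYPE project [<!ENTITY a "aaaa">]>
<project><modelVersion>4.0.0</modelVersion></project>"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> Optional[str]:
    """Text of the first direct child called `name`, ignoring namespaces."""
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def audit_pom(xml_text: str) -> dict:
    """Summarise the remote interactions a dependency:tree run would imply.

    Raises ValueError if the document declares a DOCTYPE.
    """
    if "<!doctype" in xml_text.lower():
        raise ValueError("POM declares a DOCTYPE; refusing to parse it")

    root = ET.fromstring(xml_text)
    report = {"dependencies": [], "repositories": [], "warnings": []}

    for elem in root.iter():
        name = _local(elem.tag)
        if name == "dependency":
            group = _child_text(elem, "groupId")
            artifact = _child_text(elem, "artifactId")
            version = _child_text(elem, "version") or "(unspecified)"
            report["dependencies"].append(f"{group}:{artifact}:{version}")
        elif name in ("repository", "pluginRepository"):
            repo_id = _child_text(elem, "id") or "(no id)"
            url = _child_text(elem, "url") or ""
            is_https = urlparse(url).scheme == "https"
            report["repositories"].append(
                {"id": repo_id, "url": url, "https": is_https}
            )
            if not is_https:
                report["warnings"].append(
                    f"repository {repo_id} is fetched over plain http"
                )
    return report


if __name__ == "__main__":
    summary = audit_pom(SAMPLE_POM)
    for line in summary["dependencies"]:
        print("would resolve:", line)
    for repo in summary["repositories"]:
        print("would contact:", repo["url"])
    for warning in summary["warnings"]:
        print("warning:", warning)
```

The script only reads the file; it performs no network access itself, so it can be run on an untrusted POM before deciding whether to let Maven contact the repositories it lists.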

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
