Howdy, just an interesting fact: if we remain in the "Java realm" and are kinda afraid of "arbitrary Java code execution", I'd convert the plugin to the Takari Incremental plugin: https://github.com/takari/io.takari.incrementalbuild

Its runtime "cages" the Mojos and allows them to read from and write to only controlled locations... https://github.com/takari/io.takari.incrementalbuild/tree/master/takari-builder-enforcer

Sadly, it uses SecurityManager to achieve this, which has been deprecated in the latest Java versions...

T

On Fri, Dec 16, 2022 at 10:33 PM Elliotte Rusty Harold <[email protected]> wrote:

> On Fri, Dec 16, 2022 at 5:02 PM Aldrin Leal <[email protected]> wrote:
> >
> > Hello,
> >
> > Just a question I'd like to confirm with you guys: How "safe" is it to run
> > `dependency:tree` on a given arbitrary pom?
> >
>
> All that should do is load various XML files from possibly remote
> servers and parse them, so it's about as safe as doing that. It
> shouldn't trigger the running of any code not already in the maven
> dependency plugin and its dependencies. And that is all Java. If you
> could find a way to trigger bad behavior by feeding an arbitrary byte
> stream into the XML parser in the JDK or the maven-dependency-plugin
> and its dependencies, then there could be an issue. I'd guess that it
> might be possible to crash or hang Maven by sending sufficiently ugly
> malformed XML down the pipe. I'd be surprised if you could get as far
> as executing arbitrary code. That would probably require finding a
> serious JDK bug. It's possible there is such a bug waiting to be
> discovered, but I don't know of any.
>
> --
> Elliotte Rusty Harold
> [email protected]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
