jmestwa-coder opened a new pull request, #12410:
URL: https://github.com/apache/maven/pull/12410

   Coordinate ids and versions equal to `.` or `..` pass model validation but land as raw directory segments when an artifact is mapped to its local repository path (`groupId/artifactId/version/...`):
   
   - `isValidCoordinatesId`/`isValidId` accept them because every character is individually allowed, so an artifactId of `..` is a path-traversal segment
   - `validateVersion` only bans the filesystem metacharacters, so a dependency version of `..` slips through the same way
   - same gap in the compat maven-model-builder validator and in the wildcard-id variant
   
   Reject `.` and `..` at each check. Regression test added in both modules; it fails on the unpatched validators and passes after.
   
   - [x] Your pull request should address just one issue, without pulling in other changes.
   - [x] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
   - [x] Each commit in the pull request should have a meaningful subject line and body.
   - [x] Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied.
   - [ ] Run `mvn verify` to make sure basic checks pass.
   - [ ] You have run the Core IT successfully.
   - [x] I hereby declare this contribution to be licenced under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
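The following is an added illustration of the problem the pull request describes; it is not code from the PR or from Maven itself. The two "unpatched" validators are a hypothetical approximation of the described behaviour (a per-character allow-list for ids, a metacharacter ban for versions; the exact character sets are an assumption, not copied from Maven), the `localRepoPath` layout is a simplified `groupId/artifactId/version/file` mapping, and the coordinates are constructed. It shows that `..` survives both checks, where the resulting path ends up after normalization, and that an explicit segment check stops it before any path is built.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration (not Maven's own code): stand-ins for the coordinate
// validators described in the PR plus a simplified local-repository layout,
// showing why "." and ".." need an explicit check.
public class CoordinateTraversalDemo {

    // Hypothetical per-character id check: every character is tested on its
    // own, so "." and ".." look fine even though they are path segments.
    static boolean isValidIdUnpatched(String id) {
        if (id == null || id.isEmpty()) return false;
        for (char c : id.toCharArray()) {
            boolean ok = Character.isLetterOrDigit(c) || c == '-' || c == '_' || c == '.';
            if (!ok) return false;
        }
        return true;
    }

    // Hypothetical version check: only filesystem metacharacters are banned
    // (assumed set), so ".." passes here as well.
    static boolean isValidVersionUnpatched(String version) {
        if (version == null || version.isEmpty()) return false;
        for (char c : version.toCharArray()) {
            if ("\\/:\"<>|?*".indexOf(c) >= 0) return false;
        }
        return true;
    }

    // The check the PR proposes: reject the two segment aliases outright,
    // then fall through to the existing character-level rules.
    static boolean isPathSegmentAlias(String s) {
        return ".".equals(s) || "..".equals(s);
    }

    static boolean isValidIdPatched(String id) {
        return !isPathSegmentAlias(id) && isValidIdUnpatched(id);
    }

    static boolean isValidVersionPatched(String version) {
        return !isPathSegmentAlias(version) && isValidVersionUnpatched(version);
    }

    // Simplified local-repository mapping (groupId/artifactId/version/file);
    // Maven's real layout has more to it, but the raw segment joining is the point.
    static Path localRepoPath(Path repoRoot, String groupId, String artifactId,
                              String version, String extension) {
        String file = artifactId + "-" + version + "." + extension;
        return repoRoot
                .resolve(groupId.replace('.', '/'))
                .resolve(artifactId)
                .resolve(version)
                .resolve(file);
    }

    static void show(Path repo, String g, String a, String v) {
        System.out.printf("coordinates %s:%s:%s%n", g, a, v);
        System.out.println("  unpatched id ok?      " + isValidIdUnpatched(a));
        System.out.println("  unpatched version ok? " + isValidVersionUnpatched(v));
        Path raw = localRepoPath(repo, g, a, v, "jar");
        System.out.println("  raw path:             " + raw);
        System.out.println("  normalized path:      " + raw.normalize());
        System.out.println("  patched id ok?        " + isValidIdPatched(a));
        System.out.println("  patched version ok?   " + isValidVersionPatched(v));
    }

    public static void main(String[] args) {
        // Constructed repository root and coordinates for the demonstration.
        Path repo = Paths.get("/home/build/.m2/repository");

        // Case 1: version ".." climbs out of the artifactId directory.
        show(repo, "org.example", "lib", "..");

        // Case 2: artifactId ".." and version ".." climb out of the groupId
        // directories entirely; both pass the unpatched checks.
        show(repo, "org.example", "..", "..");
    }
}
```

Running this prints the unnormalized path with the literal `..` segments and the normalized path that has escaped the intended directory; the patched validators return `false` for both cases before `localRepoPath` is ever called. A check placed at validation time, as the PR does, is preferable to normalizing the path afterwards, because every consumer of the coordinates (repository layout, metadata files, plugin caches) would otherwise have to defend itself separately.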
