gradle / actions

A collection of GitHub Actions to accelerate your Gradle Builds on GitHub
https://github.com/marketplace/actions/build-with-gradle
MIT License
147 stars 38 forks

Check if wrapper matches the version specified in properties #282

Open hfhbd opened 1 year ago

hfhbd commented 1 year ago

You could update the Gradle version in the properties but forget to update the wrapper too.

This could also (theoretically) be a security risk: checking in a valid but outdated wrapper that could have vulnerabilities.

Marcono1234 commented 10 months ago

I assume this also has another security advantage: currently the checksum is allowed to match any of the checksums of the 200+[^1] versions. This likely makes it easier (but still difficult) to create a malicious JAR which has a hash collision with any of the 200+ possible checksums than to cause a hash collision with a single checksum.

[^1]: Maybe that number is too high, since multiple versions might use the same wrapper version.
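The difference between the two checks discussed in this issue, as an added example that is not code from the gradle/actions project: the "loose" check accepts a `gradle-wrapper.jar` whose SHA-256 matches any known wrapper checksum, while the "strict" check first reads the Gradle version out of `distributionUrl` in `gradle-wrapper.properties` and accepts only that version's checksum. The jar bytes, the version-to-checksum table and the properties file below are constructed for the example; the table stands in for the per-version wrapper checksums Gradle publishes, which is an assumption about how such a check would be fed in practice. The scenario is the one hfhbd describes: the properties file was bumped to 8.7 but the committed jar is still the 7.6.4 one.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for gradle-wrapper.jar files of three Gradle versions.
# Real wrapper jars are zip archives; only the bytes' hashes matter here.
FAKE_JARS: Dict[str, bytes] = {
    "7.6.4": b"PK\x03\x04 constructed gradle-wrapper.jar for 7.6.4",
    "8.5": b"PK\x03\x04 constructed gradle-wrapper.jar for 8.5",
    "8.7": b"PK\x03\x04 constructed gradle-wrapper.jar for 8.7",
}

# Version -> expected wrapper SHA-256. In a real check this table would come from
# Gradle's published checksums (assumption); here it is derived from the fake jars.
KNOWN_WRAPPER_CHECKSUMS: Dict[str, str] = {v: sha256_hex(j) for v, j in FAKE_JARS.items()}

# Constructed gradle-wrapper.properties that was bumped to 8.7.
# The properties format escapes the colon in the URL as "https\://".
PROPERTIES_8_7 = """\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-8.7-bin.zip
networkTimeout=10000
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
"""


def version_from_properties(properties_text: str) -> Optional[str]:
    """Extract the Gradle version from distributionUrl, e.g. '.../gradle-8.7-bin.zip' -> '8.7'."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("distributionUrl="):
            url = line.split("=", 1)[1].replace("\\:", ":")
            m = re.search(r"/gradle-([0-9][0-9A-Za-z.\-]*?)-(?:bin|all)\.zip$", url)
            return m.group(1) if m else None
    return None


def loose_check(jar: bytes, known: Dict[str, str]) -> bool:
    """The check the issue describes: the jar passes if it matches ANY known wrapper checksum."""
    return sha256_hex(jar) in known.values()


def strict_check(jar: bytes, properties_text: str, known: Dict[str, str]) -> bool:
    """The proposed check: the jar must match the checksum of the version named in the properties."""
    version = version_from_properties(properties_text)
    if version is None or version not in known:
        # Unparseable or unknown version: fail closed rather than fall back to "any version".
        return False
    return hmac.compare_digest(sha256_hex(jar), known[version])


if __name__ == "__main__":
    stale_jar = FAKE_JARS["7.6.4"]  # committed jar was never regenerated after the bump to 8.7
    print("properties version:", version_from_properties(PROPERTIES_8_7))
    print("loose check on stale 7.6.4 jar:", loose_check(stale_jar, KNOWN_WRAPPER_CHECKSUMS))
    print("strict check on stale 7.6.4 jar:", strict_check(stale_jar, PROPERTIES_8_7, KNOWN_WRAPPER_CHECKSUMS))
    print("strict check on matching 8.7 jar:", strict_check(FAKE_JARS["8.7"], PROPERTIES_8_7, KNOWN_WRAPPER_CHECKSUMS))
```

The strict check also shrinks the attacker's target from "any of the 200+ published checksums" to the single checksum of the declared version, which is the second point Marcono1234 raises; the `hmac.compare_digest` call is simply the usual constant-time comparison for hex digests and is not essential to the argument.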