Open di72nn opened 4 years ago
That doesn't always really work. Some organizations modify their gradlew scripts when updating them in order to, for example, increase the memory the wrapper is given. When doing that, the checksum can't be validated.
That's a fair point, but I still think that there should be an option (or another step in the workflow) to check the scripts for those who don't need to modify them.
@eskatos how difficult would it be to also generate SHA checksums for the gradlew
and gradle.bat
files?
One problem that you'd also run into here is that, unless you had your .gitattributes
(for example) file setup correctly, depending upon the OS that created the repository, you may have different line endings (windows vs unix line endings) in the file, thus causing the SHA checksums to be different.
@JLLeitschuh it shouldn't be difficult. But it'll require work to automate generating the hashes, publishing them where appropriate etc.. You could have a look at how the wrapper jar hashes are handled, it should be similar both in where and how it's done. Then we could update this action to consume them for more validation.
As said above, I wonder what the signal/noise ratio would be given the line endings potential problem and the fact it is intended that people modify it if they need to e.g. change the Gradle client VM options.
I would vote for an opt-out of the additional check (in the sense of security first).
As said above, I wonder what the signal/noise ratio would be given the line endings potential problem and the fact it is intended that people modify it if they need to e.g. change the Gradle client VM options.
1) The verifier could normalize line endings (gradlew
to LF
and gradlew.bat
to CRLF
) before doing the comparison (it might make sense to normalize to LF
always).
2) Frankly speaking, I have not seen a case when users customized gradlew
scripts. I assume an opt-out would really help here: the extra skip-gradlew-scripts-validation: true
would make it explicit that the files are augmented on purpose.
I also agree. While some users may modify their scripts, I have not personally seen it before. It would be incredibly nice to have in order to verify the integrity of the scripts. An opt out is a fine solution in my opinion. And I think normalization of line endings would be the way to go as already mentioned.
If I were to think like an attacker looking to plant some backdoors or whatever, I may need to choose between:
so my chances of being successful seem to be much higher if I go for the script
Also validate
gradlew
andgradlew.bat
scripts. These are not blobs so it is harder to overlook something, but I think these should be checked too.