Fail the build when an insecure XML parser is detected (#827)
* Fail the build when an insecure XML parser is detected. As described in a prior release and in gradle/gradle#26672, the insecure parser causes confusing build errors. Thanks @hvisser for the idea to check upfront to give users a clearer error message and point them towards a fix. * resolve lint warnings
Showing
3 changed files
with
42 additions
and
11 deletions.
41 changes: 36 additions & 5 deletions
41
gradle-versions-plugin/src/main/kotlin/com/github/benmanes/gradle/versions/VersionsPlugin.kt
@@ -1,24 +1,55 @@ | ||
package com.github.benmanes.gradle.versions | ||
|
||
import com.github.benmanes.gradle.versions.updates.DependencyUpdatesTask | ||
import org.gradle.api.GradleException | ||
import org.gradle.api.Plugin | ||
import org.gradle.api.Project | ||
import org.gradle.util.GradleVersion | ||
import org.xml.sax.SAXException | ||
import javax.xml.parsers.SAXParserFactory | ||
|
||
/** | ||
* Registers the plugin's tasks. | ||
*/ | ||
class VersionsPlugin : Plugin<Project> { | ||
override fun apply(project: Project) { | ||
if (GradleVersion.current() < GradleVersion.version("5.0")) { | ||
project.logger | ||
.error("Gradle 5.0 or greater is required to apply the com.github.ben-manes.versions plugin.") | ||
return | ||
} | ||
requireMinimumGradleVersion() | ||
requireSupportedSaxParser() | ||
|
||
val tasks = project.tasks | ||
if (!tasks.getNames().contains("dependencyUpdates")) { | ||
tasks.register("dependencyUpdates", DependencyUpdatesTask::class.java) | ||
} | ||
} | ||
|
||
private fun requireMinimumGradleVersion() { | ||
if (GradleVersion.current() < GradleVersion.version("5.0")) { | ||
throw GradleException("Gradle 5.0 or greater is required to apply the com.github.ben-manes.versions plugin.") | ||
} | ||
} | ||
|
||
private fun requireSupportedSaxParser() { | ||
val isRestrictedInPatch = GradleVersion.current() >= GradleVersion.version("7.6.3") && | ||
GradleVersion.current() <= GradleVersion.version("8.0") | ||
val isRestrictedInMajor = GradleVersion.current() >= GradleVersion.version("8.4") | ||
|
||
if (isRestrictedInPatch || isRestrictedInMajor) { | ||
try { | ||
val factory = SAXParserFactory.newInstance() | ||
factory.newSAXParser().setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "") | ||
} catch (ex: SAXException) { | ||
throw GradleException( | ||
"""A plugin or custom build logic has included an insecure XML parser, which is not compatible for | ||
|dependency resolution with this version of Gradle. You can work around this issue by specifying | ||
|the SAXParserFactory to use or by updating any plugin that depends on an old XML parser version. | ||
| | ||
|Use ./gradlew buildEnvironment to check your build's plugin dependencies. | ||
| | ||
|For more details and a workaround see, | ||
|https://docs.gradle.org/8.4/userguide/upgrading_version_8.html#changes_8.4 | ||
|""".trimMargin() | ||
) | ||
} | ||
} | ||
} | ||
} |
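Review bot: The `catch (ex: SAXException)` clause in `requireSupportedSaxParser` only covers the `setProperty` call; `factory.newSAXParser()` declares `ParserConfigurationException`, which is not a `SAXException`, so a parser that fails at that step still surfaces as the raw stack trace this check was added to replace (and `SAXParserFactory.newInstance()` can throw `FactoryConfigurationError`, an `Error`, which nothing here catches — probably acceptable for a preflight probe, but worth a comment saying so). I would route `ParserConfigurationException` into the same `GradleException`, add `import javax.xml.parsers.ParserConfigurationException`, and pass `ex` as the cause so `--stacktrace` names the parser implementation that was actually discovered; including `factory.javaClass.name` in the message would show that without a stack trace. Separately, `isRestrictedInPatch` uses `<= GradleVersion.version("8.0")`, which admits 8.0 itself while excluding 8.0.1 and 8.0.2; if the intent is the 7.6.x line only, `< GradleVersion.version("8.0")` says so — please confirm against the upgrade notes linked in the message.
```kotlin
    if (isRestrictedInPatch || isRestrictedInMajor) {
      try {
        val factory = SAXParserFactory.newInstance()
        factory.newSAXParser().setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "")
      } catch (ex: ParserConfigurationException) {
        throw insecureParser(ex)
      } catch (ex: SAXException) {
        throw insecureParser(ex)
      }
    }
  }

  // Wraps the existing user-facing message, keeping the parser's own failure attached as the cause.
  private fun insecureParser(cause: Exception): GradleException {
    // … unchanged: the existing message text, assigned to `message` …
    return GradleException(message, cause)
  }
```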