Check if wrapper matches the version specified in properties #142

Open
hfhbd opened this issue Aug 20, 2023 · 1 comment

hfhbd commented Aug 20, 2023

You could update the Gradle version in the properties but forget to update the wrapper too.

This could also be a (theoretical) security risk, by checking in a valid but outdated wrapper which could have vulnerabilities.

mikepenz added a commit to mikepenz/wrapper-validation-action that referenced this issue Aug 24, 2023
…detected versions

  - version is detected from `gradle-wrapper.properties`
  - checksum is only fetched for these particular versions
- FIX gradle#96

While not specifically targeted, this also
- RESOLVES gradle#142

May enable gradle#35
Contributor

Marcono1234 commented Nov 7, 2023

I assume this also has another security advantage: Currently the checksum is allowed to match any of the checksums of the 200+[1] versions. This likely makes it easier (but it is still difficult) to create a malicious JAR which has a hash collision with any of the 200+ possible checksums than to cause a hash collision with a single checksum.

Footnotes

  1. Maybe that number is too high, since multiple versions might use the same wrapper version.
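
The check discussed in this issue, as an added example that is not the action's own code: the version is read from `distributionUrl` in `gradle-wrapper.properties`, and the wrapper JAR's SHA-256 must match the checksum for that version rather than any known one. All function names and the checksum table are hypothetical, the digests are constructed placeholders (not real Gradle checksums), and the caller is assumed to have already hashed the JAR.

```javascript
// Constructed sample data: placeholder digests, NOT real Gradle wrapper checksums.
const KNOWN_WRAPPER_CHECKSUMS = new Map([
  ['8.1', 'a'.repeat(64)],
  ['8.2', 'b'.repeat(64)],
  ['8.3', 'b'.repeat(64)], // several versions can ship the same wrapper JAR
]);

// Constructed gradle-wrapper.properties content.
const SAMPLE_PROPERTIES = [
  '# constructed sample',
  'distributionBase=GRADLE_USER_HOME',
  'distributionUrl=https\\://services.gradle.org/distributions/gradle-8.3-bin.zip',
].join('\n');

// Extract the Gradle version from the distributionUrl entry, or null if absent.
function detectVersion(propertiesText) {
  for (const raw of propertiesText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith('#') || line.startsWith('!')) continue; // comments
    const entry = /^distributionUrl\s*[=:]\s*(.*)$/.exec(line);
    if (!entry) continue;
    const url = entry[1].replace(/\\(.)/g, '$1'); // undo escapes such as "https\://"
    const version = /\/gradle-(.+)-(?:bin|all)\.zip$/.exec(url);
    return version ? version[1] : null;
  }
  return null;
}

// Loose check: the JAR digest matches the wrapper of any known version.
function matchesAnyKnownVersion(jarSha256) {
  return [...KNOWN_WRAPPER_CHECKSUMS.values()].includes(jarSha256.toLowerCase());
}

// Pinned check: the JAR digest must match the wrapper of the configured version.
function validateWrapper(propertiesText, jarSha256) {
  const digest = jarSha256.toLowerCase();
  const version = detectVersion(propertiesText);
  if (version === null) return { status: 'no-version', version };
  const expected = KNOWN_WRAPPER_CHECKSUMS.get(version);
  if (expected === undefined) return { status: 'unknown-version', version };
  if (digest === expected) return { status: 'ok', version };
  // Valid wrapper, but of other versions: the stale-wrapper case from this issue.
  const matched = [...KNOWN_WRAPPER_CHECKSUMS]
    .filter(([, sum]) => sum === digest)
    .map(([v]) => v);
  return matched.length > 0
    ? { status: 'version-mismatch', version, matched }
    : { status: 'unknown-jar', version };
}
```

With the sample properties pinned to 8.3, the placeholder digest for 8.1 passes `matchesAnyKnownVersion` but is reported as `version-mismatch` by `validateWrapper`.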

mikepenz added a commit to mikepenz/wrapper-validation-action that referenced this issue Jan 25, 2024
…detected versions

  - version is detected from `gradle-wrapper.properties`
  - checksum is only fetched for these particular versions
- FIX gradle#96

While not specifically targeted, this also
- RESOLVES gradle#142

May enable gradle#35
mikepenz added a commit to mikepenz/wrapper-validation-action that referenced this issue Jan 30, 2024
…detected versions

  - version is detected from `gradle-wrapper.properties`
  - checksum is only fetched for these particular versions
- FIX gradle#96

While not specifically targeted, this also
- RESOLVES gradle#142

May enable gradle#35