File gradle-CVE-2019-15052.patch of Package gradle.35463
--- gradle-4.4.1/subprojects/build-cache-http/src/main/java/org/gradle/caching/http/internal/DefaultHttpBuildCacheServiceFactory.java 2024-03-26 07:40:41.413892314 +0100
+++ gradle-4.4.1/subprojects/build-cache-http/src/main/java/org/gradle/caching/http/internal/DefaultHttpBuildCacheServiceFactory.java 2024-03-26 08:16:01.318058239 +0100
@@ -64,6 +64,7 @@
if (credentialsPresent(credentials)) {
DefaultBasicAuthentication basicAuthentication = new DefaultBasicAuthentication("basic");
basicAuthentication.setCredentials(credentials);
+ basicAuthentication.addHost(url.getHost(), url.getPort());
authentications = Collections.<Authentication>singleton(basicAuthentication);
}
--- gradle-4.4.1/subprojects/core/src/main/java/org/gradle/internal/authentication/AbstractAuthentication.java 2024-03-26 07:40:40.987222689 +0100
+++ gradle-4.4.1/subprojects/core/src/main/java/org/gradle/internal/authentication/AbstractAuthentication.java 2024-03-26 08:11:51.403094079 +0100
@@ -16,9 +16,14 @@
package org.gradle.internal.authentication;
+import com.google.common.collect.Sets;
import org.gradle.api.credentials.Credentials;
import org.gradle.authentication.Authentication;
+import java.util.Collection;
+import java.util.Objects;
+import java.util.Set;
+
public abstract class AbstractAuthentication implements AuthenticationInternal {
private final String name;
private final Class<? extends Credentials> supportedCredentialType;
@@ -23,18 +28,20 @@
private final String name;
private final Class<? extends Credentials> supportedCredentialType;
private final Class<? extends Authentication> type;
+
private Credentials credentials;
+ private final Set<HostAndPort> hosts;
+
public AbstractAuthentication(String name, Class<? extends Authentication> type) {
- this.name = name;
- this.supportedCredentialType = null;
- this.type = type;
+ this(name, type, null);
}
public AbstractAuthentication(String name, Class<? extends Authentication> type, Class<? extends Credentials> supportedCredential) {
this.name = name;
this.supportedCredentialType = supportedCredential;
this.type = type;
+ this.hosts = Sets.newHashSet();
}
@Override
@@ -66,4 +73,54 @@
public String toString() {
return String.format("'%s'(%s)", getName(), getType().getSimpleName());
}
+
+
+ @Override
+ public Collection<HostAndPort> getHostsForAuthentication() {
+ return hosts;
+ }
+
+
+ @Override
+ public void addHost(String host, int port) {
+ hosts.add(new DefaultHostAndPort(host, port));
+ }
+
+ private static class DefaultHostAndPort implements HostAndPort {
+ private final String host;
+ private final int port;
+
+ DefaultHostAndPort(String host, int port) {
+ this.host = host;
+ this.port = port;
+ }
+
+ @Override
+ public String getHost() {
+ return host;
+ }
+
+ @Override
+ public int getPort() {
+ return port;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ DefaultHostAndPort that = (DefaultHostAndPort) o;
+ return getPort() == that.getPort() &&
+ Objects.equals(getHost(), that.getHost());
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(getHost(), getPort());
+ }
+ }
}
--- gradle-4.4.1/subprojects/core/src/main/java/org/gradle/internal/authentication/AuthenticationInternal.java 2024-03-26 07:40:40.987222689 +0100
+++ gradle-4.4.1/subprojects/core/src/main/java/org/gradle/internal/authentication/AuthenticationInternal.java 2024-03-26 08:11:51.403094079 +0100
@@ -20,6 +20,8 @@
import org.gradle.api.credentials.Credentials;
import org.gradle.authentication.Authentication;
+import java.util.Collection;
+
@NonExtensible
public interface AuthenticationInternal extends Authentication {
boolean supports(Credentials credentials);
@@ -31,4 +33,25 @@
Class<? extends Authentication> getType();
boolean requiresCredentials();
+
+ void addHost(String host, int port);
+
+ Collection<HostAndPort> getHostsForAuthentication();
+
+ interface HostAndPort {
+
+ /**
+ * The hostname that the credentials are required for.
+ *
+ * null means "any host"
+ */
+ String getHost();
+
+ /**
+ * The port that the credentials are required for
+ *
+ * -1 means "any port"
+ */
+ int getPort();
+ }
}
--- gradle-4.4.1/subprojects/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/AbstractAuthenticationSupportedRepository.java 2024-03-26 07:40:40.453885657 +0100
+++ gradle-4.4.1/subprojects/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/AbstractAuthenticationSupportedRepository.java 2024-03-26 09:28:23.666252731 +0100
@@ -21,10 +21,13 @@
import org.gradle.api.credentials.Credentials;
import org.gradle.authentication.Authentication;
import org.gradle.internal.artifacts.repositories.AuthenticationSupportedInternal;
+import org.gradle.internal.authentication.AuthenticationInternal;
import org.gradle.internal.reflect.Instantiator;
import javax.annotation.Nullable;
+import java.net.URI;
import java.util.Collection;
+import java.util.Collections;
public abstract class AbstractAuthenticationSupportedRepository extends AbstractArtifactRepository implements AuthenticationSupportedInternal {
private final AuthenticationSupporter delegate;
@@ -76,6 +79,21 @@
@Override
public Collection<Authentication> getConfiguredAuthentication() {
- return delegate.getConfiguredAuthentication();
+ Collection<Authentication> configuredAuthentication = delegate.getConfiguredAuthentication();
+
+ for (Authentication authentication : configuredAuthentication) {
+ AuthenticationInternal authenticationInternal = (AuthenticationInternal) authentication;
+ for (URI repositoryUrl : getRepositoryUrls()) {
+ // only care about HTTP hosts right now
+ if (repositoryUrl.getScheme().startsWith("http")) {
+ authenticationInternal.addHost(repositoryUrl.getHost(), repositoryUrl.getPort());
+ }
+ }
+ }
+ return configuredAuthentication;
+ }
+
+ protected Collection<URI> getRepositoryUrls() {
+ return Collections.emptyList();
}
}
--- gradle-4.4.1/subprojects/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/DefaultIvyArtifactRepository.java 2024-03-26 07:40:40.453885657 +0100
+++ gradle-4.4.1/subprojects/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/DefaultIvyArtifactRepository.java 2024-03-26 09:32:04.764408347 +0100
@@ -15,6 +15,7 @@
*/
package org.gradle.api.internal.artifacts.repositories;
+import com.google.common.collect.ImmutableList;
import groovy.lang.Closure;
import org.gradle.api.Action;
import org.gradle.api.ActionConfiguration;
@@ -54,6 +55,7 @@
import org.gradle.util.ConfigureUtil;
import java.net.URI;
+import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.Set;
@@ -189,6 +191,31 @@
return baseUrl == null ? null : fileResolver.resolveUri(baseUrl);
}
+
+ @Override
+ protected Collection<URI> getRepositoryUrls() {
+ // Ivy can resolve files from multiple hosts, so we need to look at all
+ // of the possible URLs used by the Ivy resolver to identify all of the repositories
+ ImmutableList.Builder<URI> builder = ImmutableList.builder();
+ URI root = getUrl();
+ if (root != null) {
+ builder.add(root);
+ }
+ for (String pattern : additionalPatternsLayout.artifactPatterns) {
+ URI baseUri = new ResolvedPattern(pattern, fileResolver).baseUri;
+ if (baseUri!=null) {
+ builder.add(baseUri);
+ }
+ }
+ for (String pattern : additionalPatternsLayout.ivyPatterns) {
+ URI baseUri = new ResolvedPattern(pattern, fileResolver).baseUri;
+ if (baseUri!=null) {
+ builder.add(baseUri);
+ }
+ }
+ return builder.build();
+ }
+
@Override
public void setUrl(URI url) {
baseUrl = url;
--- gradle-4.4.1/subprojects/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/DefaultMavenArtifactRepository.java 2024-03-26 07:40:40.453885657 +0100
+++ gradle-4.4.1/subprojects/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/DefaultMavenArtifactRepository.java 2024-03-26 09:31:17.924088427 +0100
@@ -15,12 +15,14 @@
*/
package org.gradle.api.internal.artifacts.repositories;
+import com.google.common.collect.ImmutableList;
import com.google.common.collect.Lists;
import org.gradle.api.InvalidUserDataException;
import org.gradle.api.Transformer;
import org.gradle.api.artifacts.repositories.AuthenticationContainer;
import org.gradle.api.artifacts.repositories.MavenArtifactRepository;
import org.gradle.api.internal.ExperimentalFeatures;
+import org.gradle.api.internal.InstantiatorFactory;
import org.gradle.api.internal.artifacts.ImmutableModuleIdentifierFactory;
import org.gradle.api.internal.artifacts.ModuleVersionPublisher;
import org.gradle.api.internal.artifacts.ivyservice.ivyresolve.ConfiguredModuleComponentRepository;
@@ -40,6 +42,7 @@
import java.net.URI;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
@@ -152,6 +155,18 @@
return createRealResolver();
}
+ @Override
+ protected Collection<URI> getRepositoryUrls() {
+ // In a similar way to Ivy, Maven may use other hosts for additional artifacts, but not POMs
+ ImmutableList.Builder<URI> builder = ImmutableList.builder();
+ URI root = getUrl();
+ if (root != null) {
+ builder.add(root);
+ }
+ builder.addAll(getArtifactUrls());
+ return builder.build();
+ }
+
protected MavenResolver createRealResolver() {
URI rootUri = getUrl();
if (rootUri == null) {
--- gradle-4.4.1/subprojects/resources-http/src/main/java/org/gradle/internal/resource/transport/http/HttpClientConfigurer.java 2024-03-26 07:40:41.393892176 +0100
+++ gradle-4.4.1/subprojects/resources-http/src/main/java/org/gradle/internal/resource/transport/http/HttpClientConfigurer.java 2024-03-26 09:15:06.421058834 +0100
@@ -117,7 +117,7 @@
private void configureCredentials(HttpClientBuilder builder, CredentialsProvider credentialsProvider, Collection<Authentication> authentications) {
if(authentications.size() > 0) {
- useCredentials(credentialsProvider, AuthScope.ANY_HOST, AuthScope.ANY_PORT, authentications);
+ useCredentials(credentialsProvider, authentications);
// Use preemptive authorisation if no other authorisation has been established
builder.addInterceptorFirst(new PreemptiveAuth(new BasicScheme(), isPreemptiveEnabled(authentications)));
@@ -131,31 +131,49 @@
for (HttpProxySettings.HttpProxy proxy : Lists.newArrayList(httpProxy, httpsProxy)) {
if (proxy != null) {
if (proxy.credentials != null) {
- useCredentials(credentialsProvider, proxy.host, proxy.port, Collections.singleton(new AllSchemesAuthentication(proxy.credentials)));
+ AllSchemesAuthentication authentication = new AllSchemesAuthentication(proxy.credentials);
+ authentication.addHost(proxy.host, proxy.port);
+ useCredentials(credentialsProvider, Collections.singleton(authentication));
}
}
}
builder.setRoutePlanner(new SystemDefaultRoutePlanner(ProxySelector.getDefault()));
}
- private void useCredentials(CredentialsProvider credentialsProvider, String host, int port, Collection<? extends Authentication> authentications) {
- Credentials httpCredentials;
-
+ private void useCredentials(CredentialsProvider credentialsProvider, Collection<? extends Authentication> authentications) {
for (Authentication authentication : authentications) {
+ AuthenticationInternal authenticationInternal = (AuthenticationInternal) authentication;
+
String scheme = getAuthScheme(authentication);
- PasswordCredentials credentials = getPasswordCredentials(authentication);
+ org.gradle.api.credentials.Credentials credentials = authenticationInternal.getCredentials();
+
+ Collection<AuthenticationInternal.HostAndPort> hostsForAuthentication = authenticationInternal.getHostsForAuthentication();
+ assert !hostsForAuthentication.isEmpty() : "Credentials and authentication required for a HTTP repository, but no hosts were defined for the authentication?";
+
+ for (AuthenticationInternal.HostAndPort hostAndPort : hostsForAuthentication) {
+ String host = hostAndPort.getHost();
+ int port = hostAndPort.getPort();
+
+ assert host != null : "HTTP credentials and authentication require a host scope to be defined as well";
+
+ if (credentials instanceof PasswordCredentials) {
+ PasswordCredentials passwordCredentials = (PasswordCredentials) credentials;
if (authentication instanceof AllSchemesAuthentication) {
- NTLMCredentials ntlmCredentials = new NTLMCredentials(credentials);
- httpCredentials = new NTCredentials(ntlmCredentials.getUsername(), ntlmCredentials.getPassword(), ntlmCredentials.getWorkstation(), ntlmCredentials.getDomain());
+ NTLMCredentials ntlmCredentials = new NTLMCredentials(passwordCredentials);
+ Credentials httpCredentials = new NTCredentials(ntlmCredentials.getUsername(), ntlmCredentials.getPassword(), ntlmCredentials.getWorkstation(), ntlmCredentials.getDomain());
credentialsProvider.setCredentials(new AuthScope(host, port, AuthScope.ANY_REALM, AuthSchemes.NTLM), httpCredentials);
- LOGGER.debug("Using {} and {} for authenticating against '{}:{}' using {}", credentials, ntlmCredentials, host, port, AuthSchemes.NTLM);
+ LOGGER.debug("Using {} and {} for authenticating against '{}:{}' using {}", passwordCredentials, ntlmCredentials, host, port, AuthSchemes.NTLM);
}
- httpCredentials = new UsernamePasswordCredentials(credentials.getUsername(), credentials.getPassword());
+ Credentials httpCredentials = new UsernamePasswordCredentials(passwordCredentials.getUsername(), passwordCredentials.getPassword());
credentialsProvider.setCredentials(new AuthScope(host, port, AuthScope.ANY_REALM, scheme), httpCredentials);
- LOGGER.debug("Using {} for authenticating against '{}:{}' using {}", credentials, host, port, scheme);
+ LOGGER.debug("Using {} for authenticating against '{}:{}' using {}", passwordCredentials, host, port, scheme);
+ } else {
+ throw new IllegalArgumentException(String.format("Credentials must be an instance of: %s", PasswordCredentials.class.getCanonicalName()));
+ }
+ }
}
}
@@ -256,11 +274,10 @@
CredentialsProvider credentialsProvider = (CredentialsProvider) context.getAttribute(HttpClientContext.CREDS_PROVIDER);
HttpHost targetHost = (HttpHost) context.getAttribute(HttpCoreContext.HTTP_TARGET_HOST);
Credentials credentials = credentialsProvider.getCredentials(new AuthScope(targetHost.getHostName(), targetHost.getPort()));
- if (credentials == null) {
- throw new HttpException("No credentials for preemptive authentication");
- }
+ if (credentials != null) {
authState.update(authScheme, credentials);
}
}
}
+ }
}
