Add docs/dist/LICENSE-AspectJ.html to all public artifacts
The license file will be included right in the main directory of both
binary and source artifacts for
- AspectJ Matcher,
- AspectJ Runtime,
- AspectJ Weaver,
- AspectJ Tools (Compiler),
- AspectJ Installer.
Fixes #185.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
This fixes a partial path traversal vulnerability.
Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.
To demonstrate this vulnerability, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.
It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/")` will print `/var/`;
however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity: Medium
CVSSS: 6.1
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.PartialPathTraversalVulnerability)
Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/13
In order to create the docs separately, running just a single module,
add 'install' to the previous build step, so the 'docs' module can find
the 'lib' dummy JAR in the local Maven repo.
Relates to #150.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
I have not used those directories or any files inside them at all. I
hope I am not taking away anything helpful from people who prefer
working with inter-linked Eclipse projects instead of Maven, but I think
we will notice if anyone complains and can revert in case of an
emergency.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Remove Aspectj.dev artifact and plugin repositories
After having removed the custom-built Maven Shade version, there should
be no more references to artifacts in that repository left. Let us see
if the build passes.
Furthermore, since being a committer, I can also attach AspectJ
installers to GitHub releases.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Bump Maven Shade Plugin to 3.3.0, add TODO to remove Flatten Maven Plugin
Fixed issues of concern include MSHADE-252, MSHADE-396, MSHADE-391.
TODO: MSHADE-36 is in Maven Shade 3.3.0 -> it should be possible to
include the dependency-reduced POM there directly. So maybe, we can rid
of Flatten Maven Plugin.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
POM bug: separate jvm.arg.allowSecurityManager from jvm.arg.addOpens
Before, this was in a single variable, and for JDK 18+, the security
manager setting also falsely overwrote the '--add-opens' command. This
was the root cause for a few dozen LTW tests to fail on JDK 18, if they
were not run in full LTW mode, i.e. in a separate JVM.
After this fix, it should be possible to revert the corresponding
commits, at least their non-cosmetic parts.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
AjcTestCase: be less verbose when appending to buffer repeatedly
Also put 'else (if)' and 'finally' on new lines rather than after the
preceding closing curly braces. This helps IDEs when using code folding
(show/hide content of code blocks enclosed in curly braces).
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Use upstream method to generate '--add-reads', '--add-exports' info
and copy it into our FileSystem instance. In order to be able to access
JDT Core's FileSystem.moduleUpdates field, we had to make it public
there first.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
At present, no tests are failing without those resources, but for good
measure, I added them anyway, because then the same path could in the
future also be used for stand-alone compilation tests which are not
triggered in-process via AJDT interface but, not unlike "full LTW"
test execution mode, in a separate JVM.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Name annotation vs native style aspects uniformly in github_128 tests
Trying to find the difference between byte code generated by AJC for
functionally identical annotation vs native style aspect, I move the
aspects into subdirectories in order to be able to name them
identically. This way, when decompiling them with javap or Fernflower it
is easier to diff them later.
Why the decompilation? Because for the thread pool testing scenario
native syntax passes while annotation syntax fails. I.e., we need to
find the difference. That can be done by reading source code, if you
know where to look, or by starting with reverse engineering in order to
first understand more and look at the code later.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Make Stack<AroundClosure> in JoinPointImpl InheritableThreadLocal
In case of asynchronous proceeding for nested around-advice, child
threads need copies of the original around-closure stack. Otherwise, the
target method thread will have popped the stack empty after unwinding.
Fixes #128.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Make sure that program arguments are passed through in full LTW mode
This fixes e.g. LTWTests.testDeclareAbstractAspect, which passes on
names of ITD methods to the test program, which in turn executes those
methods via reflection.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
AtAjLTWTests: 4 test cases switched to 'useFullLTW' mode
After the Java 18 JDT Core upgrade, some LTW tests are failing and
have to be switched from in-process to full LTW mode due to them now
obviously calling some code paths which need '--add-opens'.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
It was referring to a no longer existent weaver under
aj-build/dist/tools/lib/aspectjweaver.jar, which now has been replaced
by the new file lib/aspectj/lib/aspectjweaver.jar.
Several tests were broken, not finding the agent. But because those
tests make no assertions, nobody ever noticed. Only when I had to change
some LTW tests from in-process to full LTW mode (see next commit) due to
them now obviously calling some code paths which need '--add-opens', I
even noticed the problem.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Bump actions/setup-java from 1 to 3, use Temurin, drop Java 14
Adopt OpenJDK moved to Eclipse Temurin and is no longer updated. Temurin
builds for JDK 14 are however not available. Therefore, we drop the JDK
14 CI build.
Bumps [actions/setup-java](https://github.com/actions/setup-java) from 1 to 3.
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](https://github.com/actions/setup-java/compare/v1...v3)
Otherwise, Dependabot would run builds whenever something is pushed on
master and it rebases its PR. It is still possible to just click on the
skipped workflow in the PR and then issue "re-run all jobs" in order to
perform a build.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
It will create PRs for Maven and GitHub action updates. Of course, we
cannot simply merge the PRs, because Dependabot has not singed an
Eclipse CLA, but at least we know about updates and how they affect the
build result. Then we can decide to clone the changes and commit them
manually.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Regression test for #125: Bugs198Tests.testGitHub_125
This test fails when run against AspectJ 1.9.8 with JDT Core 1.9.8.RC3.
It passes when using the latest JDT Core 1.9.9-SNAPSHOT. It sets system
property 'org.aspectj.weaver.openarchives=20', provoking open classpath
JAR file exhaustion when compiling a simple class with AJC, i.e. JARs
are being forcibly closed and automatically re-opened, as soon as they
are needed. Before the JDT Core bugfix, this test causes:
java.lang.NullPointerException
at ....compiler.batch.ClasspathJmod.getModulesDeclaringPackage
With the bugfix incorporated into AspectJ Tools, the problem is gone.
Note: New test dependency 'io.github.bmuskalla:scoped-system-properties'
helps to test compilation with the temporarily changed global system
property in isolation, saving the environment in a thread-local
variable and later cleanly restoring the original values again. If we
ever switch to parallel test execution, this would otherwise influence
other tests and potentially cause weird side effects. Better safe than
sorry.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Move some tests from Ajc198TestsJava to Bugs198Tests
They were accidentally stored in thw wrong test class, not just because
they are bug regression tests, not 1.9.8 features, but also because they
are meant to work on Java 5+, not on Java 17+ like the ones in
Ajc198TestsJava.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
projects / aspectj.git / log