| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
| |
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes a partial path traversal vulnerability.
Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.
To demonstrate this vulnerability, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.
It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/")` will print `/var/`;
however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity: Medium
CVSSS: 6.1
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.PartialPathTraversalVulnerability)
Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/13
Co-authored-by: Moderne <team@moderne.io>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before, the signature was:
void aboutToCompareClasspaths(
List oldClasspath, List newClasspath);
Now it is:
void aboutToCompareClasspaths(
List<String> oldClasspath, List<String> newClasspath);
AJDT will also use the typed version after generics refactoring.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
| |
This reverts commit 5288ef1c1c8be2df85e59740f41622f4cfb9d899.
|
|
|
|
|
|
|
| |
in order to show that the compiler options basically work. The test
cases are by no means exhaustive and simply verify that it works at all.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
| |
I am expecting the test case to pass, but other tests to fail. This
temporary commit is meant to create feedback from GitHub CI test runs.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
| |
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
| |
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
| |
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
| |
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|\
| |
| |
| |
| |
| | |
# Conflicts:
# tests/src/test/java/org/aspectj/systemtest/ajc198/Bugs198Tests.java
# tests/src/test/resources/org/aspectj/systemtest/ajc198/ajc198.xml
|
| |
| |
| |
| |
| |
| | |
Out of scope for PR #132, future work for issue #141.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
1. @AspectJ syntax, threads created inside advice code
2. @AspectJ syntax, submit runnable to thread pool
3. native syntax, threads created inside advice code
4. native syntax, submit runnable to thread pool
Scenarios 1, 3 and 4 are passing, while 2 is failing.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
| |
| |
| |
| |
| |
| | |
Relates to #128.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
| |
| |
| |
| | |
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
| |
| |
| |
| |
| |
| |
| |
| | |
After the Java 18 JDT Core upgrade, some LTW tests are failing and
have to be switched from in-process to full LTW mode due to them now
obviously calling some code paths which need '--add-opens'.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- JDT Core dependency in pom.xml
- Constants.java
- LangUtil.java
- AjcTask.java
- messages_aspectj.properties
- XMLBasedAjcTestCaseForJava17Only.java
- XMLBasedAjcTestCaseForJava18*.java
- tests/bugs199
- tests/features199
- JavaVersionCompatibility.md
- README-199.html
- GitHub CI build
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This test fails when run against AspectJ 1.9.8 with JDT Core 1.9.8.RC3.
It passes when using the latest JDT Core 1.9.9-SNAPSHOT. It sets system
property 'org.aspectj.weaver.openarchives=20', provoking open classpath
JAR file exhaustion when compiling a simple class with AJC, i.e. JARs
are being forcibly closed and automatically re-opened, as soon as they
are needed. Before the JDT Core bugfix, this test causes:
java.lang.NullPointerException
at ....compiler.batch.ClasspathJmod.getModulesDeclaringPackage
With the bugfix incorporated into AspectJ Tools, the problem is gone.
Note: New test dependency 'io.github.bmuskalla:scoped-system-properties'
helps to test compilation with the temporarily changed global system
property in isolation, saving the environment in a thread-local
variable and later cleanly restoring the original values again. If we
ever switch to parallel test execution, this would otherwise influence
other tests and potentially cause weird side effects. Better safe than
sorry.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
|
|
| |
They were accidentally stored in thw wrong test class, not just because
they are bug regression tests, not 1.9.8 features, but also because they
are meant to work on Java 5+, not on Java 17+ like the ones in
Ajc198TestsJava.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
|
|
| |
This fixes:
- negating annotation style if() pointcuts doesn't work
- annotation style if() pointcut not able to use a binding
that is not exposed
Fixes #120,#122
|
|
|
|
|
|
|
|
|
|
| |
The documentation specifies annotation style pointcuts
can use if(false) or if(true) and not require a boolean
return value and body for the @Pointcut annotated
method but it doesn't work without this change to validation
that recognizes the situation.
Fixes #115
|
|
|
|
|
|
| |
Relates to #68.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|\
| |
| | |
Trim trailing whitespaces.
|
| |
| |
| |
| |
| | |
Trailing whitespaces are useless. Most of code-styles forbids them. Most of editors always trim them on save.
I propose to clean up project from trailing whitespaces in all java files at once.
|
|\ \
| | |
| | | |
Replace uses of StringBuffer with StringBuilder.
|
| |/
| |
| |
| | |
StringBuffer is a legacy synchronized class. StringBuilder is a direct replacement to StringBuffer which generally have better performance.
|
| |
| |
| |
| | |
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|/
|
|
| |
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
| |
After JDT Core (ECJ) was updated to the final Java 17 feature set, the
tests now pass as expected.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Fix one fault sanity test configuration
- Deactivate Java 16 preview tests (no longer supported by Java 17
compiler)
- Test sealed classes as final on Java 17 (no longer preview)
- Add tests for JEP 406, pattern matching for switch (preview). At
present, the beta 17 branch of JDT Core does not handle the tested
features and expected compile errors correctly yet, so I had to
temporarily deactivate test execution, only printing TODO messages.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
| |
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
| |
Relates to #70
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
| |
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
| |
This was required by the Eclipse team as one precondition for the next
release.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to JEP 260 (Encapsulate Most Internal APIs), aspect weaving on
Java 16 now requires '--add-opens java.base/java.lang=ALL-UNNAMED' on
the command line. Otherwise there will be illegal access exceptions for
some internal API calls AspectJ needs, most prominently when trying to
define classes in other packages or modules.
This had to be done on several levels:
- Maven Surefire: running tests in a JVM directly forked by Surefire.
In order to make this backwards compatible, I added two profiles
with JDK-level-dependent auto-activation, one 8-15 and one 16+. In
the latter a property containing the JVM parameter is defined, in
the former it is empty, i.e. the JVM is started without the
parameter. In Java 8 the parameter did not even exist, in Java 9+ we
could use it, but we need to test how users use AspectJ.
- RunSpec: Whenever an XML test is declared to use '<run>', we need to
determine the current JVM version and again dynamically add the
parameter when forking the target JVM.
- AntSpec: Whenever an XML test is declared to use '<ant>', we need to
determine the current JVM version dynamically add two properties
usable from within Ant scripts: 'aj.addOpensKey' and
'aj.addOpensValue'. Unfortunately, Ant needs to use two '<argLine>'
parameters, because the two parts of the option are separated by a
space character.
- Ant scripts: When triggered by an AntSpec, each Ant target using LTW
needs to manually set
<jvmarg value="${aj.addOpensKey}"/>
<jvmarg value="${aj.addOpensValue}"/>
for each '<java>' task. It was quite tedious to find all(?) of them.
TODO: In the AspectJ 1.9.7 release notes we need to document that this
parameter is now needed for LTW.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before Java 16, JDK proxies were given a virtual package name of
'com.sun.proxy'. Now the packages are numbered 'jdk.proxy[n]', i.e.
'jdk.proxy1', 'jdk.proxy2' etc. This makes the package-name-derived path
name here less predictable. In our simple runtime scenario, we can be
pretty sure than the counter starts at 1 because it is the first and
only proxy we create.
TODO: A better solution would be a recursive filtered search via
Files.walk, ideally added as a recursive search option for
CountingFilenameFilter.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
| |
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Test all features which were preview in 14+15 and are now final in 16,
compiling them with language level 16.
- For Java 15 we only have sanity tests (and of course the Java <14
tests), compiling Java 16 features to target 15 does not seem to work.
- Test remaining Java 16 preview feature (sealed classes).
- Instead of overriding runTest(String) in several base classes like
XMLBasedAjcTestCaseForJava*Only or XMLBasedAjcTestCaseForJava*OrLater,
we now override setUp() from JUnit's TestCase base class. This will
run before runTest(String) and make the tests fail much faster, if a
user tries to run them on the wrong VM.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
|
|
|
|
| |
It failed with "RuntimeException: I never heard about what kind of build
it was!!" on my (@kriegaex) Windows machine, mostly because in case of a
failing full build the corresponding status is never set.
TODO: Ensure that 'MyStateListener.informedAboutKindOfBuild' is set for
failed builds, too.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
| |
Also fix some minor details in Java 14 suite
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These tests need a Java 14 level AspectJ compiler, because they use
version-specific preview features. This compiler has been upgraded
to a Java 15 compliant JDT Core already, i.e. it does not support
preview features of a previous version anymore.
An error message similar to the above explanation will appear when
trying to run any XMLBasedAjcTestCaseForJava14Only subclass, such as
Ajc196PreviewFeaturesTests (currently the only one).
When running AllTestsAspectJ196, Ajc196PreviewFeaturesTests will not be
added to the test suite anymore.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
|
| |
- Java 14 feature sample classes moved from 'bugs' to 'features'
- One test case using a Java 14 preview feature was moved to the
Java 14-only tests
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
|
|
| |
Getting rid of XML includes and two superfluous files, merging them with
their respective including counterparts. As far as I can see, the two
test suites are not part of the automatic build process, but can be
started manually as easily as any other test (suite) now.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
|
|
|
|
| |
Some Ajc196 tests are using preview features (see .../ajc196.xml), i.e.
they will fail on Java 15+ because code compiled with '--enable-preview'
can only run on the same JVM version, not on a more recent one. Hence,
the preview-using tests are now being excluded in order to make the
build run on Java 15, even though no Java 15 features are present in the
current 1.9.7 snapshot.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
| |
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
|
|
|
|
|
|
| |
Do not assume a certain element order for tree nodes if there can be
more than one.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
|
| |
|
|\ |
|
| | |
|
| | |
|