Fix #366085 concerning declared annotations with source retention
See https://bugs.eclipse.org/bugs/show_bug.cgi?id=366085.
See https://stackoverflow.com/q/74618269/1082681.
The issue described in the Bugzilla issue is about 'declare @type', but
similar issues also existed for 'declare @field', 'declare @method',
'declare @constructor'. This fix is rather superficial and leaves
things to be desired, because it is rather hacky and simply ignores
errors source retention annotation declarations during weaving. A better
fix would drop the corresponding declarations while parsing and also
issue compiler warnings in each case.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
OutputSpec.matchesThisVm better supports version ranges
vmVersionRanges might be a single version like "9", a list of versions
like "1.2,1.3,1.4,1.5", an equivalent range of "1.2-1.5", an open range
like "-1.8", "9-" (equivalent to "9+") or a more complex list of ranges
like "-1.6,9-11,13-14,17-" or "8,11,16+".
Empty ranges like in "", " ", "8,,14", ",5", "6-," will be ignored.
I.e., they will not yield a positive match.
Bogus ranges like "9-11-14" will be ignored, too.
Existing XML test specs using '<line text="..." vm="v,v2,...,vn"/>
have been adjusted to use version ranges rather than long lists of
consecutive versions. Furthermore, ranges with a trailing '+' like '14+'
were replaced by using the new canonical format '14-', even though the
parser still correctly recognises '14+'.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
For now, only the "pattern matching for switch" tests from previews 1
and 2 were adjusted to work in preview 3, because guarded patterns were
replaced by 'when' clauses in 'switch' blocks. Therefore, existing test
classes did not compile anymore and had to be replaced by syntactically
upgraded versions with content merged from preview 1 and 2 classes.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Firstly, Batik is not needed for running AspectJ tests.
Secondly, the fixed Windows path separators led to GitHub CI/CD tests
failing under Java 18+ on GitHub. Replacing ';' by 'File.pathSeparator'
would have fixed the problem, but removing the paths altogether is the
cleaner solution.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
This fixes a partial path traversal vulnerability.
Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.
To demonstrate this vulnerability, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.
It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/")` will print `/var/`;
however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity: Medium
CVSSS: 6.1
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.PartialPathTraversalVulnerability)
Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/13
Co-authored-by: Moderne <team@moderne.io>
Make IStateListener.aboutToCompareClasspaths use typed lists
Before, the signature was:
void aboutToCompareClasspaths(
List oldClasspath, List newClasspath);
Now it is:
void aboutToCompareClasspaths(
List<String> oldClasspath, List<String> newClasspath);
AJDT will also use the typed version after generics refactoring.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
POM bug: separate jvm.arg.allowSecurityManager from jvm.arg.addOpens
Before, this was in a single variable, and for JDK 18+, the security
manager setting also falsely overwrote the '--add-opens' command. This
was the root cause for a few dozen LTW tests to fail on JDK 18, if they
were not run in full LTW mode, i.e. in a separate JVM.
After this fix, it should be possible to revert the corresponding
commits, at least their non-cosmetic parts.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Add some smoke test cases for '--add-reads' and '--add-modules'
in order to show that the compiler options basically work. The test
cases are by no means exhaustive and simply verify that it works at all.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Add test case + experimental fix for AJC option '--add-exports'
I am expecting the test case to pass, but other tests to fail. This
temporary commit is meant to create feedback from GitHub CI test runs.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Name annotation vs native style aspects uniformly in github_128 tests
Trying to find the difference between byte code generated by AJC for
functionally identical annotation vs native style aspect, I move the
aspects into subdirectories in order to be able to name them
identically. This way, when decompiling them with javap or Fernflower it
is easier to diff them later.
Why the decompilation? Because for the thread pool testing scenario
native syntax passes while annotation syntax fails. I.e., we need to
find the difference. That can be done by reading source code, if you
know where to look, or by starting with reverse engineering in order to
first understand more and look at the code later.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Expand "asynchronous proceed for nested around-advice" to 4 scenarios:
1. @AspectJ syntax, threads created inside advice code
2. @AspectJ syntax, submit runnable to thread pool
3. native syntax, threads created inside advice code
4. native syntax, submit runnable to thread pool
Scenarios 1, 3 and 4 are passing, while 2 is failing.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
AtAjLTWTests: 4 test cases switched to 'useFullLTW' mode
After the Java 18 JDT Core upgrade, some LTW tests are failing and
have to be switched from in-process to full LTW mode due to them now
obviously calling some code paths which need '--add-opens'.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Regression test for #125: Bugs198Tests.testGitHub_125
This test fails when run against AspectJ 1.9.8 with JDT Core 1.9.8.RC3.
It passes when using the latest JDT Core 1.9.9-SNAPSHOT. It sets system
property 'org.aspectj.weaver.openarchives=20', provoking open classpath
JAR file exhaustion when compiling a simple class with AJC, i.e. JARs
are being forcibly closed and automatically re-opened, as soon as they
are needed. Before the JDT Core bugfix, this test causes:
java.lang.NullPointerException
at ....compiler.batch.ClasspathJmod.getModulesDeclaringPackage
With the bugfix incorporated into AspectJ Tools, the problem is gone.
Note: New test dependency 'io.github.bmuskalla:scoped-system-properties'
helps to test compilation with the temporarily changed global system
property in isolation, saving the environment in a thread-local
variable and later cleanly restoring the original values again. If we
ever switch to parallel test execution, this would otherwise influence
other tests and potentially cause weird side effects. Better safe than
sorry.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Move some tests from Ajc198TestsJava to Bugs198Tests
They were accidentally stored in thw wrong test class, not just because
they are bug regression tests, not 1.9.8 features, but also because they
are meant to work on Java 5+, not on Java 17+ like the ones in
Ajc198TestsJava.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
This fixes:
- negating annotation style if() pointcuts doesn't work
- annotation style if() pointcut not able to use a binding
that is not exposed
Fixes #120,#122
Fix annotation style support for if(true) and if(false)
The documentation specifies annotation style pointcuts
can use if(false) or if(true) and not require a boolean
return value and body for the @Pointcut annotated
method but it doesn't work without this change to validation
that recognizes the situation.
Fixes #115
Trailing whitespaces are useless. Most of code-styles forbids them. Most of editors always trim them on save.
I propose to clean up project from trailing whitespaces in all java files at once.
Alexander Kriegisch
Jonathan Leitschuh
Andy Clement
Andrey Turbanov