Add docs/dist/LICENSE-AspectJ.html to all public artifacts
The license file will be included right in the main directory of both
binary and source artifacts for
- AspectJ Matcher,
- AspectJ Runtime,
- AspectJ Weaver,
- AspectJ Tools (Compiler),
- AspectJ Installer.
Fixes #185.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
This fixes a partial path traversal vulnerability.
Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.
To demonstrate this vulnerability, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.
It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/"))` will print `/var/`;
however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity: Medium
CVSS: 6.1
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.PartialPathTraversalVulnerability)
Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/13
Co-authored-by: Moderne <team@moderne.io>
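The two containment checks the commit message contrasts, side by side, as an added example that is not part of the AspectJ code base or of the fix itself. The method names and the `/usr/out` and `/usr/outnot` paths are the commit's own illustration; nothing here needs those directories to exist, since `getCanonicalPath()` only normalizes the path and resolves whatever symbolic links happen to be present.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

/**
 * Added example (not AspectJ's own code): shows why a String prefix test on
 * canonical paths admits a sibling directory, and why the Path-based test
 * the commit introduces does not.
 */
public class PathContainmentCheck {

    /**
     * The replaced check: a plain text prefix comparison of canonical paths.
     * "/usr/outnot" starts with "/usr/out" as a String, so this accepts it.
     */
    static boolean isUnderStringPrefix(File dir, File parent) throws IOException {
        return dir.getCanonicalPath().startsWith(parent.getCanonicalPath());
    }

    /**
     * The replacement check: Path.startsWith compares whole name elements,
     * so "/usr/outnot" is not considered to be under "/usr/out".
     */
    static boolean isUnderPath(File dir, File parent) throws IOException {
        Path child = dir.getCanonicalFile().toPath();
        Path base = parent.getCanonicalFile().toPath();
        return child.startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        File parent = new File("/usr/out");           // the restricted directory
        File sibling = new File("/usr/outnot");       // shares a name prefix only
        File child = new File(parent, "sub");         // genuinely inside parent
        File escaped = new File(parent, "../outnot"); // '..' segment, canonicalised away

        System.out.println("String prefix check:");
        System.out.println("  child    -> " + isUnderStringPrefix(child, parent));   // true
        System.out.println("  sibling  -> " + isUnderStringPrefix(sibling, parent)); // true  (wrongly accepted)
        System.out.println("  escaped  -> " + isUnderStringPrefix(escaped, parent)); // true  (wrongly accepted)

        System.out.println("Path component check:");
        System.out.println("  child    -> " + isUnderPath(child, parent));   // true
        System.out.println("  sibling  -> " + isUnderPath(sibling, parent)); // false
        System.out.println("  escaped  -> " + isUnderPath(escaped, parent)); // false
    }
}
```

The `escaped` case is included because both checks canonicalise first: `getCanonicalFile()` collapses the `..` segment, after which only the component-wise `Path.startsWith` rejects the result. Note that `Path.startsWith(base)` also returns `true` when `child` equals `base`, which is the usual intent for a "may this path be accessed under this directory" check.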
Make IStateListener.aboutToCompareClasspaths use typed lists
Before, the signature was:
void aboutToCompareClasspaths(
List oldClasspath, List newClasspath);
Now it is:
void aboutToCompareClasspaths(
List<String> oldClasspath, List<String> newClasspath);
AJDT will also use the typed version after generics refactoring.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
In order to create the docs separately, running just a single module,
add 'install' to the previous build step, so the 'docs' module can find
the 'lib' dummy JAR in the local Maven repo.
Relates to #150.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
I have not used those directories or any files inside them at all. I
hope I am not taking away anything helpful from people who prefer
working with inter-linked Eclipse projects instead of Maven, but I think
we will notice if anyone complains and can revert in case of an
emergency.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Remove Aspectj.dev artifact and plugin repositories
After having removed the custom-built Maven Shade version, there should
be no more references to artifacts in that repository left. Let us see
if the build passes.
Furthermore, since being a committer, I can also attach AspectJ
installers to GitHub releases.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Bump Maven Shade Plugin to 3.3.0, add TODO to remove Flatten Maven Plugin
Fixed issues of concern include MSHADE-252, MSHADE-396, MSHADE-391.
TODO: MSHADE-36 is in Maven Shade 3.3.0 -> it should be possible to
include the dependency-reduced POM there directly. So maybe, we can get
rid of Flatten Maven Plugin.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Add AspectJ 1.9.9.1 delta to existing 1.9.9 release notes
The minor release from a user perspective is just going to be about
#145, so we are not creating an extra release notes document.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
POM bug: separate jvm.arg.allowSecurityManager from jvm.arg.addOpens
Before, this was in a single variable, and for JDK 18+, the security
manager setting also falsely overwrote the '--add-opens' command. This
was the root cause for a few dozen LTW tests to fail on JDK 18, if they
were not run in full LTW mode, i.e. in a separate JVM.
After this fix, it should be possible to revert the corresponding
commits, at least their non-cosmetic parts.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Add some smoke test cases for '--add-reads' and '--add-modules'
in order to show that the compiler options basically work. The test
cases are by no means exhaustive and simply verify that it works at all.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
AjcTestCase: be less verbose when appending to buffer repeatedly
Also put 'else (if)' and 'finally' on new lines rather than after the
preceding closing curly braces. This helps IDEs when using code folding
(show/hide content of code blocks enclosed in curly braces).
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Make sure to always print commands when running Java test classes
In some cases, the 'java ...' command was not printed, which is
especially unhelpful when tests fail.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Use upstream method to generate '--add-reads', '--add-exports' info
and copy it into our FileSystem instance. In order to be able to access
JDT Core's FileSystem.moduleUpdates field, we had to make it public
there first.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Add test case + experimental fix for AJC option '--add-exports'
I am expecting the test case to pass, but other tests to fail. This
temporary commit is meant to create feedback from GitHub CI test runs.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
Also add some Eclipse, AspectJ and Java version information to the
existing update sites.
Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>