mirror of
https://github.com/gradle/wrapper-validation-action.git
synced 2025-04-21 06:39:19 +08:00
Merge branch 'master' into releases/v1
This commit is contained in:
Paul Merlin
commit
8aa7c79fa3
13
README.md
13
README.md
@ -34,6 +34,12 @@ verify that any and all `gradle-wrapper.jar` files in the repository match the S
|
||||
|
||||
If any are found that do not match the SHA-256 checksums of our official releases, the action will fail.
|
||||
|
||||
Additionally, the action will find and SHA-256 hash all
|
||||
[homoglyph](https://en.wikipedia.org/wiki/Homoglyph)
|
||||
variants of files named `gradle-wrapper.jar`,
|
||||
for example a file named `gradlе-wrapper.jar` (which uses a Cyrillic `е` instead of `e`).
|
||||
The goal is to prevent homoglyph attacks which may be very difficult to spot in a GitHub diff.
|
||||
|
||||
## Usage
|
||||
|
||||
Simply add this action to your workflow **after** having checked out your source tree and **before** running any Gradle build:
|
||||
@ -47,7 +53,7 @@ Here's a sample complete workflow you can add to your repositories:
|
||||
**`.github/workflows/gradle-wrapper-validation.yml`**
|
||||
```yaml
|
||||
name: "Validate Gradle Wrapper"
|
||||
on: [push]
|
||||
on: [push, pull_request]
|
||||
|
||||
jobs:
|
||||
validation:
|
||||
@ -66,3 +72,8 @@ we highly recommend that you reach out to us at [security@gradle.com](mailto:sec
|
||||
If you're curious and want to explore what the differences are between the `gradle-wrapper.jar` in your possession
|
||||
and one of our valid release, you can compare them using this online utility: [DiffScope](https://try.diffoscope.org/).
|
||||
Regardless of what you find, we still kindly request that you reach out to us and let us know about any issues you encountered.
|
||||
|
||||
## Resources
|
||||
|
||||
To learn more about verifying the Gradle Wrapper JAR locally, see our
|
||||
[guide on the topic](https://docs.gradle.org/current/userguide/gradle_wrapper.html#wrapper_checksum_verification).
|
||||
|
||||
0
__tests__/data/invalid/gradlе-wrapper.jar
Normal file
0
__tests__/data/invalid/gradlе-wrapper.jar
Normal file
@ -4,7 +4,8 @@ import * as find from '../src/find'
|
||||
test('finds test data wrapper jars', async () => {
|
||||
const repoRoot = path.resolve('.')
|
||||
const wrapperJars = await find.findWrapperJars(repoRoot)
|
||||
expect(wrapperJars.length).toBe(2)
|
||||
expect(wrapperJars.length).toBe(3)
|
||||
expect(wrapperJars).toContain('__tests__/data/valid/gradle-wrapper.jar')
|
||||
expect(wrapperJars).toContain('__tests__/data/invalid/gradle-wrapper.jar')
|
||||
expect(wrapperJars).toContain('__tests__/data/invalid/gradlе-wrapper.jar') // homoglyph
|
||||
})
|
||||
|
||||
@ -4,7 +4,7 @@ import * as validate from '../src/validate'
|
||||
const baseDir = path.resolve('.')
|
||||
|
||||
test('succeeds if all found wrapper jars are valid', async () => {
|
||||
const result = await validate.findInvalidWrapperJars(baseDir, 2, false, [
|
||||
const result = await validate.findInvalidWrapperJars(baseDir, 3, false, [
|
||||
'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
|
||||
])
|
||||
|
||||
@ -12,13 +12,14 @@ test('succeeds if all found wrapper jars are valid', async () => {
|
||||
|
||||
expect(result.toDisplayString()).toBe(
|
||||
'✓ Found known Gradle Wrapper JAR files:\n' +
|
||||
' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
|
||||
' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
|
||||
' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
|
||||
' 3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
|
||||
)
|
||||
})
|
||||
|
||||
test('fails if invalid wrapper jars are found', async () => {
|
||||
const result = await validate.findInvalidWrapperJars(baseDir, 2, false, [])
|
||||
const result = await validate.findInvalidWrapperJars(baseDir, 3, false, [])
|
||||
|
||||
expect(result.isValid()).toBe(false)
|
||||
|
||||
@ -33,31 +34,37 @@ test('fails if invalid wrapper jars are found', async () => {
|
||||
new validate.WrapperJar(
|
||||
'__tests__/data/invalid/gradle-wrapper.jar',
|
||||
'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
|
||||
),
|
||||
new validate.WrapperJar(
|
||||
'__tests__/data/invalid/gradlе-wrapper.jar', // homoglyph
|
||||
'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
|
||||
)
|
||||
])
|
||||
|
||||
expect(result.toDisplayString()).toBe(
|
||||
'✗ Found unknown Gradle Wrapper JAR files:\n' +
|
||||
' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
|
||||
' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
|
||||
' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
|
||||
'✓ Found known Gradle Wrapper JAR files:\n' +
|
||||
' 3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
|
||||
)
|
||||
})
|
||||
|
||||
test('fails if not enough wrapper jars are found', async () => {
|
||||
const result = await validate.findInvalidWrapperJars(baseDir, 3, false, [])
|
||||
const result = await validate.findInvalidWrapperJars(baseDir, 4, false, [])
|
||||
|
||||
expect(result.isValid()).toBe(false)
|
||||
|
||||
expect(result.errors).toEqual([
|
||||
'Expected to find at least 3 Gradle Wrapper JARs but got only 2'
|
||||
'Expected to find at least 4 Gradle Wrapper JARs but got only 3'
|
||||
])
|
||||
|
||||
expect(result.toDisplayString()).toBe(
|
||||
'✗ Found unknown Gradle Wrapper JAR files:\n' +
|
||||
' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
|
||||
' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
|
||||
' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
|
||||
'✗ Other validation errors:\n' +
|
||||
' Expected to find at least 3 Gradle Wrapper JARs but got only 2\n' +
|
||||
' Expected to find at least 4 Gradle Wrapper JARs but got only 3\n' +
|
||||
'✓ Found known Gradle Wrapper JAR files:\n' +
|
||||
' 3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
|
||||
)
|
||||
|
||||
45
dist/index.js
vendored
45
dist/index.js
vendored
File diff suppressed because one or more lines are too long
@ -7,5 +7,6 @@ module.exports = {
|
||||
transform: {
|
||||
'^.+\\.ts$': 'ts-jest'
|
||||
},
|
||||
verbose: true
|
||||
verbose: true,
|
||||
setupFilesAfterEnv: ['./jest.setup.js']
|
||||
}
|
||||
|
||||
1
jest.setup.js
Normal file
1
jest.setup.js
Normal file
@ -0,0 +1 @@
|
||||
jest.setTimeout(10000) // in milliseconds
|
||||
5
package-lock.json
generated
5
package-lock.json
generated
@ -6180,6 +6180,11 @@
|
||||
"resolved": "https://registry.npmjs.org/underscore/-/underscore-1.8.3.tgz",
|
||||
"integrity": "sha1-Tz+1OxBuYJf8+ctBCfKl6b36UCI="
|
||||
},
|
||||
"unhomoglyph": {
|
||||
"version": "1.0.3",
|
||||
"resolved": "https://registry.npmjs.org/unhomoglyph/-/unhomoglyph-1.0.3.tgz",
|
||||
"integrity": "sha512-PC/OAHE8aiTK0Gfmy0PxOlePazRn+BeCM1r4kFtkHgEnkJZgJoI7yD2yUEjsfSdLXKU1FSt/EcIZvNoKazYUTw=="
|
||||
},
|
||||
"union-value": {
|
||||
"version": "1.0.1",
|
||||
"resolved": "https://registry.npmjs.org/union-value/-/union-value-1.0.1.tgz",
|
||||
|
||||
@ -26,7 +26,8 @@
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.2.0",
|
||||
"typed-rest-client": "^1.7.1"
|
||||
"typed-rest-client": "^1.7.1",
|
||||
"unhomoglyph": "^1.0.3"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^24.0.23",
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
import * as httpm from 'typed-rest-client/HttpClient'
|
||||
|
||||
const httpc = new httpm.HttpClient('eskatos/gradle-wrapper-check')
|
||||
const httpc = new httpm.HttpClient('gradle/wrapper-validation-action')
|
||||
|
||||
export async function fetchValidChecksums(
|
||||
allowSnapshots: boolean
|
||||
|
||||
4
src/declarations.d.ts
vendored
Normal file
4
src/declarations.d.ts
vendored
Normal file
@ -0,0 +1,4 @@
|
||||
declare module 'unhomoglyph' {
|
||||
function unhomoglyph(input: string): string
|
||||
export = unhomoglyph
|
||||
}
|
||||
@ -1,13 +1,14 @@
|
||||
import * as util from 'util'
|
||||
import * as path from 'path'
|
||||
import * as fs from 'fs'
|
||||
import unhomoglyph from 'unhomoglyph'
|
||||
|
||||
const readdir = util.promisify(fs.readdir)
|
||||
|
||||
export async function findWrapperJars(baseDir: string): Promise<string[]> {
|
||||
const files = await recursivelyListFiles(baseDir)
|
||||
return files
|
||||
.filter(file => file.endsWith('gradle-wrapper.jar'))
|
||||
.filter(file => unhomoglyph(file).endsWith('gradle-wrapper.jar'))
|
||||
.map(wrapperJar => path.relative(baseDir, wrapperJar))
|
||||
.sort((a, b) => a.localeCompare(b))
|
||||
}
|
||||
|
||||
@ -14,7 +14,9 @@ export async function run(): Promise<void> {
|
||||
if (result.isValid()) {
|
||||
core.info(result.toDisplayString())
|
||||
} else {
|
||||
core.setFailed(result.toDisplayString())
|
||||
core.setFailed(
|
||||
`Gradle Wrapper Validation Failed!\n See https://github.com/gradle/wrapper-validation-action#reporting-failures\n${result.toDisplayString()}`
|
||||
)
|
||||
}
|
||||
} catch (error) {
|
||||
core.setFailed(error.message)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user