Please consider allowing users to enable the executable permissions (e.g. chmod +x ./myexecutable) for downloaded artifacts.
Why it's needed
It might come in handy when configuring protobuf compilation.
Consider the following pom.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>protobuf-exec-demo</artifactId>
  <version>1.0-SNAPSHOT</version>
  <build>
    <extensions>
      <extension>
        <groupId>kr.motd.maven</groupId>
        <artifactId>os-maven-plugin</artifactId>
        <version>1.7.1</version>
      </extension>
    </extensions>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>exec-maven-plugin</artifactId>
        <version>3.5.0</version>
        <executions>
          <execution>
            <id>exec-protoc</id>
            <phase>generate-sources</phase>
            <goals>
              <goal>exec</goal>
            </goals>
          </execution>
        </executions>
        <dependencies>
          <dependency>
            <groupId>com.google.protobuf</groupId>
            <artifactId>protoc</artifactId>
            <version>4.30.0</version>
            <classifier>${os.detected.classifier}</classifier>
            <type>exe</type>
          </dependency>
        </dependencies>
        <configuration>
          <executableDependency>
            <groupId>com.google.protobuf</groupId>
            <artifactId>protoc</artifactId>
          </executableDependency>
          <arguments>
            <argument>--help</argument>
          </arguments>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```
when executing:
there is an error:
```
[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:3.5.0:exec (exec-protoc) on project jms-connector: Command execution failed.:
Cannot run program "/Users/me/.m2/repository/com/google/protobuf/protoc/4.30.0/protoc-4.30.0-osx-aarch_64.exe" (in directory "/Users/me/projects/demo/proto"): error=13, Permission denied -> [Help 1]
```
But once the executable permission is set:
```shell
chmod +x /Users/neshkeev/.m2/repository/com/google/protobuf/protoc/4.30.0/protoc-4.30.0-*.exe
```
The command:
works as expected:
```
[INFO] --- exec:3.5.0:exec (exec-protoc) @ protobuf-exec-demo ---
Usage: /Users/neshkeev/.m2/repository/com/google/protobuf/protoc/4.30.0/protoc-4.30.0-osx-aarch_64.exe [OPTION] PROTO_FILES
Parse PROTO_FILES and generate output based on the options given:
  -IPATH, --proto_path=PATH   Specify the directory in which to search for
...
```
What is expected
In order to ensure that there are no surprises for existing setups, a new `permissions` config can be added like this:
```xml
<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>exec-maven-plugin</artifactId>
  <version>3.5.0</version>
  ...
  <configuration>
    <permissions>777</permissions>
    <!-- alternative (more user-friendly)
    <permissions>rwx</permissions>
    -->
    ...
  </configuration>
</plugin>
```
I don't insist on this approach, the interface can be different as long as it allows users to enable the executable permissions.
Why it's safe
My project uses `org.xolstice.maven.plugins:protobuf-maven-plugin` for compiling protobuf, but the project hasn't been updated for 5 years and there are some vulnerabilities (CVE-2021-26291, CVE-2022-4245, CVE-2022-4244), so I can't keep on using it.
I studied the `org.xolstice.maven.plugins:protobuf-maven-plugin` plugin's source code and discovered that after downloading the protobuf compiler (protoc) the plugin explicitly sets the executable flag on protoc:
```java
targetFile.setExecutable(true);
```
Since protobuf-maven-plugin explicitly sets the execution permission and no known vulnerabilities have been reported regarding this, it's considered safe. The reported vulnerabilities above are related to Maven itself, not the plugin.
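Until the plugin grows such an option, the flag has to be set outside the plugin. The following POSIX shell function is an added example, not code from the issue author or from the exec-maven-plugin project. It makes a resolved artifact runnable with the narrowest change the issue actually needs, the owner's execute bit (`chmod u+x`), rather than `777`, and it refuses to touch anything that is not a regular file, is group- or world-writable, or does not match the `.sha1` sidecar that Maven normally stores next to a downloaded artifact in the local repository. The function name, the checksum handling and the availability of `sha1sum` or `shasum` on PATH are assumptions of this example; the artifact path is whatever the error message above reports.

```shell
#!/bin/sh
# Added example (not part of the issue or of exec-maven-plugin): grant only the
# owner's execute bit to a Maven-resolved binary after a few sanity checks.
# Assumptions: POSIX sh; sha1sum or shasum on PATH; Maven's optional
# "<artifact>.sha1" sidecar sits next to the artifact in the local repository.

# sha1_of FILE: print the hex SHA-1 of FILE with whichever tool is available.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# make_executable_minimal PATH
# Exit status 0: owner execute bit added (nothing else changes).
# Non-zero: nothing is changed. 1 = not a regular file, 2 = writable by group
# or others (another local user could swap the binary), 3 = checksum mismatch.
make_executable_minimal() {
  f=$1
  [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
  # ls -ld prints e.g. "-rw-r--r--": column 6 is group write, column 9 is other write.
  case $(ls -ld "$f" | cut -c6) in [wW]) echo "group-writable: $f" >&2; return 2;; esac
  case $(ls -ld "$f" | cut -c9) in [wW]) echo "world-writable: $f" >&2; return 2;; esac
  if [ -f "$f.sha1" ]; then
    # Maven's sidecar holds the hex digest, sometimes followed by the file name.
    expected=$(cut -d' ' -f1 "$f.sha1" | tr -d '\r\n')
    actual=$(sha1_of "$f")
    [ "$expected" = "$actual" ] || { echo "checksum mismatch: $f" >&2; return 3; }
  fi
  # Only the owner gains execute; no write bit for others, no 777.
  chmod u+x "$f"
}
```

The function can be wired into the build as a separate `exec` execution of exec-maven-plugin bound to a phase before `generate-sources` (for instance `initialize`), with `${settings.localRepository}` used to build the artifact path; that wiring is left out here because the exact path depends on the classifier and version in use.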