Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
- None
- None
Description
Fixes:
- Files containing an underscore in their name can't be restored in the cache directory correctly (not in the same directory location).
- The cache is able to extract/restore files in locations outside the project. I guess the extraction part is not a vulnerability since someone with commit permissions can guess other ways to extract data. But the possibility of restoring at any place on the disk looks pretty dangerous to me if a remote cache server is compromised.
Enhancements:
- Possibility to restore artefacts on disk, with a dedicated property: maven.build.cache.restoreOnDiskArtefacts (defaults to true). Meaning in the project directory, as opposed to the cache directory.
- IDE integration and use of the cache locally in development is way easier. It is now possible to retrieve a cached jar in the "target" directory.
- Introduce "globs" to filter extra attached outputs by filenames.
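
The restore-location risk described above comes down to a containment check on every path read from cache metadata before anything is written. The sketch below is an added example, not the extension's own code; the class name, method name, project directory and sample entries are all hypothetical.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class RestorePathCheck {

    /**
     * Resolves a relative path taken from cache metadata against the project
     * directory and rejects any result that lands outside it.
     * (Hypothetical helper for illustration.)
     */
    static Path resolveInsideProject(Path projectDir, String cachedRelativePath) throws IOException {
        Path base = projectDir.toAbsolutePath().normalize();
        Path candidate = Paths.get(cachedRelativePath);
        if (candidate.isAbsolute()) {
            throw new IOException("Absolute restore path rejected: " + cachedRelativePath);
        }
        // normalize() collapses "." and ".." so the comparison sees the real target
        Path target = base.resolve(candidate).normalize();
        // Path.startsWith compares whole name elements, so /work/app-evil is not inside /work/app
        if (!target.startsWith(base)) {
            throw new IOException("Restore path escapes project directory: " + cachedRelativePath);
        }
        return target;
    }

    public static void main(String[] args) {
        Path project = Paths.get("/work/app"); // constructed sample project directory
        String[] samples = {                   // constructed sample cache entries
            "target/app-1.0.jar",
            "target/generated_sources/Foo.java", // underscore in the name must survive intact
            "../../home/user/.m2/settings.xml",
            "target/../../app-evil/x.jar",
            "/etc/cron.d/job"
        };
        for (String s : samples) {
            try {
                System.out.println("restore  " + s + " -> " + resolveInsideProject(project, s));
            } catch (IOException e) {
                System.out.println("rejected " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check is purely lexical: it does not follow symbolic links, so a project that may contain links pointing outside its tree also needs the parent of the target resolved with `toRealPath()` before writing.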