JDK-8263204

Add Gradle Wrapper Validation Action


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: openjfx17
    • Fix Version/s: openjfx17
    • Component/s: javafx
    • CPU: generic
    • OS: generic

      Description

      Any system that builds an OpenJFX pull request can be compromised by malicious code hidden inside the Gradle Wrapper JAR file. See the following page for details:

      Gradle Wrapper Validation Action
      https://github.com/gradle/wrapper-validation-action

      SYSTEM / OS / JAVA RUNTIME INFORMATION

      My particular system is Ubuntu 20.04 LTS with OpenJDK 11.

      ------------------------------------------------------------------------
      $ uname -srm
      Linux 5.4.0-66-generic x86_64

      $ getconf GNU_LIBC_VERSION
      glibc 2.31

      $ java --version
      openjdk 11.0.10 2021-01-19
      OpenJDK Runtime Environment (build 11.0.10+9-Ubuntu-0ubuntu1.20.04)
      OpenJDK 64-Bit Server VM (build 11.0.10+9-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)
      ------------------------------------------------------------------------

      STEPS TO REPRODUCE

      Create a pull request with a tampered Gradle Wrapper.

      EXPECTED RESULTS

      The tampered Gradle Wrapper is detected and the JavaFX pre-submit tests on GitHub fail.

      ACTUAL RESULT

      The tampered Gradle Wrapper goes undetected.

      SOURCE CODE FOR AN EXECUTABLE TEST CASE

      I modified the current Gradle Wrapper JAR file with the command:

      ------------------------------------------------------------------------
      $ strip-nondeterminism -v gradle-wrapper.jar
      strip-nondeterminism: Not using a canonical time
      strip-nondeterminism: Using normalizers:
        bflt cpio gettext gzip jar javadoc javaproperties jmod png uimage zip
      Normalizing gradle-wrapper.jar
      ------------------------------------------------------------------------

      WORKAROUND

      The workaround is to check every pull request for the file 'gradle/wrapper/gradle-wrapper.jar' and manually verify its checksum before building the branch. The checksums are listed on the following page:

      Gradle distribution and wrapper JAR checksum reference
      https://gradle.org/release-checksums/
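The workaround above is a manual checksum comparison. The following script automates it so it can run in a pre-submit job before anything invokes `./gradlew` (the wrapper JAR executes as soon as `gradlew` runs, so the check must come first). This is an added example, not code from the JDK issue, from OpenJFX, or from the Gradle Wrapper Validation Action. It assumes an allowlist file with one SHA-256 hash per line; in real use that file would be filled from the "Wrapper JAR" column at https://gradle.org/release-checksums/ . The hashes used in the demo are constructed from two small files the script creates itself and are not real Gradle checksums.

```shell
#!/bin/sh
# verify_wrapper.sh (added example, not part of OpenJFX or the JDK issue):
# reject a Gradle Wrapper JAR whose SHA-256 is not in an allowlist of
# known-good wrapper checksums.
#
# Allowlist format assumed here: one lowercase or uppercase hex SHA-256 per
# line, e.g. copied from https://gradle.org/release-checksums/ .

# SHA-256 of a file; sha256sum on GNU systems, shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_wrapper JAR ALLOWLIST
# Returns 0 when the JAR's checksum is listed, 1 otherwise (or if the JAR is
# missing). Whole-line, case-insensitive match so a partial hash cannot pass.
verify_wrapper() {
    jar=$1
    allowlist=$2
    if [ ! -f "$jar" ]; then
        echo "FAIL $jar: file not found" >&2
        return 1
    fi
    actual=$(sha256_of "$jar")
    if grep -qix "$actual" "$allowlist"; then
        echo "OK   $jar $actual"
        return 0
    fi
    echo "FAIL $jar $actual is not a known Gradle wrapper checksum" >&2
    return 1
}

# Constructed demo data: a stand-in "good" JAR, an allowlist holding only its
# hash, and a copy with one extra byte, which is what any re-packed or
# tampered wrapper looks like to the check. Prints the demo directory.
demo_setup() {
    d=$(mktemp -d)
    printf 'PK\003\004 stand-in wrapper bytes\n' > "$d/good.jar"
    sha256_of "$d/good.jar" > "$d/allowlist.txt"
    cp "$d/good.jar" "$d/tampered.jar"
    printf 'X' >> "$d/tampered.jar"
    echo "$d"
}

# Stand-alone run: the good JAR passes, the tampered one is rejected.
# In a pre-submit job the call would instead be:
#   verify_wrapper gradle/wrapper/gradle-wrapper.jar known-checksums.txt || exit 1
demo_dir=$(demo_setup)
verify_wrapper "$demo_dir/good.jar" "$demo_dir/allowlist.txt"
verify_wrapper "$demo_dir/tampered.jar" "$demo_dir/allowlist.txt" \
    || echo "tampered wrapper rejected, as intended"
```

Note that even a byte-identical re-packing of the JAR, such as the `strip-nondeterminism` run shown above that only normalizes ZIP entry timestamps, produces a different SHA-256 and is rejected; the check is on the exact published artifact, not on its contents, which is the same property the Gradle Wrapper Validation Action enforces.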

              People

              Assignee:
              jgneff John Neffenger
              Reporter:
              jgneff John Neffenger
              Votes: 0
              Watchers: 3
