From efa9f0c67888c0d88e6611560994c8c00ca92491 Mon Sep 17 00:00:00 2001 From: Michael Osipov Date: Mon, 18 Jul 2022 15:09:01 +0200 Subject: [PATCH] [MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version We can safely remove Commons IO altogether because it is not used in any direct or transitive usecase at compile time or runtime. This closes #771 --- maven-core/pom.xml | 10 ++++ .../maven/project/ProjectBuilderTest.java | 48 ++++++++----------- maven-embedder/pom.xml | 5 ++ pom.xml | 20 ++++++++ 4 files changed, 55 insertions(+), 28 deletions(-) diff --git a/maven-core/pom.xml b/maven-core/pom.xml index f46fdeb1d998..61461c8aba8e 100644 --- a/maven-core/pom.xml +++ b/maven-core/pom.xml @@ -160,6 +160,11 @@ under the License. commons-jxpath test + + commons-io + commons-io + test + org.mockito mockito-core @@ -175,6 +180,11 @@ under the License. xmlunit-assertj test + + org.junit.jupiter + junit-jupiter-api + test + org.junit.jupiter junit-jupiter-params diff --git a/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java b/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java index 5590b9f728f7..8cc47a8530a2 100644 --- a/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java +++ b/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java @@ -20,7 +20,6 @@ */ import java.io.File; -import java.nio.file.Files; import java.nio.file.Path; import java.util.ArrayList; import java.util.Collections; @@ -28,6 +27,7 @@ import java.util.Properties; import java.util.concurrent.atomic.AtomicInteger; +import org.apache.commons.io.FileUtils; import org.apache.maven.AbstractCoreMavenComponentTestCase; import org.apache.maven.execution.MavenSession; import org.apache.maven.model.Plugin; 
@@ -35,8 +35,8 @@
 import org.apache.maven.model.building.ModelBuildingRequest;
 import org.apache.maven.model.building.ModelProblem;
 import org.apache.maven.model.building.ModelSource;
-import org.apache.maven.shared.utils.io.FileUtils;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
 
 import static org.apache.maven.project.ProjectBuildingResultWithLocationMatcher.projectBuildingResultWithLocation;
 import static org.apache.maven.project.ProjectBuildingResultWithProblemMessageMatcher.projectBuildingResultWithProblemMessage;
@@ -166,35 +166,27 @@ public void testDontResolveDependencies() } @Test - public void testReadModifiedPoms() throws Exception { + public void testReadModifiedPoms( @TempDir Path tempDir ) throws Exception { // TODO a similar test should be created to test the dependency management (basically all usages // of DefaultModelBuilder.getCache() are affected by MNG-6530 - Path tempDir = Files.createTempDirectory( null ); - FileUtils.copyDirectoryStructure ( new File( "src/test/resources/projects/grandchild-check" ), tempDir.toFile() ); - try - { - MavenSession mavenSession = createMavenSession( null ); - ProjectBuildingRequest configuration = new DefaultProjectBuildingRequest(); - configuration.setRepositorySession( mavenSession.getRepositorySession() ); - org.apache.maven.project.ProjectBuilder projectBuilder = getContainer().lookup( org.apache.maven.project.ProjectBuilder.class ); - File child = new File( tempDir.toFile(), "child/pom.xml" ); - // build project once - projectBuilder.build( child, configuration ); - // modify parent - File parent = new File( tempDir.toFile(), "pom.xml" ); - String parentContent = FileUtils.fileRead( parent ); - parentContent = parentContent.replaceAll( "pom", - "pomaddedValue" ); - FileUtils.fileWrite( parent, "UTF-8", parentContent ); - // re-build pom with modified parent - ProjectBuildingResult result = projectBuilder.build( child, configuration ); - assertThat( result.getProject().getProperties(), hasKey( (Object) "addedProperty" ) ); - } - finally - { - FileUtils.deleteDirectory( tempDir.toFile() ); - } + FileUtils.copyDirectory( new File( "src/test/resources/projects/grandchild-check" ), tempDir.toFile() ); + MavenSession mavenSession = createMavenSession( null ); + ProjectBuildingRequest configuration = new DefaultProjectBuildingRequest(); + configuration.setRepositorySession( mavenSession.getRepositorySession() ); + org.apache.maven.project.ProjectBuilder projectBuilder = getContainer().lookup( 
org.apache.maven.project.ProjectBuilder.class ); + File child = new File( tempDir.toFile(), "child/pom.xml" ); + // build project once + projectBuilder.build( child, configuration ); + // modify parent + File parent = new File( tempDir.toFile(), "pom.xml" ); + String parentContent = FileUtils.readFileToString( parent, "UTF-8" ); + parentContent = parentContent.replaceAll( "pom", + "pomaddedValue" ); + FileUtils.write( parent, parentContent, "UTF-8" ); + // re-build pom with modified parent + ProjectBuildingResult result = projectBuilder.build( child, configuration ); + assertThat( result.getProject().getProperties(), hasKey( (Object) "addedProperty" ) ); } @Test diff --git a/maven-embedder/pom.xml b/maven-embedder/pom.xml index 842f86823954..d49eb8f62fa3 100644 --- a/maven-embedder/pom.xml +++ b/maven-embedder/pom.xml @@ -149,6 +149,11 @@ under the License. commons-cli commons-cli + + commons-io + commons-io + test + org.apache.commons commons-lang3 diff --git a/pom.xml b/pom.xml index 1e08bb637db7..df1b8f40281a 100644 --- a/pom.xml +++ b/pom.xml @@ -49,6 +49,7 @@ under the License. 8 2.6.0 1.5.0 + 2.11.0 3.12.0 5.8.1 3.2.0 @@ -300,6 +301,13 @@ under the License. org.apache.maven.shared maven-shared-utils 3.3.4 + + + + commons-io + commons-io + + org.fusesource.jansi @@ -338,6 +346,13 @@ under the License. org.apache.maven.wagon wagon-http ${wagonVersion} + + + + commons-io + commons-io + + @@ -386,6 +401,11 @@ under the License. commons-cli ${commonsCliVersion} + + commons-io + commons-io + ${commonsIoVersion} + commons-jxpath commons-jxpath
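Review bot: The rewritten body of testReadModifiedPoms passes the charset to readFileToString and write as the string "UTF-8"; the Charset overloads skip the name lookup and its UnsupportedEncodingException path, so `String parentContent = FileUtils.readFileToString( parent, StandardCharsets.UTF_8 );` and `FileUtils.write( parent, parentContent, StandardCharsets.UTF_8 );` would be the preferred form, with an import of java.nio.charset.StandardCharsets if the file does not already have one. Since the commit description says Commons IO is removed altogether, it is worth noting in the description that this test is where the new test-scope commons-io dependency in maven-core/pom.xml is consumed, so the two are not read as contradicting each other. The @TempDir parameter also makes the old try/finally cleanup unnecessary, which is a clear improvement; the fixture path "src/test/resources/projects/grandchild-check" remains relative to the working directory, as before this change.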
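Review bot: The exclusions added under maven-shared-utils (this hunk) and wagon-http (the -338 hunk) are what actually take commons-io off the runtime classpath, because the managed 2.11.0 version added in the -386 hunk would otherwise still be resolved for any transitive path. The description's claim that neither library needs commons-io at runtime is not something this diff can show; if either one does reference it, the failure is a NoClassDefFoundError at the first call site rather than at startup, so a compiling build is not evidence. An integration-test run against the built distribution, or at least `mvn dependency:tree -Dincludes=commons-io` over the modules to confirm only test-scope paths remain, would be the check to record alongside this change. Whether maven-shared-utils 3.3.4 itself uses commons-io at runtime cannot be seen here and is the assumption to confirm.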