
includeGroupByRegex with exclusiveContent can be easily misconfigured leading to poor security #21967

Closed
codefish1 opened this issue Sep 12, 2022 · 1 comment · Fixed by #23356
Labels
a:feature A new functionality in:repository-declarations declaring repositories and filtering
Milestone

Comments

@codefish1
Contributor

Within your build.gradle.kts file you can define exclusive content like this, to limit where dependencies may be pulled from. I quite often see people use a regex like the one in the example below, which works, but matches a much wider set of groups than they expect.

repositories {
  exclusiveContent {
    forRepository { maven("https://....") }
    filter {
      includeGroupByRegex("com.google.*")
    }
  }
}

In this instance the regex should be something like

includeGroupByRegex("com\\.google(?:\\..+|\\Z)")

which will pull anything in com.google:foo and com.google.bar:foo

Expected Behavior

Add a new option for including, perhaps includeGroupByPrefix, which automatically adds the regex for you correctly so you can just do

includeGroupByPrefix("com.google")

Current Behavior

Context

@codefish1 codefish1 added a:feature A new functionality to-triage labels Sep 12, 2022
@jbartok jbartok added in:repository-declarations declaring repositories and filtering @support and removed to-triage labels Sep 12, 2022
@yogurtearl
Contributor

includeGroupByRegex("com.google.*")

will also match things like com_google.foo and com.googleandroid
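The following is an added example, not code from Gradle or from either participant in this thread. It emulates how a group filter regex is applied (assumed here to be a full-string match, as Java's Pattern.matches does) with Python's re.fullmatch, and runs the loose pattern from the issue and the corrected pattern over a constructed set of group ids, including the two false positives named in the comment above. The include_group_by_prefix helper is a hypothetical sketch of the proposed option, not a Gradle API.

```python
import re

# Patterns quoted in the issue. Gradle's includeGroupByRegex is assumed to be a
# full-string match (like Java's Pattern.matches), emulated with re.fullmatch.
LOOSE_PATTERN = r"com.google.*"              # unescaped dots and a greedy tail
STRICT_PATTERN = r"com\.google(?:\..+|\Z)"   # the corrected regex from the issue


def group_matches(pattern: str, group: str) -> bool:
    """Return True if the Maven group id is accepted by the filter regex."""
    return re.fullmatch(pattern, group) is not None


def include_group_by_prefix(prefix: str) -> str:
    """Hypothetical helper: build the strict regex from a plain group prefix.

    Escapes every regex metacharacter in the prefix, then accepts either the
    prefix itself or the prefix followed by a dot and at least one character.
    """
    return re.escape(prefix) + r"(?:\..+|\Z)"


def classify(groups, pattern: str) -> dict:
    """Map each group id to whether the given pattern accepts it."""
    return {g: group_matches(pattern, g) for g in groups}


# Constructed sample group ids, including the two false positives from the thread.
SAMPLE_GROUPS = [
    "com.google",
    "com.google.bar",
    "com_google.foo",      # the unescaped '.' matches the '_'
    "com.googleandroid",   # the trailing '.*' lets the prefix run into a longer name
    "comXgoogle",
]

if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(name, classify(SAMPLE_GROUPS, pattern))
    print(include_group_by_prefix("com.google"))
```

Running it shows the loose pattern accepting all five group ids while the strict pattern accepts only com.google and com.google.bar; the prefix helper produces exactly the corrected regex for the prefix com.google.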
