From a7ef4a0e3e7ec3ab465587b48efd865f2b2b5329 Mon Sep 17 00:00:00 2001 From: Jeremy Norris Date: Mon, 24 Jun 2024 15:17:25 -0500 Subject: [PATCH 1/6] Update to latest Maven (3.9.8), Maven Wrapper (3.3.2) & Java (21.0.3) releases. --- .mvn/wrapper/maven-wrapper.properties | 5 +++-- .sdkmanrc | 4 ++-- mvnw | 17 +++++++++++++---- mvnw.cmd | 5 ++++- 4 files changed, 22 insertions(+), 9 deletions(-) diff --git a/.mvn/wrapper/maven-wrapper.properties b/.mvn/wrapper/maven-wrapper.properties index fe378a15..f95f1ee8 100644 --- a/.mvn/wrapper/maven-wrapper.properties +++ b/.mvn/wrapper/maven-wrapper.properties @@ -14,5 +14,6 @@ # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. -wrapperVersion=3.3.1 -distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.6/apache-maven-3.9.6-bin.zip +wrapperVersion=3.3.2 +distributionType=only-script +distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.8/apache-maven-3.9.8-bin.zip diff --git a/.sdkmanrc b/.sdkmanrc index 9b281c73..7d27f296 100644 --- a/.sdkmanrc +++ b/.sdkmanrc @@ -1,4 +1,4 @@ # Enable auto-env through the sdkman_auto_env config # Add key=value pairs of SDKs to use below -java=21.0.2-tem -maven=3.9.6 +java=21.0.3-tem +maven=3.9.8 diff --git a/mvnw b/mvnw index ac8e247e..19529ddf 100755 --- a/mvnw +++ b/mvnw @@ -19,7 +19,7 @@ # ---------------------------------------------------------------------------- # ---------------------------------------------------------------------------- -# Apache Maven Wrapper startup batch script, version 3.3.1 +# Apache Maven Wrapper startup batch script, version 3.3.2 # # Optional ENV vars # ----------------- 
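Review bot: The new `maven-wrapper.properties` still has no `distributionSha256Sum` line, so with `distributionType=only-script` the `mvnw` script fetches `apache-maven-3.9.8-bin.zip` trusting TLS alone and never verifies the archive it unpacks and executes; the `mvnw` hunk in this same patch shows the script already parses that property, so the hook is there. Please add `distributionSha256Sum=<sha256 of apache-maven-3.9.8-bin.zip>`, taking the digest from the `.sha256` file published alongside the archive on repo.maven.apache.org rather than from a local download, and bump it together with `distributionUrl` on every Maven upgrade. Since CI caches `~/.m2/wrapper` keyed on this file, a verified download is what ends up cached.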
@@ -97,11 +97,19 @@ die() { exit 1 } +trim() { + # MWRAPPER-139: + # Trims trailing and leading whitespace, carriage returns, tabs, and linefeeds. + # Needed for removing poorly interpreted newline sequences when running in more + # exotic environments such as mingw bash on Windows. + printf "%s" "${1}" | tr -d '[:space:]' +} + # parse distributionUrl and optional distributionSha256Sum, requires .mvn/wrapper/maven-wrapper.properties while IFS="=" read -r key value; do case "${key-}" in - distributionUrl) distributionUrl="${value-}" ;; - distributionSha256Sum) distributionSha256Sum="${value-}" ;; + distributionUrl) distributionUrl=$(trim "${value-}") ;; + distributionSha256Sum) distributionSha256Sum=$(trim "${value-}") ;; esac done <"${0%/*}/.mvn/wrapper/maven-wrapper.properties" [ -n "${distributionUrl-}" ] || die "cannot read distributionUrl property in ${0%/*}/.mvn/wrapper/maven-wrapper.properties" @@ -131,7 +139,8 @@ esac distributionUrlName="${distributionUrl##*/}" distributionUrlNameMain="${distributionUrlName%.*}" distributionUrlNameMain="${distributionUrlNameMain%-bin}" -MAVEN_HOME="$HOME/.m2/wrapper/dists/${distributionUrlNameMain-}/$(hash_string "$distributionUrl")" +MAVEN_USER_HOME="${MAVEN_USER_HOME:-${HOME}/.m2}" +MAVEN_HOME="${MAVEN_USER_HOME}/wrapper/dists/${distributionUrlNameMain-}/$(hash_string "$distributionUrl")" exec_maven() { unset MVNW_VERBOSE MVNW_USERNAME MVNW_PASSWORD MVNW_REPOURL || : diff --git a/mvnw.cmd b/mvnw.cmd index 1ff8c9dd..b150b91e 100644 --- a/mvnw.cmd +++ b/mvnw.cmd @@ -19,7 +19,7 @@ @REM ---------------------------------------------------------------------------- @REM ---------------------------------------------------------------------------- -@REM Apache Maven Wrapper startup batch script, version 3.3.1 +@REM Apache Maven Wrapper startup batch script, version 3.3.2 @REM @REM Optional ENV vars @REM MVNW_REPOURL - repo url base for downloading maven distribution 
@@ -79,6 +79,9 @@ if ($env:MVNW_REPOURL) { $distributionUrlName = $distributionUrl -replace '^.*/','' $distributionUrlNameMain = $distributionUrlName -replace '\.[^.]*$','' -replace '-bin$','' $MAVEN_HOME_PARENT = "$HOME/.m2/wrapper/dists/$distributionUrlNameMain" +if ($env:MAVEN_USER_HOME) { + $MAVEN_HOME_PARENT = "$env:MAVEN_USER_HOME/wrapper/dists/$distributionUrlNameMain" +} $MAVEN_HOME_NAME = ([System.Security.Cryptography.MD5]::Create().ComputeHash([byte[]][char[]]$distributionUrl) | ForEach-Object {$_.ToString("x2")}) -join '' $MAVEN_HOME = "$MAVEN_HOME_PARENT/$MAVEN_HOME_NAME" From b13277aaa40da4edfe8be5a490a1e28d6cc2741e Mon Sep 17 00:00:00 2001 From: Jeremy Norris Date: Thu, 11 Jul 2024 07:19:04 -0500 Subject: [PATCH 2/6] Only execute build once during CI and then run distinct jobs to run tests for each Java version. --- .github/workflows/maven.yml | 59 ++++++++++++++++++++++++++----------- .gitignore | 1 + 2 files changed, 43 insertions(+), 17 deletions(-) diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml index bcdd71c7..476ebabc 100644 --- a/.github/workflows/maven.yml +++ b/.github/workflows/maven.yml 
@@ -15,42 +15,67 @@ on: jobs: build: runs-on: ubuntu-latest - strategy: - matrix: - java: ['8', '11', '17', '21'] steps: - - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4 - name: Cache local Maven repository uses: actions/cache@v4 with: - path: ~/.m2/repository - key: ${{ runner.os }}-${{ matrix.java }}-maven-${{ hashFiles('**/pom.xml') }} + path: | + ~/.m2/repository + ~/.m2/wrapper + key: ${{ runner.os }}-build-maven-${{ hashFiles('**/pom.xml', '**/maven-wrapper.properties') }} restore-keys: | - ${{ runner.os }}-${{ matrix.java }}-maven- - - name: Set up build JDK + ${{ runner.os }}-build-maven- + - name: Set up JDK uses: actions/setup-java@v4 with: distribution: 'zulu' java-version: '21' check-latest: true - name: Build with Maven - run: ./mvnw -B -V -e -DskipTests=true package - - uses: actions/upload-artifact@v4 + run: ./mvnw -B -V -e verify -DskipTests=true -DskipITs=true + - name: Archive target directory + run: tar -cf target.tar target + - name: Upload target directory archive + uses: actions/upload-artifact@v4 + with: + name: build_target + path: target.tar + test: + needs: build + runs-on: ubuntu-latest + strategy: + matrix: + java: ['8', '11', '17', '21'] + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Cache local Maven repository + uses: actions/cache@v4 with: - name: java-${{ matrix.java }}-jars path: | - **/target/*.jar - **/target/bom.* - if: always() - - name: Set up test JDK ${{ matrix.java }} + ~/.m2/repository + ~/.m2/wrapper + key: ${{ runner.os }}-test-${{ matrix.java }}-maven-${{ hashFiles('**/pom.xml', '**/maven-wrapper.properties') }} + restore-keys: | + ${{ runner.os }}-test-${{ matrix.java }}-maven- + - name: Set up JDK uses: actions/setup-java@v4 with: distribution: 'zulu' java-version: ${{ matrix.java }} check-latest: true + - name: Download target directory archive + uses: actions/download-artifact@v4 + with: + name: build_target + - name: Extract target directory 
archive + run: tar -xf target.tar - name: Test with Maven - run: ./mvnw -B -V -e -P coverage verify -Denforcer.skip=true -Dmaven.resources.skip=true -Dflatten.skip=true -Dmaven.main.skip=true -Dbnd.skip=true -Dassembly.skipAssembly=true -Dmaven.javadoc.skip=true -Dcyclonedx.skip=true -DskipITs=false - - uses: actions/upload-artifact@v4 + run: ./mvnw -B -V -e -Pcoverage verify -Denforcer.skip=true -Dmaven.resources.skip=true -Dflatten.skip=true -Dmaven.main.skip=true -Dbnd.skip=true -Dassembly.skipAssembly=true -Dmaven.javadoc.skip=true -Dcyclonedx.skip=true -Dformatter.skip=true -Dforbiddenapis.skip=true -DskipTests=false -DskipITs=false + - name: Upload test results + uses: actions/upload-artifact@v4 with: name: java-${{ matrix.java }}-testresults path: | diff --git a/.gitignore b/.gitignore index 606ae2fb..389ad015 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,7 @@ *.geany nb-configuration.xml .flattened-pom.xml +target.tar # Created by https://www.toptal.com/developers/gitignore/api/intellij+all,netbeans,eclipse,visualstudiocode,vim,emacs,macos,windows,linux,java,maven # Edit at https://www.toptal.com/developers/gitignore?templates=intellij+all,netbeans,eclipse,visualstudiocode,vim,emacs,macos,windows,linux,java,maven From 9766a56fdc16f4315a6686caa7b224be33aea259 Mon Sep 17 00:00:00 2001 From: Jeremy Norris Date: Thu, 11 Jul 2024 07:24:47 -0500 Subject: [PATCH 3/6] Run tests on Java 22. --- .github/workflows/maven.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml index 476ebabc..79c99c61 100644 --- a/.github/workflows/maven.yml +++ b/.github/workflows/maven.yml @@ -47,7 +47,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - java: ['8', '11', '17', '21'] + java: ['8', '11', '17', '21', '22'] steps: - name: Checkout repository uses: actions/checkout@v4 From 6b9669f20b28e5ebc66b1e4d787961c34cb0a9b4 Mon Sep 17 00:00:00 2001 
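Review bot: The `Test with Maven` step's run of `-D…skip=true` flags is the only place that records the contract of this job — reuse the JDK 21 output restored from `target.tar` and skip enforcer, formatter, forbiddenapis, javadoc and CycloneDX — and nothing in the pom enforces it, so the next plugin bound to `verify` will silently run once per matrix JDK or fail on Java 8. Consider moving the skips into a pom profile and invoking `./mvnw -B -V -e -Pcoverage,ci-test verify`, with a one-line comment on the step saying why the build is not repeated. `tar -xf target.tar` extracts whatever `build` uploaded; inside a single run that is trustworthy, but if the jobs are ever split across workflows (e.g. `workflow_run`) the artifact provenance needs re-checking. The `on:` and any `permissions:` block are above this hunk, so I cannot see whether the new `test` job is scoped to read-only `GITHUB_TOKEN` permissions.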
From: Jeremy Norris Date: Thu, 11 Jul 2024 07:50:33 -0500 Subject: [PATCH 4/6] Harden CI workflows by pinning action versions to specific commit hashes. --- .github/workflows/automerge.yml | 2 +- .github/workflows/codeql-analysis.yml | 12 ++++++------ .github/workflows/coverity.yml | 8 ++++---- .github/workflows/javadoc.yml | 6 +++--- .github/workflows/maven.yml | 18 +++++++++--------- .github/workflows/release.yml | 2 +- 6 files changed, 24 insertions(+), 24 deletions(-) diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml index aeb47bf5..729c50a2 100644 --- a/.github/workflows/automerge.yml +++ b/.github/workflows/automerge.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 # v2.2.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Enable auto-merge for Dependabot PRs diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2adf1043..60d891a8 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -31,18 +31,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Setup JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 with: distribution: 'zulu' java-version: '21' - check-latest: true + check-latest: true cache: 'maven' # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
@@ -56,7 +56,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -69,4 +69,4 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index e8bc0126..f12fd994 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -7,15 +7,15 @@ jobs: coverity: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up build JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 with: distribution: 'zulu' java-version: '21' - check-latest: true + check-latest: true cache: 'maven' - - uses: vapier/coverity-scan-action@v1 + - uses: vapier/coverity-scan-action@2068473c7bdf8c2fb984a6a40ae76ee7facd7a85 # v1.8.0 with: email: ${{ secrets.COVERITY_SCAN_EMAIL }} token: ${{ secrets.COVERITY_SCAN_TOKEN }} diff --git a/.github/workflows/javadoc.yml b/.github/workflows/javadoc.yml index 2dbd1d0c..38731767 100644 --- a/.github/workflows/javadoc.yml +++ b/.github/workflows/javadoc.yml 
@@ -11,9 +11,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout 🛎ī¸ - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up build JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 with: distribution: 'zulu' java-version: '21' @@ -21,7 +21,7 @@ jobs: - name: Build Javadoc run: ./mvnw -B -V -e javadoc:javadoc - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@v4 + uses: JamesIves/github-pages-deploy-action@94f3c658273cf92fb48ef99e5fbc02bd2dc642b2 # v4.6.3 with: folder: target/site/apidocs target-folder: ${{github.ref_name}} diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml index 79c99c61..25224ad3 100644 --- a/.github/workflows/maven.yml +++ b/.github/workflows/maven.yml @@ -17,9 +17,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Cache local Maven repository - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | ~/.m2/repository @@ -28,7 +28,7 @@ jobs: restore-keys: | ${{ runner.os }}-build-maven- - name: Set up JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 with: distribution: 'zulu' java-version: '21' @@ -38,7 +38,7 @@ jobs: - name: Archive target directory run: tar -cf target.tar target - name: Upload target directory archive - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: build_target path: target.tar 
@@ -50,9 +50,9 @@ jobs: java: ['8', '11', '17', '21', '22'] steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Cache local Maven repository - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | ~/.m2/repository @@ -61,13 +61,13 @@ jobs: restore-keys: | ${{ runner.os }}-test-${{ matrix.java }}-maven- - name: Set up JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 with: distribution: 'zulu' java-version: ${{ matrix.java }} check-latest: true - name: Download target directory archive - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: build_target - name: Extract target directory archive @@ -75,7 +75,7 @@ jobs: - name: Test with Maven run: ./mvnw -B -V -e -Pcoverage verify -Denforcer.skip=true -Dmaven.resources.skip=true -Dflatten.skip=true -Dmaven.main.skip=true -Dbnd.skip=true -Dassembly.skipAssembly=true -Dmaven.javadoc.skip=true -Dcyclonedx.skip=true -Dformatter.skip=true -Dforbiddenapis.skip=true -DskipTests=false -DskipITs=false - name: Upload test results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: java-${{ matrix.java }}-testresults path: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 95c9036f..7a354aea 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,7 +17,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 # Runs a set of commands using the runners shell - name: Release 
From ff9f2348b95a548a4b16b46f1a8ad2b8770e51f8 Mon Sep 17 00:00:00 2001 From: Jeremy Norris Date: Thu, 11 Jul 2024 07:52:22 -0500 Subject: [PATCH 5/6] Increase Dependabot open PR limit. --- .github/dependabot.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ca2841c3..7e7a78a1 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,9 +9,11 @@ updates: directory: "/" # Location of package manifests schedule: interval: "weekly" + open-pull-requests-limit: 25 - package-ecosystem: "github-actions" # Workflow files stored in the # default location of `.github/workflows` directory: "/" schedule: - interval: "weekly" + interval: "weekly" + open-pull-requests-limit: 25 From 39413bce043d3c4d52d8e255b9a34afcb4be5441 Mon Sep 17 00:00:00 2001 From: Jeremy Norris Date: Thu, 11 Jul 2024 10:18:44 -0500 Subject: [PATCH 6/6] Enforce DHGEX prime modulus bit length meets configured constraints. --- ChangeLog.md | 2 ++ src/main/java/com/jcraft/jsch/DHGEX.java | 14 ++++++++------ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index 15569361..c9ca552e 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,3 +1,5 @@ +* [0.2.19](https://github.com/mwiede/jsch/releases/tag/jsch-0.2.19) + * Enforce DHGEX prime modulus bit length meets configured constraints. * [0.2.18](https://github.com/mwiede/jsch/releases/tag/jsch-0.2.18) * Handle negated patterns according to ssh_config(5) by @bmiddaugh in https://github.com/mwiede/jsch/pull/565 * [0.2.17](https://github.com/mwiede/jsch/releases/tag/jsch-0.2.17) diff --git a/src/main/java/com/jcraft/jsch/DHGEX.java b/src/main/java/com/jcraft/jsch/DHGEX.java index 15f9bd0f..393b0ba2 100644 --- a/src/main/java/com/jcraft/jsch/DHGEX.java +++ b/src/main/java/com/jcraft/jsch/DHGEX.java 
@@ -26,6 +26,8 @@ package com.jcraft.jsch; +import java.math.BigInteger; + abstract class DHGEX extends KeyExchange { private static final int SSH_MSG_KEX_DH_GEX_GROUP = 31; @@ -79,8 +81,7 @@ public void init(Session session, byte[] V_S, byte[] V_C, byte[] I_S, byte[] I_C min = Integer.parseInt(session.getConfig("dhgex_min")); max = Integer.parseInt(session.getConfig("dhgex_max")); preferred = Integer.parseInt(session.getConfig("dhgex_preferred")); - if (checkInvalidSize(min) || checkInvalidSize(max) || checkInvalidSize(preferred) - || preferred < min || max < preferred) { + if (min <= 0 || max <= 0 || preferred <= 0 || preferred < min || preferred > max) { throw new JSchException( "Invalid DHGEX sizes: min=" + min + " max=" + max + " preferred=" + preferred); } @@ -127,6 +128,11 @@ public boolean next(Buffer _buf) throws Exception { p = _buf.getMPInt(); g = _buf.getMPInt(); + int bits = new BigInteger(1, p).bitLength(); + if (bits < min || bits > max) { + return false; + } + dh.setP(p); dh.setG(g); // The client responds with: @@ -237,8 +243,4 @@ public boolean next(Buffer _buf) throws Exception { public int getState() { return state; } - - static boolean checkInvalidSize(int size) { - return (size < 1024 || size > 8192 || size % 1024 != 0); - } }
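Review bot: The new guard in `next()` bounds only the bit length of `p`; the generator `g` read on the line above is still handed to `dh.setG(g)` unvalidated, so a malicious or misconfigured server can return `g = 0`, `g = 1` or `g = p - 1`, which makes the shared secret trivially predictable to anyone watching the handshake no matter how large `p` is. OpenSSH rejects such groups before generating a key, and the same range check belongs beside the bit-length test here. The bare `return false` also leaves an operator no way to distinguish a rejected group from any other kex failure; if the session logger is reachable from this class, log the received bit length against `min`/`max` before returning. `next()` begins and ends outside the hunk, and the `init()` change dropping the old 1024–8192 / multiple-of-1024 rule is consistent with it, though `dhgex_min` can now be configured below 1024, which deserves a note in the config documentation.
```java
    p = _buf.getMPInt();
    g = _buf.getMPInt();

    BigInteger pInt = new BigInteger(1, p);
    BigInteger gInt = new BigInteger(1, g);
    int bits = pInt.bitLength();
    // The group must fall inside the [min, max] range we advertised.
    if (bits < min || bits > max) {
      return false;
    }
    // Reject degenerate generators (g <= 1 or g >= p - 1), as OpenSSH does.
    if (gInt.compareTo(BigInteger.ONE) <= 0
        || gInt.compareTo(pInt.subtract(BigInteger.ONE)) >= 0) {
      return false;
    }

    dh.setP(p);
    dh.setG(g);
    // … unchanged: client responds with SSH_MSG_KEX_DH_GEX_INIT …
```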