Disable @-syntax in server-side CmdLineParser instances

Since args4j 2.0.29, the default behavior when passing an argument value of the form "@file" is to read the contents of "file" from the filesystem and use that as the argument value. This is inappropriate when the argument value is provided by a user on the internet to a Gerrit server. Turn off the behavior in all codepaths in Gerrit. The 5 calls fixed in this change are all the calls of the CmdLineParser constructors found by IntelliJ. It would arguably be ok to leave the @-syntax on for the standalone programs like ProtoGen, since someone running those programs on a server could already read arbitrary files with `cat`. However, it's safest to disable in all paths, so we don't risk making an incorrect judgment call, and so someone copy/pasting the usage doesn't unintentionally copy an insecure usage. Moreover, this functionality has not yet been present in any stable releases, so we know nobody is depending on it working. Change-Id: Ib2e40dee443b96c5a8db67affa52a424bba5c4ae
2018-10-05 10:01:49 -07:00
parent 6c0d52fcf4
commit eeae376f3c
5 changed files with 11 additions and 5 deletions
--- a/java/com/google/gerrit/asciidoctor/AsciiDoctor.java
+++ b/java/com/google/gerrit/asciidoctor/AsciiDoctor.java
@@ -40,6 +40,7 @@ import org.kohsuke.args4j.Argument;
 import org.kohsuke.args4j.CmdLineException;
 import org.kohsuke.args4j.CmdLineParser;
 import org.kohsuke.args4j.Option;
+import org.kohsuke.args4j.ParserProperties;

 public class AsciiDoctor {

@@ -138,7 +139,7 @@ public class AsciiDoctor {
  }

  private void invoke(String... parameters) throws IOException {
-    CmdLineParser parser = new CmdLineParser(this);
+    CmdLineParser parser = new CmdLineParser(this, ParserProperties.defaults().withAtSyntax(false));
    try {
      parser.parseArgument(parameters);
      if (inputFiles.isEmpty()) {
--- a/java/com/google/gerrit/asciidoctor/DocIndexer.java
+++ b/java/com/google/gerrit/asciidoctor/DocIndexer.java
@@ -48,6 +48,7 @@ import org.kohsuke.args4j.Argument;
 import org.kohsuke.args4j.CmdLineException;
 import org.kohsuke.args4j.CmdLineParser;
 import org.kohsuke.args4j.Option;
+import org.kohsuke.args4j.ParserProperties;

 public class DocIndexer {
  private static final Pattern SECTION_HEADER = Pattern.compile("^=+ (.*)");
@@ -68,7 +69,7 @@ public class DocIndexer {
  private List<String> inputFiles = new ArrayList<>();

  private void invoke(String... parameters) throws IOException {
-    CmdLineParser parser = new CmdLineParser(this);
+    CmdLineParser parser = new CmdLineParser(this, ParserProperties.defaults().withAtSyntax(false));
    try {
      parser.parseArgument(parameters);
      if (inputFiles.isEmpty()) {
--- a/java/com/google/gerrit/proto/ProtoGen.java
+++ b/java/com/google/gerrit/proto/ProtoGen.java
@@ -31,6 +31,7 @@ import org.eclipse.jgit.util.IO;
 import org.kohsuke.args4j.CmdLineException;
 import org.kohsuke.args4j.CmdLineParser;
 import org.kohsuke.args4j.Option;
+import org.kohsuke.args4j.ParserProperties;

 public class ProtoGen {
  @Option(
@@ -46,7 +47,7 @@ public class ProtoGen {
  }

  private int run(String[] argv) throws Exception {
-    CmdLineParser parser = new CmdLineParser(this);
+    CmdLineParser parser = new CmdLineParser(this, ParserProperties.defaults().withAtSyntax(false));
    try {
      parser.parseArgument(argv);
    } catch (CmdLineException e) {
--- a/java/com/google/gerrit/sshd/commands/UploadArchive.java
+++ b/java/com/google/gerrit/sshd/commands/UploadArchive.java
@@ -48,6 +48,7 @@ import org.kohsuke.args4j.Argument;
 import org.kohsuke.args4j.CmdLineException;
 import org.kohsuke.args4j.CmdLineParser;
 import org.kohsuke.args4j.Option;
+import org.kohsuke.args4j.ParserProperties;

 /** Allows getting archives for Git repositories over SSH using the Git upload-archive protocol. */
 public class UploadArchive extends AbstractGitCommand {
@@ -151,7 +152,8 @@ public class UploadArchive extends AbstractGitCommand {

    try {
      // Parse them into the 'options' field
-      CmdLineParser parser = new CmdLineParser(options);
+      CmdLineParser parser =
+          new CmdLineParser(options, ParserProperties.defaults().withAtSyntax(false));
      parser.parseArgument(args);
      if (options.path == null || Arrays.asList(".").equals(options.path)) {
        options.path = Collections.emptyList();
--- a/java/com/google/gerrit/util/cli/CmdLineParser.java
+++ b/java/com/google/gerrit/util/cli/CmdLineParser.java
@@ -62,6 +62,7 @@ import org.kohsuke.args4j.IllegalAnnotationError;
 import org.kohsuke.args4j.NamedOptionDef;
 import org.kohsuke.args4j.Option;
 import org.kohsuke.args4j.OptionDef;
+import org.kohsuke.args4j.ParserProperties;
 import org.kohsuke.args4j.spi.BooleanOptionHandler;
 import org.kohsuke.args4j.spi.EnumOptionHandler;
 import org.kohsuke.args4j.spi.FieldSetter;
@@ -410,7 +411,7 @@ public class CmdLineParser {
    private HelpOption help;

    MyParser(Object bean) {
-      super(bean);
+      super(bean, ParserProperties.defaults().withAtSyntax(false));
      parseAdditionalOptions(bean, new HashSet<>());
      ensureOptionsInitialized();
    }