Description
Protobuf Maven Plugin protocDigest is ignored when using protoc from PATH
Summary
The expected protocDigest is ignored when protoc is taken from the PATH.
Details
The documentation for the protocDigest parameter says:
"... Users may wish to specify this if using a PATH-based binary ..."
However, when specifying <protoc>PATH</protoc> the protocDigest is not actually checked, because the code already returns here:
https://github.com/ascopes/protobuf-maven-plugin/blob/59097aae8062c461129a13dcda2f4116b90a8765/protobuf-maven-plugin/src/main/java/io/github/ascopes/protobufmavenplugin/protoc/ProtocResolver.java#L91-L93
before the digest check: https://github.com/ascopes/protobuf-maven-plugin/blob/59097aae8062c461129a13dcda2f4116b90a8765/protobuf-maven-plugin/src/main/java/io/github/ascopes/protobufmavenplugin/protoc/ProtocResolver.java#L106
PoC
Specify:
And notice how the protoc on the PATH is not rejected, despite a digest mismatch.
Impact
Users who have an untrusted protoc executable on their PATH and rely on <protocDigest> as protection are affected.
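As an added illustration (not the plugin's own code), the following Python model contrasts the reported control flow, where the PATH branch returns before the digest is compared, with a resolver that verifies the digest on every path. It assumes the digest is a hex SHA-256 of the binary and builds a constructed fake protoc in a temporary directory so it runs offline.

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path

class DigestMismatchError(Exception):
    """Raised when the resolved protoc binary does not match the expected digest."""

def file_digest(path):
    """Hex SHA-256 of a file (assumed digest format; the real plugin's may differ)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def locate_on_path(path_env=None):
    """Find 'protoc' on PATH (or on the given PATH-like string), as the plugin's PATH mode does."""
    found = shutil.which("protoc", path=path_env)
    if found is None:
        raise FileNotFoundError("protoc not found on PATH")
    return Path(found)

def resolve_protoc_unchecked(expected_digest, path_env=None):
    """Reported behaviour: the PATH branch returns before the digest is compared."""
    return locate_on_path(path_env)  # expected_digest is never consulted

def resolve_protoc_checked(expected_digest, path_env=None):
    """Fixed flow: verify the digest on every resolution path, PATH included."""
    protoc = locate_on_path(path_env)
    actual = file_digest(protoc)
    if not hmac.compare_digest(actual.lower(), expected_digest.lower()):
        raise DigestMismatchError(f"{protoc}: expected {expected_digest}, got {actual}")
    return protoc

def demo():
    """Constructed scenario: a fake 'protoc' on a private PATH entry, tried with good and bad digests."""
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "protoc"
        fake.write_bytes(b"#!/bin/sh\necho constructed fake protoc\n")
        fake.chmod(0o755)  # shutil.which only returns executable files
        good, bad = file_digest(fake), "0" * 64
        results = {"unchecked_accepts_mismatch": resolve_protoc_unchecked(bad, d) == fake,
                   "checked_accepts_match": resolve_protoc_checked(good, d) == fake}
        try:
            resolve_protoc_checked(bad, d)
            results["checked_rejects_mismatch"] = False
        except DigestMismatchError:
            results["checked_rejects_mismatch"] = True
        return results
```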
Packages
Package: io.github.ascopes:protobuf-maven-plugin
Affected versions: >= 4.0.0, <= 4.0.1
Patched version: 4.0.2
Package: io.github.ascopes:protobuf-maven-plugin
Affected versions: < 3.10.2
Patched version: 3.10.2
Severity: 1 Low (CVSS4)