Adds Gradle Wrapper Validation script #34
Conversation
oguzkocer
force-pushed
the
add/validate_gradle_wrapper_script
branch
from
c0616cf
to
5082bba
Compare
There was a problem hiding this comment.
👋 @oguzkocer !
Great job on creating our own Gradle Wrapper Validation script to be run on Buildkite, also, kudos on the PR description and test instructions, very helpful! 😍 💯 🥇
I have reviewed and tested this PR as per the instructions, everything LGTM! 👍
- You can see this script in action with this WPAndroid PR. ✅
- If you want to test the script locally. ✅
- If you want to simulate a homoglyph attack coverage with this PR. ✅
- If you want to simulate a tampered
gradle-wrapper.jar(see below).⚠️
The only use-case I didn't verify in my test is the Failed to validate '$wrapper_file' as I didn't know were to find such a tampered gradle-wrapper.jar that doesn't match the official sha256. Let me know if you know how to test that. 🙏
FYI: During my review and testing I added echo everywhere to understand exactly how this script works, just in case I am missing something vital. As I am not the best script reviewer, I didn't want to take any chance here... 😄
Having said the above, maybe you might want to wait of someone else to review this script as well, someone with more experience on that. Thus, I am just approving this PR, but not merging yet.
Combining with Official Github Action
Love this, nice touch! ❤️
Homoglyph Attacks
I agree! 💯
@ParaskP7 I'm guessing you can use any random |
Thanks @AliSoftware for the tip, but I actually tried that and what I got was that it didn't even go through the |
There was a problem hiding this comment.
Nice! Thanks @oguzkocer for working on this 👍
I didn't test the PR (given Petros already did), so only reviewed the code, and it looks good and correct to me 👌
Only left a suggestion to use our hash_file (which already handles the file name removal from sha256 output), otherwise 
| echo "Failed to validate '$wrapper_file'" | ||
| exit 1 | ||
| else | ||
| echo "'$wrapper_file' is validated with sha256 checksum from '$validated_with_checksum_from_url'" |
There was a problem hiding this comment.
💄 small nit (to not make it look like an "in-progress" message but more like a "done" message):
| echo "'$wrapper_file' is validated with sha256 checksum from '$validated_with_checksum_from_url'" | |
| echo "'$wrapper_file' was validated with sha256 checksum from '$validated_with_checksum_from_url'" |
Or (not sure what's the most correct one of the two in English?)
| echo "'$wrapper_file' is validated with sha256 checksum from '$validated_with_checksum_from_url'" | |
| echo "'$wrapper_file' has been validated with sha256 checksum from '$validated_with_checksum_from_url'" |
There was a problem hiding this comment.
An in-progress message would be is being validated and I believe, because the log is created at the time of the validation, the current tense is correct.
Co-authored-by: Olivier Halligon <olivier.halligon@automattic.com>
|
Thank you both for the PR review! 🙇 |
|
@ParaskP7 Here is how to generate the
P.S: It looks like I forgot to cd into the Note that you can no longer call this script directly because of the |
|
Thank you so much for the above, but actually, and shame on me (😊), as I was using the previously downloaded homoglyph I copy-pasted the Again, apologies for the false alarm, and now, I'll go hide in the dark and cry... 😊 🙏 😭 |
|
@ParaskP7 No worries at all. Thanks again for reviewing and testing the PR! 🙇♂️ |
This PR adds
bin/validate_gradle_wrapperhelper script which we can use to validate the Gradle Wrapper in our projects using Buildkite.During the implementation of this script, I've consulted with the official Gradle Wrapper Documentation as well as the official Gradle Wrapper Validation Github Action. Here is a summary of what the script does:
gradle-wrapper.jar. If no such file is found, it'll fail with the following error:No gradle-wrapper.jar files found.This is because if we don't have any Gradle Wrapper files in the project, we shouldn't be calling this script. If we do and it still fails, it's possibly due to Homoglyph attack. (more on that below)gradle-wrapper.jarfile, the script will download the json fromhttps://services.gradle.org/versions/alland make a list of urls of all the knownsha256hashes using thewrapperChecksumUrlproperty.sha256values are not directly listed in thejsonfile, but instead have to be downloaded from a url, we have to check each url until we find a match. We can possibly avoid this by using the Gradle wrapper version information, but that adds extra complexity and it's more error prone, so in my opinion, checking each known value is better. The good news is, since we use relatively latest Gradle versions in each project, we only end up checking a few versions.gradle-wrapper.jarfile, we'll log that information as such:'./gradle/wrapper/gradle-wrapper.jar' is validated with sha256 checksum from 'https://services.gradle.org/distributions/gradle-7.4.2-wrapper.jar.sha256'. This information allows us to always come back to a build and check how it was validated.gradle-wrapper.jarfile, which in most cases will only be one, and if each of them is validated, the script will return success return code. If any of the files fail to validate, it'll exit with an error as such:Failed to validate './gradle/wrapper/gradle-wrapper.jar'.Combining with Official Github Action
We initially wanted to use the Official Github Action, but it becomes a bit messy to use that as a prerequisite for our Buildkite actions. So, @jkmassel and I had a discussion about using our own script as a prerequisite, but also adding the Github Action as an extra piece of security. That means, if there is a validation error that our script misses, we'll at least know about it and address the issue in our script. This makes our script more future-proof and gives extra coverage for Homoglyph attacks.
Homoglyph Attacks
The main difference with this script and the official Github Action is that, this script doesn't cover all cases of Homoglyph attacks. The official Github Action will unhomoglyph each file and then if a file's name corresponds to
gradle-wrapper.jar, it'll validate it.On the contrary, since this script only looks for
gradle-wrapper.jarfile, if the file is a homoglyphed version, it'll not find it. That means - in most cases, it'll exit with a failure because it didn't find anygradle-wrapper.jarfiles. However, there is still a case this script doesn't cover and that is, if the project contains both a validgradle-wrapper.jarfile as well as a homoglyphed one, it'll return a false positive validation.I looked into adding the same Homoglyph file name validation to the bash script, but I think it's a bit tricky and messy to do it in bash. I also thought that
gradle-wrapper.jarfile is probably not the only file that can be used to attack. So, in my opinion, if this is something we are worried about, we should add a more generic check to our repositories where we block any Homoglyphed file names using a list of names we keep in a central location. If we go down that route, we can use the unhomoglyph library to avoid another re-write of something that already exists.Specifically for Gradle Wrapper validation; since we are also adding the Github Action, I don't think we should worry about it. We are already handling the Gradle upgrades ourselves. Once we start using this script as well as the Github Action, I think we will have more than enough coverage.
To Test
gradle-wrapper.jarfile within it.gradle-wrapper.jarfile from this PR, put it in a temporary directory and run this script which should fail withNo gradle-wrapper.jar files found..