java_binary.jvm_flags allows Bash injection #7097

Closed
laszlocsomor opened this issue Jan 11, 2019 · 1 comment
Labels: P3 (We're not considering working on this, but happy to review a PR. No assignee), stale (Issues or PRs that are stale, no activity for 30 days), team-Rules-Java (Issues for Java rules), type: bug

Comments

@laszlocsomor
Contributor

Description of the problem / feature request:

On Linux/macOS, where java_binary uses a Bash stub script to start the JVM (in contrast to Windows where we use a C++ binary instead of the Bash stub), Bazel embeds the value of java_binary.jvm_flags directly into the stub script.

The intent is to support Bash quoting so the user can pass JVM flags like:

java_binary(
  ...
  jvm_flags = ["-Duser.name='Jane Doe'"],
)

The probably unintended consequence is, the user can also pass this:

java_binary(
  ...
  jvm_flags = ["-Duser.name='`date`'"],
)

which will dutifully pass the current date to the JVM.

This is arguably a bug.

Bugs: what's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

BUILD file:

java_binary(
    name = "helloarg",
    srcs = ["HelloArg.java"],
    main_class = "HelloArg",
    jvm_flags = ["-Duser.name=\"$(COMPILATION_MODE)`date`\\\\\"\ '\\\\\"Ada Lovelace'"],
)

HelloArg.java:

public class HelloArg {
  public static void main(String[] args) {
    System.out.printf("Hello %s\n", System.getProperty("user.name"));
  }
}

Output:

$ bazel run //:helloarg
...
Hello fastbuildFri Jan 11 17:37:25 CET 2019\ \\"Ada Lovelace

What operating system are you running Bazel on?

Linux

What's the output of bazel info release?

0.21

Have you found anything relevant by searching the web?

Found this while fixing #7072.
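
An added example (not part of the original issue, and not Bazel's stub template) that models the behaviour described above: a hypothetical generator pastes one flag into a shell script either verbatim or as a single-quoted literal, with `printf` standing in for the JVM launch. The function names and both sample flags are constructed for illustration.

```shell
#!/bin/sh
# Added example: hypothetical stub generator, not Bazel's actual stub template.

# Constructed sample flags. The first is the quoting use case from the issue;
# the second puts a harmless command substitution inside double quotes.
flag_quoted_value() { printf '%s' "-Duser.name='Jane Doe'"; }
flag_substitution() { printf '%s' '-Duser.name="`echo INJECTED`"'; }

# Quote a string as one literal shell word: wrap it in '...' and rewrite
# every embedded ' as '\''.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Emit the stub text. "set --" plus printf stands in for the JVM launch and
# prints each argument the JVM would receive, one per line.
#   raw     : flag text pasted into the script as-is
#   literal : flag text pasted as a single-quoted word
gen_stub() {
  mode=$1
  flag=$2
  if [ "$mode" = literal ]; then
    flag=$(shell_quote "$flag")
  fi
  cat <<EOF
set -- $flag
printf '%s\n' "\$@"
EOF
}

# Run the generated stub in a fresh shell and return what the "JVM" received.
run_stub() { gen_stub "$1" "$2" | sh; }

# Show both embeddings for both constructed flags.
for f in "$(flag_quoted_value)" "$(flag_substitution)"; do
  printf 'flag:    %s\n' "$f"
  printf 'raw:     %s\n' "$(run_stub raw "$f")"
  printf 'literal: %s\n' "$(run_stub literal "$f")"
done
```

Literal quoting stops the substitution, but it also passes the quotes around `Jane Doe` through unchanged, so it gives up the Bash quoting the issue describes as the intent.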

@iirina added the team-Rules-Java and untriaged labels on Jan 14, 2019
@lberki added the P3 label and removed the untriaged label on Mar 13, 2019
@sgowroji added the stale label on Feb 16, 2023
@sgowroji
Member

Hi there! We're doing a clean up of old issues and will be closing this one. Please reopen if you’d like to discuss anything further. We’ll respond as soon as we have the bandwidth/resources to do so.

@sgowroji closed this as not planned (won't fix, can't repro, duplicate, stale) on Feb 16, 2023