Description
Please consider allowing users to enable the executable permissions (e.g. chmod +x ./myexecutable) for downloaded artifacts.
Why it's needed
It might come in handy when configuring protobuf compilation
Consider the following pom.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>protobuf-exec-demo</artifactId>
  <version>1.0-SNAPSHOT</version>
  <build>
    <extensions>
      <extension>
        <groupId>kr.motd.maven</groupId>
        <artifactId>os-maven-plugin</artifactId>
        <version>1.7.1</version>
      </extension>
    </extensions>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>exec-maven-plugin</artifactId>
        <version>3.5.0</version>
        <executions>
          <execution>
            <id>exec-protoc</id>
            <phase>generate-sources</phase>
            <goals>
              <goal>exec</goal>
            </goals>
          </execution>
        </executions>
        <dependencies>
          <dependency>
            <groupId>com.google.protobuf</groupId>
            <artifactId>protoc</artifactId>
            <version>4.30.0</version>
            <classifier>${os.detected.classifier}</classifier>
            <type>exe</type>
          </dependency>
        </dependencies>
        <configuration>
          <executableDependency>
            <groupId>com.google.protobuf</groupId>
            <artifactId>protoc</artifactId>
          </executableDependency>
          <arguments>
            <argument>--help</argument>
          </arguments>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```
when executing:
```
mvn generate-sources
```
there is an error:
```
[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:3.5.0:exec (exec-protoc) on project jms-connector: Command execution failed.:
Cannot run program "/Users/me/.m2/repository/com/google/protobuf/protoc/4.30.0/protoc-4.30.0-osx-aarch_64.exe" (in directory "/Users/me/projects/demo/proto"): error=13, Permission denied -> [Help 1]
```
But once the executable permission is set:
```
chmod +x /Users/neshkeev/.m2/repository/com/google/protobuf/protoc/4.30.0/protoc-4.30.0-*.exe
```
The command:
```
mvn generate-sources
```
works as expected:
```
[INFO] --- exec:3.5.0:exec (exec-protoc) @ protobuf-exec-demo ---
Usage: /Users/neshkeev/.m2/repository/com/google/protobuf/protoc/4.30.0/protoc-4.30.0-osx-aarch_64.exe [OPTION] PROTO_FILES
Parse PROTO_FILES and generate output based on the options given:
  -IPATH, --proto_path=PATH   Specify the directory in which to search for
...
```
What is expected
In order to ensure that there are no surprises for existing setups a new permissions config can be added like this:
```xml
<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>exec-maven-plugin</artifactId>
  <version>3.5.0</version>
  ...
  <configuration>
    <permissions>777</permissions>
    <!-- alternative (more user-friendly)
    <permissions>rwx</permissions>
    -->
    ...
  </configuration>
</plugin>
```
I don't insist on this approach, the interface can be different as long as it allows users to enable the executable permissions.
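As an added illustration (not code from exec-maven-plugin, and not the issue author's proposal), the following hypothetical helper shows how such a `<permissions>` value could be applied to a resolved artifact with the JDK's NIO API. It accepts either a three-digit octal mode ("755") or the nine-character symbolic form understood by `PosixFilePermissions.fromString` ("rwxr-xr-x"), and it skips the operation on file stores without POSIX attributes (Windows), where the execute bit does not exist. The class name `ArtifactPermissions` and the method names are assumptions for this example; the demo in `main` uses `755` rather than `777` so the downloaded binary gains the execute bit without becoming world-writable.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/**
 * Hypothetical helper (not part of exec-maven-plugin) that applies a
 * configured permission string to a resolved executable artifact.
 */
public final class ArtifactPermissions {

    private ArtifactPermissions() {}

    /** Parses a three-digit octal mode such as "755" into POSIX permission flags. */
    static Set<PosixFilePermission> fromOctal(String mode) {
        if (!mode.matches("[0-7]{3}")) {
            throw new IllegalArgumentException("expected three octal digits, got: " + mode);
        }
        int bits = Integer.parseInt(mode, 8);
        // Bit 8 (value 0400) is OWNER_READ, bit 0 (value 01) is OTHERS_EXECUTE.
        PosixFilePermission[] order = {
            PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE,
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE
        };
        Set<PosixFilePermission> perms = EnumSet.noneOf(PosixFilePermission.class);
        for (int i = 0; i < order.length; i++) {
            if ((bits & (1 << (8 - i))) != 0) {
                perms.add(order[i]);
            }
        }
        return perms;
    }

    /** Accepts "755" (octal) or "rwxr-xr-x" (symbolic, as used by ls -l). */
    static Set<PosixFilePermission> parse(String mode) {
        return mode.matches("[0-7]{3}") ? fromOctal(mode) : PosixFilePermissions.fromString(mode);
    }

    /**
     * Applies the requested mode to the artifact. Returns false when the
     * file store has no POSIX attribute view (e.g. Windows), in which case
     * nothing is changed because there is no execute bit to set.
     */
    static boolean apply(Path artifact, String mode) throws IOException {
        if (!Files.getFileStore(artifact).supportsFileAttributeView("posix")) {
            return false;
        }
        Files.setPosixFilePermissions(artifact, parse(mode));
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for a downloaded protoc artifact.
        Path tmp = Files.createTempFile("protoc-demo", ".exe");
        try {
            System.out.println("before: " + (Files.isExecutable(tmp) ? "executable" : "not executable"));
            boolean applied = apply(tmp, "755");
            System.out.println("posix supported: " + applied);
            System.out.println("after:  " + (Files.isExecutable(tmp) ? "executable" : "not executable"));
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```

Running `main` on macOS or Linux prints "not executable" before and "executable" after; on Windows `apply` returns false and the file is left untouched. Mapping the octal digits explicitly (rather than trusting a raw `chmod` string) lets a plugin validate the value before touching files in the local repository.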
Why it's safe
My project uses org.xolstice.maven.plugins:protobuf-maven-plugin for compiling protobuf, but the project hasn't been updated for 5 years and there are some vulnerabilities (CVE-2021-26291, CVE-2022-4245, CVE-2022-4244) so I can't keep on using it.
I studied the org.xolstice.maven.plugins:protobuf-maven-plugin plugin's source code and discovered that after downloading the protobuf compiler (protoc) the plugin explicitly sets the executable flag on protoc:
```java
targetFile.setExecutable(true);
```
Since protobuf-maven-plugin explicitly sets the execution permission and no known vulnerabilities have been reported regarding this, it's considered safe. The reported vulnerabilities above are related to maven itself, not the plugin.