07d55c647b
* master: Bump lodash from 4.17.20 to 4.17.21 fix: introduce retry to stabilize the workflow test: reproduce the problem by jest Bump hosted-git-info from 2.8.8 to 2.8.9 Bump y18n from 4.0.0 to 4.0.1 Create codeql-analysis.yml Bump node-notifier from 8.0.0 to 8.0.1 Bump @actions/core from 1.2.5 to 1.2.6 Upgrade dependencies Clarify reporting failures documentation Bump lodash from 4.17.15 to 4.17.19 checksums: Remove some superfluous type declarations Make lint pass on Windows / for files with CRLF line endings Build Remove now unneeded typescript definitions for unhomoglyph Upgrade prod dependencies Drop now removed upstream eslint typescript rules Upgrade dev dependencies Refine RELEASING.md |
||
---|---|---|
.github/workflows | ||
__tests__ | ||
dist | ||
node_modules | ||
src | ||
.eslintignore | ||
.eslintrc.json | ||
.gitignore | ||
.prettierignore | ||
.prettierrc.json | ||
action.yml | ||
CONTRIBUTING.md | ||
jest.config.js | ||
jest.setup.js | ||
LICENSE | ||
package-lock.json | ||
package.json | ||
README.md | ||
RELEASING.md | ||
tsconfig.json |
Gradle Wrapper Validation Action
This action validates the checksums of Gradle Wrapper JAR files present in the source tree and fails if unknown Gradle Wrapper JAR files are found.
The Gradle Wrapper Problem in Open Source
The gradle-wrapper.jar
is a binary blob of executable code that is checked into nearly
2.8 Million GitHub Repositories.
Searching across GitHub you can find many pull requests (PRs) with helpful titles like 'Update to Gradle xxx'. Many of these PRs are contributed by individuals outside of the organization maintaining the project.
Many maintainers are incredibly grateful for these kinds of contributions as it takes an item off of their backlog.
We assume that most maintainers do not consider the security implications of accepting the Gradle Wrapper binary from external contributors.
There is a certain amount of blind trust open source maintainers have.
Further compounding the issue is that maintainers are most often greeted in these PRs with a diff to the gradle-wrapper.jar
that looks like this.
A fairly simple social engineering supply chain attack against open source would be contribute a helpful “Updated to Gradle xxx” PR that contains malicious code hidden inside this binary JAR.
A malicious gradle-wrapper.jar
could execute, download, or install arbitrary code while otherwise behaving like a completely normal gradle-wrapper.jar
.
Solution
We have created a simple GitHub Action that can be applied to any GitHub repository.
This GitHub Action will do one simple task:
verify that any and all gradle-wrapper.jar
files in the repository match the SHA-256 checksums of any of our official releases.
If any are found that do not match the SHA-256 checksums of our official releases, the action will fail.
Additionally, the action will find and SHA-256 hash all
homoglyph
variants of files named gradle-wrapper.jar
,
for example a file named gradlе-wrapper.jar
(which uses a Cyrillic е
instead of e
).
The goal is to prevent homoglyph attacks which may be very difficult to spot in a GitHub diff.
We created an example Homoglyph attack PR here.
Usage
Add to an existing Workflow
Simply add this action to your workflow after having checked out your source tree and before running any Gradle build:
uses: gradle/wrapper-validation-action@v1
Add a new dedicated Workflow
Here's a sample complete workflow you can add to your repositories:
.github/workflows/gradle-wrapper-validation.yml
name: "Validate Gradle Wrapper"
on: [push, pull_request]
jobs:
validation:
name: "Validation"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: gradle/wrapper-validation-action@v1
Contributing to an external GitHub Repository
Since GitHub Actions are completely free for open source projects and are automatically enabled on almost all projects, adding this check to a project's build is as simple as contributing a PR. Enabling the check requires no overhead on behalf of the project maintainer beyond merging the action.
You can add this action to your favorite Gradle based project without checking out their source locally via the GitHub Web UI thanks to the 'Create new file' button.
Simply add a new file named .github/workflows/gradle-wrapper-validation.yml
with the contents mentioned above.
We recommend the message commit contents of:
- Title:
Official Gradle Wrapper Validation Action
- Body (at minimum):
See: https://github.com/gradle/wrapper-validation-action
From there, you can easily follow the rest of the prompts to create a Pull Request against the project.
Reporting Failures
If this GitHub action fails because a gradle-wrapper.jar
doesn't match one of our published SHA-256 checksums,
we highly recommend that you reach out to us at security@gradle.com.
Note: gradle-wrapper.jar
generated by Gradle 3.3 to 4.0 are not verifiable because those files were dynamically generated by Gradle in a non-reproducible way. It's not possible to verify the gradle-wrapper.jar
for those versions are legitimate using a hash comparison. You should try to determine if the gradle-wrapper.jar
was generated by one of these versions before running the build.
If the Gradle version in gradle-wrapper.properties
is out of this range, you may need to regenerate the gradle-wrapper.jar
by running ./gradlew wrapper
. If you need to use a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the gradle-wrapper.jar
.
If you're curious and want to explore what the differences are between the gradle-wrapper.jar
in your possession
and one of our valid release, you can compare them using this online utility: DiffScope.
Regardless of what you find, we still kindly request that you reach out to us and let us know.
Resources
To learn more about verifying the Gradle Wrapper JAR locally, see our guide on the topic.