From f582ce88fc5f6db10f631959bab5acfbe1f58bb5 Mon Sep 17 00:00:00 2001
From: rfscholte <rfscholte@apache.org>
Date: Wed, 21 Jul 2021 10:34:43 +0200
Subject: [PATCH] [MNG-7047] Validate that repo configuration does not contain
 any expression

---
 .../model/building/DefaultModelBuilder.java   |  2 +-
 .../maven/model/building/ModelProblem.java    |  1 -
 .../validation/DefaultModelValidator.java     | 25 +++++++---
 .../validation/DefaultModelValidatorTest.java | 16 +++++++
 .../repository-with-basedir-expression.xml    | 42 +++++++++++++++++
 .../raw-model/repository-with-expression.xml  | 46 +++++++++++++++++++
 6 files changed, 124 insertions(+), 8 deletions(-)
 create mode 100644 maven-model-builder/src/test/resources/poms/validation/raw-model/repository-with-basedir-expression.xml
 create mode 100644 maven-model-builder/src/test/resources/poms/validation/raw-model/repository-with-expression.xml

diff --git a/maven-model-builder/src/main/java/org/apache/maven/model/building/DefaultModelBuilder.java b/maven-model-builder/src/main/java/org/apache/maven/model/building/DefaultModelBuilder.java
index 3c1d8f61af..25e0bc709b 100644
--- a/maven-model-builder/src/main/java/org/apache/maven/model/building/DefaultModelBuilder.java
+++ b/maven-model-builder/src/main/java/org/apache/maven/model/building/DefaultModelBuilder.java
@@ -814,7 +814,7 @@ private Model readRawModel( ModelBuildingRequest request, DefaultModelProblemCol
             }
             catch ( IOException e )
             {
-                problems.add( new ModelProblemCollectorRequest( Severity.FATAL, Version.V37 ).setException( e ) );
+                problems.add( new ModelProblemCollectorRequest( Severity.FATAL, Version.V40 ).setException( e ) );
             }
         }
         else if ( request.getFileModel() == null )
diff --git a/maven-model-builder/src/main/java/org/apache/maven/model/building/ModelProblem.java b/maven-model-builder/src/main/java/org/apache/maven/model/building/ModelProblem.java
index a08b5efe23..581a41c518 100644
--- a/maven-model-builder/src/main/java/org/apache/maven/model/building/ModelProblem.java
+++ b/maven-model-builder/src/main/java/org/apache/maven/model/building/ModelProblem.java
@@ -51,7 +51,6 @@ enum Version
         V20,
         V30,
         V31,
-        V37,
         V40
     }
 
diff --git a/maven-model-builder/src/main/java/org/apache/maven/model/validation/DefaultModelValidator.java b/maven-model-builder/src/main/java/org/apache/maven/model/validation/DefaultModelValidator.java
index 2e71520d10..7ac53a4d23 100644
--- a/maven-model-builder/src/main/java/org/apache/maven/model/validation/DefaultModelValidator.java
+++ b/maven-model-builder/src/main/java/org/apache/maven/model/validation/DefaultModelValidator.java
@@ -70,7 +70,7 @@ public class DefaultModelValidator
     implements ModelValidator
 {
 
-    private static final Pattern CI_FRIENDLY_EXPRESSION = Pattern.compile( "\\$\\{(.+?)\\}" );
+    private static final Pattern EXPRESSION_NAME_PATTERN = Pattern.compile( "\\$\\{(.+?)\\}" );
 
     private static final List<String> CI_FRIENDLY_POSSIBLE_PROPERTY_NAMES =
         Arrays.asList( AbstractStringBasedModelInterpolator.REVISION_PROPERTY,
@@ -762,15 +762,28 @@ private void validateRawRepositories( ModelProblemCollector problems, List<Repos
                                           String prefix2, ModelBuildingRequest request )
     {
         Map<String, Repository> index = new HashMap<>();
-
+        
         for ( Repository repository : repositories )
         {
             validateStringNotEmpty( prefix, prefix2, "id", problems, Severity.ERROR, Version.V20, repository.getId(),
                                     null, repository );
 
-            validateStringNotEmpty( prefix, prefix2, "[" + repository.getId() + "].url", problems, Severity.ERROR,
-                                    Version.V20, repository.getUrl(), null, repository );
-
+            if ( validateStringNotEmpty( prefix, prefix2, "[" + repository.getId() + "].url", problems, Severity.ERROR,
+                                         Version.V20, repository.getUrl(), null, repository ) )
+            {
+                // only allow ${basedir} and ${project.basedir}
+                Matcher m = EXPRESSION_NAME_PATTERN.matcher( repository.getUrl() );
+                while ( m.find() )
+                {
+                    if ( !( "basedir".equals( m.group( 1 ) ) || "project.basedir".equals( m.group( 1 ) ) ) )
+                    {
+                        validateStringNoExpression( prefix + prefix2 + "[" + repository.getId() + "].url", problems,
+                                                    Severity.ERROR, Version.V40, repository.getUrl(), repository );
+                        break;
+                    }
+                }
+            }
+            
             String key = repository.getId();
 
             Repository existing = index.get( key );
@@ -992,7 +1005,7 @@ private boolean validateVersionNoExpression( String fieldName, ModelProblemColle
         // revision
         // sha1
         //
-        Matcher m = CI_FRIENDLY_EXPRESSION.matcher( string.trim() );
+        Matcher m = EXPRESSION_NAME_PATTERN.matcher( string.trim() );
         while ( m.find() )
         {
             if ( !CI_FRIENDLY_POSSIBLE_PROPERTY_NAMES.contains( m.group( 1 ) ) )
diff --git a/maven-model-builder/src/test/java/org/apache/maven/model/validation/DefaultModelValidatorTest.java b/maven-model-builder/src/test/java/org/apache/maven/model/validation/DefaultModelValidatorTest.java
index c6f31886b0..fd63809911 100644
--- a/maven-model-builder/src/test/java/org/apache/maven/model/validation/DefaultModelValidatorTest.java
+++ b/maven-model-builder/src/test/java/org/apache/maven/model/validation/DefaultModelValidatorTest.java
@@ -876,4 +876,20 @@ public void testParentVersionRELEASE()
         assertViolations( result, 0, 0, 1 );
         assertEquals( "'parent.version' is either LATEST or RELEASE (both of them are being deprecated)", result.getWarnings().get( 0 ) );
     }
+    
+    @Test
+    public void repositoryWithExpression() throws Exception
+    {
+        SimpleProblemCollector result = validateRaw( "raw-model/repository-with-expression.xml" );
+        assertViolations( result, 0, 1, 0 );
+        assertEquals( "'repositories.repository.[repo].url' contains an expression but should be a constant.", result.getErrors().get( 0 ) );
+    }
+    
+    @Test
+    public void repositoryWithBasedirExpression() throws Exception
+    {
+        SimpleProblemCollector result = validateRaw( "raw-model/repository-with-basedir-expression.xml" );
+        assertViolations( result, 0, 0, 0 );
+    }
+
 }
diff --git a/maven-model-builder/src/test/resources/poms/validation/raw-model/repository-with-basedir-expression.xml b/maven-model-builder/src/test/resources/poms/validation/raw-model/repository-with-basedir-expression.xml
new file mode 100644
index 0000000000..3e64091da8
--- /dev/null
+++ b/maven-model-builder/src/test/resources/poms/validation/raw-model/repository-with-basedir-expression.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.apache.maven.validation</groupId>
+    <artifactId>parent</artifactId>
+    <version>1</version>
+  </parent>
+
+  <groupId>org.apache.maven.validation</groupId>
+  <artifactId>project</artifactId>
+  <version>1.0.0-SNAPSHOT</version>
+
+  <repositories>
+    <repository>
+      <id>repo</id>
+      <url>file://${basedir}/target/remote-repo</url>
+    </repository>
+  </repositories>
+
+</project>
\ No newline at end of file
diff --git a/maven-model-builder/src/test/resources/poms/validation/raw-model/repository-with-expression.xml b/maven-model-builder/src/test/resources/poms/validation/raw-model/repository-with-expression.xml
new file mode 100644
index 0000000000..fcdd9465d8
--- /dev/null
+++ b/maven-model-builder/src/test/resources/poms/validation/raw-model/repository-with-expression.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.apache.maven.validation</groupId>
+    <artifactId>parent</artifactId>
+    <version>1</version>
+  </parent>
+
+  <groupId>org.apache.maven.validation</groupId>
+  <artifactId>project</artifactId>
+  <version>1.0.0-SNAPSHOT</version>
+
+  <properties>
+    <x>just/some/path</x>
+  </properties>
+
+  <repositories>
+    <repository>
+      <id>repo</id>
+      <url>file://${x}/sdk/maven/repo</url>
+    </repository>
+  </repositories>
+
+</project>
\ No newline at end of file