feat: Optimize Gradle wrapper checksum validation#3736
Draft
fbricon wants to merge 1 commit into
Conversation
282bc2e to 861577e
Replace the download-all-versions pipeline with a single-version lookup that validates the wrapper JAR before Gradle runs, preventing a compromised wrapper from executing. The new flow checks user-allowed checksums, bundled checksums.json (by version then by value), a per-version disk cache, and finally a single network fetch with a 5-second timeout. An unparseable distributionUrl with an unknown JAR is now treated as INVALID rather than silently allowed.

- Add VALID/INVALID/UNVERIFIABLE enum to ValidationResult
- Move validation into getGradleDistribution() (before import)
- Delete DownloadChecksumJob (inline fetch with short timeout)
- Remove waitForLoadingGradleVersionJob / LoadingGradleVersionJobMatcher
- Remove versions.json from runtime bundle (build-time only)
- Add version field to checksums.json entries in Groovy script
- Cache fetched checksums to disk per version for offline reuse
- Fix getDisallowed() returning allowed set instead of disallowed
- Simplify GradlePreferenceChangeListener to trigger re-import

Fixes redhat-developer/vscode-java#4357

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
861577e to 977f5dd
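The lookup order the commit message describes (user-allowed checksums, bundled checksums.json by version then by value, per-version disk cache, one short-timeout network fetch, and INVALID for an unparseable distributionUrl with an unknown JAR) as a runnable model. This is an added illustration written for this page, not code from the pull request or from the eclipse.jdt.ls / vscode-java projects. The checksums.json entry layout (`version` / `wrapperChecksum`), the `gradle-<version>-wrapper.jar.sha256` fetch URL, the cache file naming, and the byte strings standing in for real wrapper JARs are all assumptions; the fetcher is injected so the demo runs offline.

```python
import hashlib
import re
import tempfile
import urllib.request
from enum import Enum
from pathlib import Path
from typing import Callable, Iterable, Optional

FETCH_TIMEOUT_SECONDS = 5  # single network fetch with a short timeout
# Matches gradle-<version>-bin.zip / -all.zip in distributionUrl (the "https\://" escape is fine)
_DIST_URL_RE = re.compile(r"gradle-(?P<version>\d+(?:\.\d+)*(?:-[A-Za-z0-9]+)*)-(?:bin|all)\.zip")
_SHA256_RE = re.compile(r"[0-9a-f]{64}")


class ValidationResult(Enum):
    VALID = "valid"
    INVALID = "invalid"
    UNVERIFIABLE = "unverifiable"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_wrapper_version(distribution_url: str) -> Optional[str]:
    """Return the Gradle version named in distributionUrl, or None if it cannot be parsed."""
    match = _DIST_URL_RE.search(distribution_url)
    return match.group("version") if match else None


def fetch_checksum_from_network(version: str, timeout: float = FETCH_TIMEOUT_SECONDS) -> str:
    """Assumed fetcher: one request for the published wrapper checksum, bounded by a timeout."""
    url = f"https://services.gradle.org/distributions/gradle-{version}-wrapper.jar.sha256"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii").strip()


def _compare(expected: str, actual: str) -> ValidationResult:
    return ValidationResult.VALID if expected == actual else ValidationResult.INVALID


def validate_wrapper_jar(jar_bytes: bytes, distribution_url: str, allowed_checksums: Iterable[str],
                         bundled_checksums: list, cache_dir: Path,
                         fetch: Callable[[str, float], str] = fetch_checksum_from_network) -> ValidationResult:
    """Decide whether gradle-wrapper.jar may run, following the order in the commit message."""
    actual = sha256_hex(jar_bytes)
    # 1. Checksums the user explicitly allowed win outright.
    if actual in {c.lower() for c in allowed_checksums}:
        return ValidationResult.VALID
    # 2. Bundled checksums.json: by version first, then by value (assumed entry layout).
    version = parse_wrapper_version(distribution_url)
    by_version = {e["version"]: e["wrapperChecksum"].lower() for e in bundled_checksums}
    if version in by_version and by_version[version] == actual:
        return ValidationResult.VALID
    if actual in by_version.values():
        return ValidationResult.VALID
    if version is None:
        return ValidationResult.INVALID  # unparseable URL and unknown JAR: reject, never silently allow
    if version in by_version:
        return ValidationResult.INVALID  # bundled version, but the JAR matches no known wrapper
    # 3. Per-version disk cache written by an earlier fetch (keeps offline builds working).
    cache_file = cache_dir / f"gradle-{version}-wrapper.jar.sha256"
    if cache_file.is_file():
        return _compare(cache_file.read_text().strip().lower(), actual)
    # 4. One network fetch; a failure or malformed reply means the JAR cannot be judged.
    try:
        expected = fetch(version, FETCH_TIMEOUT_SECONDS).strip().lower()
    except Exception:
        return ValidationResult.UNVERIFIABLE
    if not _SHA256_RE.fullmatch(expected):
        return ValidationResult.UNVERIFIABLE
    cache_dir.mkdir(parents=True, exist_ok=True)
    cache_file.write_text(expected)
    return _compare(expected, actual)


# Constructed sample data: stand-ins for real wrapper JARs and for the bundled checksums.json.
GOOD_JAR = b"constructed stand-in for the official gradle-wrapper.jar shipped with 8.5"
NEW_JAR = b"constructed stand-in for a wrapper JAR from a version not in the bundle"
TAMPERED_JAR = b"constructed stand-in for a modified gradle-wrapper.jar"
BUNDLED = [{"version": "8.5", "wrapperChecksum": sha256_hex(GOOD_JAR)}]


def _offline(version: str, timeout: float) -> str:
    raise OSError("no network")


def demo() -> dict:
    """Drive the chain through each branch and return the outcomes by name."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp)
        url85 = "https\\://services.gradle.org/distributions/gradle-8.5-bin.zip"
        out["bundled_ok"] = validate_wrapper_jar(GOOD_JAR, url85, [], BUNDLED, cache, _offline)
        out["bundled_tampered"] = validate_wrapper_jar(TAMPERED_JAR, url85, [], BUNDLED, cache, _offline)
        out["unparseable_unknown"] = validate_wrapper_jar(TAMPERED_JAR, "file:///custom.zip", [], BUNDLED, cache, _offline)
        out["user_allowed"] = validate_wrapper_jar(TAMPERED_JAR, "file:///custom.zip",
                                                   [sha256_hex(TAMPERED_JAR)], BUNDLED, cache, _offline)
        url90 = "https\\://services.gradle.org/distributions/gradle-9.0-all.zip"
        calls = []

        def fake_fetch(version, timeout):  # records the single fetch, returns a checksum with trailing newline
            calls.append((version, timeout))
            return sha256_hex(NEW_JAR) + "\n"
        out["fetched"] = validate_wrapper_jar(NEW_JAR, url90, [], BUNDLED, cache, fake_fetch)
        out["cached_offline"] = validate_wrapper_jar(NEW_JAR, url90, [], BUNDLED, cache, _offline)
        out["fetch_calls"] = len(calls)
        url91 = "https\\://services.gradle.org/distributions/gradle-9.1-bin.zip"
        out["offline_unknown"] = validate_wrapper_jar(NEW_JAR, url91, [], BUNDLED, cache, _offline)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result.value if isinstance(result, ValidationResult) else result}")
```

The three-way result matters for the caller: only VALID lets the wrapper run, INVALID is a hard stop, and UNVERIFIABLE (offline, timeout, garbage reply) is the case where an import should surface a decision to the user rather than fall back to trusting the JAR. Note also that the cache is only ever written from a well-formed 64-hex reply, so a broken or truncated download cannot poison later offline checks.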