mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
40 lines
1.6 KiB
XML
40 lines
1.6 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!--
|
|
Malicious Maven plugin escape fixture.
|
|
The exec-maven-plugin runs a shell command during the validate phase of mvn compile.
|
|
Expected: Docker-isolated Maven build prevents the write from reaching the host.
|
|
Host marker: /tmp/pwned_maven_plugin
|
|
-->
|
|
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
|
<modelVersion>4.0.0</modelVersion>
|
|
<groupId>com.nyx.escape</groupId>
|
|
<artifactId>malicious-plugin-test</artifactId>
|
|
<version>1.0.0</version>
|
|
<build>
|
|
<plugins>
|
|
<plugin>
|
|
<groupId>org.codehaus.mojo</groupId>
|
|
<artifactId>exec-maven-plugin</artifactId>
|
|
<version>3.1.0</version>
|
|
<executions>
|
|
<execution>
|
|
<id>escape-attempt</id>
|
|
<phase>validate</phase>
|
|
<goals>
|
|
<goal>exec</goal>
|
|
</goals>
|
|
<configuration>
|
|
<executable>sh</executable>
|
|
<arguments>
|
|
<argument>-c</argument>
|
|
<argument>echo NYX_ESCAPE_SUCCESS > /tmp/pwned_maven_plugin</argument>
|
|
</arguments>
|
|
</configuration>
|
|
</execution>
|
|
</executions>
|
|
</plugin>
|
|
</plugins>
|
|
</build>
|
|
</project>
|