JLLeitschuh

nikto -h https://plugins.gradle.org/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          104.16.174.166
+ Target Hostname:    plugins.gradle.org
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=ssl473435.cloudflaressl.com
                   Altnames: ssl473435.cloudflaressl.com, *.gradle.org, gradle.org
                   Ciphers:  ECDHE-ECDSA-CHACHA20-POLY1305

JLLeitschuh

buildscript {
    repositories {
        gradlePluginPortal()
    }
    dependencies {
        /*
         * In practice, this attack could have been leveraged against any plugin on 
         * the Gradle plugin portal.
         * I created my own plugin for testing purposes.
         */

JLLeitschuh

package org.jlleitschuh.testing.security;

import org.gradle.api.Plugin;
import org.gradle.api.Project;

public class SecurityPlugin implements Plugin<Project> {
    @Override
    public void apply(final Project target) {
        target.getLogger().lifecycle("A security plugin. I'm malicious!");
    }

JLLeitschuh

package org.jlleitschuh.testing.security;

import org.gradle.api.Plugin;
import org.gradle.api.Project;

public class SecurityPlugin implements Plugin<Project> {
    @Override
    public void apply(final Project target) {
        target.getLogger().lifecycle("A security plugin");
    }

JLLeitschuh

buildscript {
  repositories {
    maven {
      url "https://plugins.gradle.org/m2/"
    }
  }
  dependencies {
    classpath "gradle.plugin.com.github.spotbugs:spotbugs-gradle-plugin:1.6.4"
  }
}

JLLeitschuh

class Vector {
  private final int x, y, z;
  public Vector(int x, int y, int z) {
    this.x = x;
    this.y = y;
    this.z = z;
  }
  
  public Vector crossProduct(Vector other) {
      // Do your math here

JLLeitschuh

package edu.wpi.grip.core.operations;


import com.google.common.collect.ImmutableList;
import com.google.common.eventbus.EventBus;
import com.google.inject.Inject;
import edu.wpi.grip.core.OperationMetaData;
import edu.wpi.grip.core.events.OperationAddedEvent;
import edu.wpi.grip.core.operations.opencv.CVOperation;
import edu.wpi.grip.core.operations.opencv.enumeration.FlipCode;

JLLeitschuh

package edu.wpi.grip.core.operations.composite;


import com.google.common.eventbus.EventBus;
import edu.wpi.grip.core.Operation;
import edu.wpi.grip.core.sockets.InputSocket;
import edu.wpi.grip.core.sockets.OutputSocket;
import edu.wpi.grip.core.sockets.SocketHints;
import org.bytedeco.javacpp.opencv_core;
import org.bytedeco.javacpp.opencv_core.Mat;

JLLeitschuh

public class CooldownRestartPolicy implements ServiceRestartPolicy {
    /**
     * If restarting sooner than this, it's probably an unrecoverable error.
     */
    public static final int RESTART_INTERVAL = 5000;

    private long last;
    private long interval = RESTART_INTERVAL;

    public CooldownRestartPolicy() {

JLLeitschuh

@Override
    public synchronized void setValueWithKey(String key) throws IOException, IllegalArgumentException {
        final List<String> keys = getKeys();
        if (keys.contains(key)) {
            index = keys.indexOf(key);
            loadImage(paths.get(index));
        } else {
            throw new IllegalArgumentException(key + " was an illegal key");
        }
    }