
Protobuf Maven Plugin protocDigest is ignored when using protoc from PATH

Summary

The expected protocDigest is ignored when protoc is taken from the PATH.

Details

The documentation for the protocDigest parameter says:

> ... Users may wish to specify this if using a PATH-based binary ...

However, when `<protoc>PATH</protoc>` is specified, the protocDigest is not actually checked, because the code returns early here:

https://github.com/ascopes/protobuf-maven-plugin/blob/59097aae8062c461129a13dcda2f4116b90a8765/protobuf-maven-plugin/src/main/java/io/github/ascopes/protobufmavenplugin/protoc/ProtocResolver.java#L91-L93

before it ever reaches the digest check:

https://github.com/ascopes/protobuf-maven-plugin/blob/59097aae8062c461129a13dcda2f4116b90a8765/protobuf-maven-plugin/src/main/java/io/github/ascopes/protobufmavenplugin/protoc/ProtocResolver.java#L106

PoC

Specify:

```xml
<protoc>PATH</protoc>
<protocDigest>sha256:0000000000000000000000000000000000000000000000000000000000000000</protocDigest>
```

And notice how the protoc on the PATH is not rejected, despite a digest mismatch.
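The ordering bug described above and its fix, as an added illustration that is not the plugin's own code: a hypothetical resolver whose PATH branch returns before the digest check (vulnerable) next to one that resolves first and verifies whatever it resolved (fixed). The class name, method names and the temp file standing in for a PATH binary are all constructed for this demo.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.Optional;

/** Hypothetical resolver that illustrates the ordering bug; not the plugin's own code. */
public final class ProtocDigestDemo {
  /** Vulnerable ordering: the PATH branch returns before the digest is ever consulted. */
  static Path resolveVulnerable(String setting, Path candidate, Optional<String> digest) throws Exception {
    if ("PATH".equals(setting)) {
      return candidate;              // early return: protocDigest silently ignored
    }
    verifyDigest(candidate, digest); // only the download branch is checked
    return candidate;
  }

  /** Fixed ordering: resolve the binary first, then verify it whatever its origin. */
  static Path resolveFixed(String setting, Path candidate, Optional<String> digest) throws Exception {
    Path resolved = candidate;       // PATH lookup or download would both land here
    verifyDigest(resolved, digest);  // fail closed for both branches
    return resolved;
  }

  /** Compares the file's SHA-256 with an expected "sha256:<hex>" value in constant time. */
  static void verifyDigest(Path binary, Optional<String> expected) throws Exception {
    if (expected.isEmpty()) return;  // no digest configured: nothing to enforce
    String[] parts = expected.get().split(":", 2);
    if (parts.length != 2 || !parts[0].equalsIgnoreCase("sha256")) {
      throw new IllegalArgumentException("demo supports only sha256:<hex>");
    }
    byte[] actual = MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(binary));
    byte[] wanted = HexFormat.of().parseHex(parts[1]);
    if (!MessageDigest.isEqual(actual, wanted)) {
      throw new SecurityException("protoc digest mismatch for " + binary);
    }
  }

  public static void main(String[] args) throws Exception {
    Path fake = Files.createTempFile("protoc", "");  // constructed stand-in for a PATH binary
    Files.writeString(fake, "not really protoc");
    Optional<String> zero = Optional.of("sha256:" + "0".repeat(64));
    System.out.println("vulnerable accepted: " + resolveVulnerable("PATH", fake, zero));
    try {
      resolveFixed("PATH", fake, zero);
    } catch (SecurityException e) {
      System.out.println("fixed rejected: " + e.getMessage());
    }
  }
}
```

With the all-zero digest from the PoC, the vulnerable resolver hands back the PATH binary unchallenged while the fixed one rejects it; the same verifyDigest call placed after both branches is the whole fix.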

Impact

Users who have an untrusted protoc executable on their PATH and rely on `<protocDigest>` as protection are affected.
