Impact
When copying files or creating archives, Gradle does not preserve symbolic links. Instead, Gradle resolves each symbolic link to its underlying target file, but the permissions applied to the new file are those of the symbolic link itself rather than those of the target file.
This can lead to files that have unintended permissions, because symbolic links are usually world readable and writeable.
While it is unlikely this impacts the build directly, it may open attack vectors where build artifacts are used or extracted.
Patches
In Gradle 7.6.3 and 8.4, the permissions of the target file will be used when copying or archiving a symbolic link.
It is recommended that users upgrade to a patched version.
Workarounds
If you are unable to upgrade to a patched Gradle version, you should explicitly set permissions for any symbolic links when copying or creating an archive.
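As an added example that is not part of the advisory, the following Groovy DSL task shows one way to apply that workaround on an unpatched Gradle: for every source entry that is a symbolic link, it reads the POSIX permissions of the link's target and applies them to the copied file, mirroring what the patched versions do. The task name and paths are placeholders; the same eachFile block can be added to a Zip or Tar task.

```groovy
import java.nio.file.Files
import java.nio.file.attribute.PosixFilePermission

// Converts a set of POSIX permissions to the octal mode Gradle expects (0644, 0755, ...).
def modeOf(Set<PosixFilePermission> perms) {
    def bits = [
        (PosixFilePermission.OWNER_READ)    : 0400,
        (PosixFilePermission.OWNER_WRITE)   : 0200,
        (PosixFilePermission.OWNER_EXECUTE) : 0100,
        (PosixFilePermission.GROUP_READ)    : 0040,
        (PosixFilePermission.GROUP_WRITE)   : 0020,
        (PosixFilePermission.GROUP_EXECUTE) : 0010,
        (PosixFilePermission.OTHERS_READ)   : 0004,
        (PosixFilePermission.OTHERS_WRITE)  : 0002,
        (PosixFilePermission.OTHERS_EXECUTE): 0001,
    ]
    perms.inject(0) { mode, p -> mode | bits[p] }
}

// Placeholder task: copies a distribution tree into the build directory.
tasks.register('copyDist', Copy) {
    from 'src/dist'
    into layout.buildDirectory.dir('dist')

    eachFile { FileCopyDetails details ->
        def source = details.file.toPath()
        if (Files.isSymbolicLink(source)) {
            // Unpatched Gradle would copy the link's own (usually 0777) mode here.
            // getPosixFilePermissions follows the link by default, so this yields the
            // target's permissions, which is what Gradle 7.6.3 and 8.4 apply.
            details.mode = modeOf(Files.getPosixFilePermissions(source))
        }
    }
}
```

If the target permissions are not needed, a fixed fileMode (for example fileMode = 0644) on the task is a simpler alternative that also overrides the symbolic link's mode.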
References