The patches mentioned on the blog post about the deserialization vulnerability were generated using this script, written by the GoCD Team. You can verify it yourself and run it. The final checksums will not match because the process of zipping it will include timestamps.


backup_file="go.backup.$(date +%s).for-commons-collections-exploit.jar"

echo "Logs will be in: $log_file"
exec >"$log_file" 2>&1

set -x -e -o pipefail
cd "$(dirname "$0")"

cp go.jar "$backup_file"
unzip -d go-jar go.jar

(cd go-jar/defaultFiles/; unzip -d cruise-war cruise.war)
zip -d go-jar/defaultFiles/cruise-war/WEB-INF/lib/commons-collections-3.1.jar \
(cd go-jar/defaultFiles/cruise-war; zip -f ../cruise.war WEB-INF/lib/commons-collections-3.1.jar)

(cd go-jar/defaultFiles/; unzip -d agent-jar agent.jar)
zip -d go-jar/defaultFiles/agent-jar/lib/commons-collections-3.2.jar \
(cd go-jar/defaultFiles/agent-jar; zip -f ../agent.jar lib/commons-collections-3.2.jar)

(cd go-jar; zip -f ../go.jar defaultFiles/cruise.war)
(cd go-jar; zip -f ../go.jar defaultFiles/agent.jar)

rm -rf go-jar

diff <(unzip -lv go.jar) <(unzip -lv "$backup_file") || true