[AppSec] Skip converting Strongly Encapsulated Internals for WAF #3501
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This doesn't have to do with the java.time or java.lang specifically right? It's a general JPMS-related problem, no? |
|
Yes, that's correct, I'm not sure if any classes from another Basically we can check package accessibility but only starting from Java 9. |
ValentinZakharov
force-pushed
the
vzakharov/skip_java_internals
branch
4 times, most recently
from
94c3470
to
8bcf658
Compare
ValentinZakharov
force-pushed
the
vzakharov/skip_java_internals
branch
from
8bcf658
to
421c9b6
Compare
bantonsson
approved these changes
Apr 20, 2022
cataphract
reviewed
Apr 20, 2022
| if (setAccessible(f)) { | ||
| try { | ||
| newMap.put(f.getName(), guardedConversion(f.get(obj), depth + 1, elemsLeft)); | ||
| } catch (IllegalAccessException e) { |
There was a problem hiding this comment.
I think this should be caught inside the setAccessible private method and return false from there.
ValentinZakharov
force-pushed
the
vzakharov/skip_java_internals
branch
from
421c9b6
to
158dc6e
Compare
bantonsson
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What Does This Do
Prevents decomposition of object that are belongs to Strongly Encapsulated Java Internals, in order to avoid throwing InaccessibleObjectException in Java 9+. Represents such objects as strings instead.
Motivation
Customer reported AppSec false positive issue, when request body contains:
<error: Unable to make field private final int java.time.LocalDate.year accessible: module java.base does not "opens java.time" to unnamed module @34f15e65>and
<error: unable to make field private final int java.lang.string java.lang.enum.name accessible: module java.base does not "opes java.time" to unnamed module @34f15e65>Additionally customer emphasized, they are using Dropwizard running on Java 17.
Additional Notes
If the request body contains a complex object, AppSec converts it in java standard datatypes with strings for WAF analysis. In order data converted (into map of strings, array of string, etc.) can be properly consumed by WAF.
Decomposition of complex object is done with Java Reflection. Starting from the Java 9, there were introduced Strongly Encapsulated Internals (see: JEP-260, JEP-396, JEP-403), which made some of standard java classes inaccessible for Reflection. As the result, decomposition throws InaccessibleObjectException for classes like LocalDate or Enum when running on Java 16+.