Disallow calling getMBeansFromURL

apache · Jun 3, 2020 · 3e4c4be · 3e4c4be
1 parent 9440ca6
commit 3e4c4be
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
@@ -106,7 +106,7 @@ public Object invoke(Object proxy, Method method, Object[] args) throws Throwabl
         } else if ("setAttributes".equals(method.getName())) {
             handleSetAttributes(mbs, objectName, (AttributeList) args[1]);
         } else if ("invoke".equals(method.getName())) {
-            handleInvoke(objectName, (String) args[1], (Object[]) args[2], (String[]) args[3]);
+            handleInvoke(mbs, objectName, (String) args[1], (Object[]) args[2], (String[]) args[3]);
         }
 
         return null;
@@ -345,11 +345,20 @@ private boolean canBypassRBAC(BulkRequestContext context, ObjectName objectName,
         return false;
     }
 
-    void handleInvoke(ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
-        handleInvoke(null, objectName, operationName, params, signature);
+    void handleInvoke(MBeanServer mbs, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException, InstanceNotFoundException {
+        handleInvoke(mbs, null, objectName, operationName, params, signature);
     }
 
-    void handleInvoke(BulkRequestContext context, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
+    void handleInvoke(MBeanServer mbs, BulkRequestContext context, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException, InstanceNotFoundException {
+        if (mbs != null && mbs.isInstanceOf(objectName, "javax.management.loading.MLet")
+            && ("addUrl".equals(operationName) || "getMBeansFromURL".equals(operationName))) {
+            SecurityException se = new SecurityException(operationName + " is not allowed to be invoked");
+            if (logger != null) {
+                logger.log(INVOKE, INVOKE_SIG, null, se, objectName, operationName, signature, params);
+            }
+            throw se;
+        }
+
         if (context == null) {
             context = BulkRequestContext.newContext(configAdmin);
         }