Issue #1797 - Safety checks for Java 9 and Multi-Release JARs during …

…bytecode scanning
jetty · Sep 7, 2017 · e3b628a · janbartel · Sep 8, 2017 · janbartel
1 parent fb86b8e
commit e3b628a
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 3 deletions.
diff --git a/jetty-annotations/src/main/java/org/eclipse/jetty/annotations/AnnotationParser.java b/jetty-annotations/src/main/java/org/eclipse/jetty/annotations/AnnotationParser.java
@@ -68,10 +68,30 @@ public class AnnotationParser
 {
     private static final Logger LOG = Log.getLogger(AnnotationParser.class);
 
+    private static final int JVM_MAJOR_VER;
+
     protected Set<String> _parsedClassNames = ConcurrentHashMap.newKeySet();
 
     protected static int ASM_OPCODE_VERSION = Opcodes.ASM5; //compatibility of api
-
+
+    static
+    {
+        // Determine JVM spec version
+        // Using guidance from http://openjdk.java.net/jeps/223
+        String jvmSpecVer = System.getProperty("java.vm.specification.version");
+
+        if (jvmSpecVer.indexOf('.') >= 0)
+        {
+            // Old spec version (Java 1.8 and older)
+            String parts[] = jvmSpecVer.split("\\.");
+            JVM_MAJOR_VER = Integer.parseInt(parts[1]);
+        }
+        else
+        {
+            // Newer spec version (Java 9+)
+            JVM_MAJOR_VER = Integer.parseInt(jvmSpecVer);
+        }
+    }
 
     /**
      * Convert internal name to simple name
@@ -1017,10 +1037,61 @@ private boolean isValidClassFilePath (String path)
         if (path == null || path.length()==0)
             return false;
 
-        //skip any classfiles that are in a hidden directory
+        if (path.startsWith("META-INF/versions/"))
+        {
+            // Handle JEP 238 - Multi-Release Jars
+            if (JVM_MAJOR_VER < 9)
+            {
+                if (LOG.isDebugEnabled())
+                {
+                    LOG.debug("JEP-238 Multi-Release JAR not supported on Java " +
+                            System.getProperty("java.version") + ": " + path);
+                }
+                return false;
+            }
+
+            // Safety check for ASM bytecode support level.
+            // When ASM 6.0 is integrated, the below will start to work.
+            if (ASM_OPCODE_VERSION <= Opcodes.ASM5)
+            {
+                // Cannot scan Java 9 classes with ASM version 5
+                if (LOG.isDebugEnabled())
+                {
+                    LOG.debug("Unable to scan newer Java bytecode (Java 9?) with ASM 5 (skipping): " + path);
+                }
+                return false;
+            }
+
+            int idxStart = "META-INF/versions/".length();
+            int idxEnd = path.indexOf('/', idxStart + 1);
+            try
+            {
+                int pathVersion = Integer.parseInt(path.substring(idxStart, idxEnd));
+                if (pathVersion < JVM_MAJOR_VER)
+                {
+                    if (LOG.isDebugEnabled())
+                    {
+                        LOG.debug("JEP-238 Multi-Release JAR version " + pathVersion +
+                                " not supported on Java " + System.getProperty("java.version") +
+                                ": " + path);
+                    }
+                    return false;
+                }
+            }
+            catch (NumberFormatException e)
+            {
+                if (LOG.isDebugEnabled())
+                {
+                    LOG.debug("Not a valid JEP-238 Multi-Release path: " + path);
+                }
+                return false;
+            }
+        }
+
+        // skip any classfiles that are in a hidden directory
         if (path.startsWith(".") || path.contains("/."))
         {
-            if (LOG.isDebugEnabled()) LOG.debug("Contains hidden dirs: {}"+path);
+            if (LOG.isDebugEnabled()) LOG.debug("Contains hidden dirs: " + path);
             return false;
         }
 

diff --git a/jetty-annotations/src/test/java/org/eclipse/jetty/annotations/TestAnnotationParser.java b/jetty-annotations/src/test/java/org/eclipse/jetty/annotations/TestAnnotationParser.java
@@ -163,6 +163,26 @@ public void testHiddenFilesInJar() throws Exception
         // only the valid classes inside bad-classes.jar should be parsed. If any invalid classes are parsed and exception would be thrown here
     }
 
+    @Test
+    public void testModuleInfoClassInJar() throws Exception
+    {
+        File badClassesJar = MavenTestingUtils.getTestResourceFile("jdk9/slf4j-api-1.8.0-alpha2.jar");
+        AnnotationParser parser = new AnnotationParser();
+        Set<Handler> emptySet = Collections.emptySet();
+        parser.parse(emptySet, badClassesJar.toURI());
+        // Should throw no exceptions, and happily skip the module-info.class files
+    }
+
+    @Test
+    public void testJep238MultiReleaseInJar() throws Exception
+    {
+        File badClassesJar = MavenTestingUtils.getTestResourceFile("jdk9/log4j-api-2.9.0.jar");
+        AnnotationParser parser = new AnnotationParser();
+        Set<Handler> emptySet = Collections.emptySet();
+        parser.parse(emptySet, badClassesJar.toURI());
+        // Should throw no exceptions, and skip the META-INF/versions/9/* files
+    }
+
     @Test
     public void testBasedirExclusion() throws Exception
     {

diff --git a/jetty-annotations/src/test/resources/jdk9/log4j-api-2.9.0.jar b/jetty-annotations/src/test/resources/jdk9/log4j-api-2.9.0.jar
diff --git a/jetty-annotations/src/test/resources/jdk9/slf4j-api-1.8.0-alpha2.jar b/jetty-annotations/src/test/resources/jdk9/slf4j-api-1.8.0-alpha2.jar