error-prone: implement BanClassLoader with forbidden-apis instead #14811
Conversation
This rule is attempting to ban dangerous usages of ClassLoader which could be security hazard (IMO a good idea). forbidden APIs is a good tool for banning, just like we use forbidden-apis to ban JNDI and other things.
github-project-automation
bot
moved this to Open
in OpenSearch Lucene & Core Performance Tracking
|
This PR does not have an entry in lucene/CHANGES.txt. Consider adding one. If the PR doesn't need a changelog entry, then add the skip-changelog label to it and you will stop receiving this reminder on future updates to the PR. |
| jdk.internal.misc.Unsafe#defineClass(**) | ||
| jdk.internal.access.JavaLangAccess#defineClass(**) | ||
| # forbidden complains it can't find this enclosed class | ||
| # java.lang.invoke.MethodHandles.Lookup#defineClass(**) |
There was a problem hiding this comment.
@uschindler if you have any ideas, i'd love to fix this. This is just using the same banned list that error-prone uses, except as forbidden signatures.
There was a problem hiding this comment.
Needs to be MethodHandles$Lookup, this is how the real class name looks like.
There was a problem hiding this comment.
In reality most of the signatures here are automatically enabled by default (in a more dynamic way).
jdk.internal.*is forbidden by default by disallowing all calls to non "public access" modules. See the "jdk-non-portable" bundled signatures: https://github.com/policeman-tools/forbidden-apis/wiki/BundledSignaturessun.misc.Unsafeis also forbidden by default (same as before: https://github.com/policeman-tools/forbidden-apis/wiki/BundledSignatures). Adding it here brings more problems than it solves. Becausesun.misc.Unsafeget removed around Java 25 (and especailly that method mentioned here), this will cause issues in later Java versions.
Because of that all "internal" and "sun.misc" stuff should be removed here. The other ones are fine, java.lang.invoke.MethodHandles.Lookup#defineClass(**) needs to be java.lang.invoke.MethodHandles$Lookup#defineClass(**)
There was a problem hiding this comment.
thanks for the explanation, I figured there was a way to catch it, the $ is what I was missing, too rusty with java :)
I will remove some of the redundancies, too.
There was a problem hiding this comment.
All fine. I think thats documented somewhere. But basically the signatures files need the "binary name" of all classes.
I will add the wiki page to explicitely give an example (in addition to java.lang.String).
|
This PR does not have an entry in lucene/CHANGES.txt. Consider adding one. If the PR doesn't need a changelog entry, then add the skip-changelog label to it and you will stop receiving this reminder on future updates to the PR. |
|
Source of the check: https://github.com/google/error-prone/blob/master/core/src/main/java/com/google/errorprone/bugpatterns/BanClassLoader.java It also checks for explicit Also maybe some of these don't need to be banned because they are impossible due to java module system? I think google is still on java 8 :) |
| jdk.internal.misc.Unsafe#defineClass(**) | ||
| jdk.internal.access.JavaLangAccess#defineClass(**) | ||
| # forbidden complains it can't find this enclosed class | ||
| # java.lang.invoke.MethodHandles.Lookup#defineClass(**) |
There was a problem hiding this comment.
In reality most of the signatures here are automatically enabled by default (in a more dynamic way).
jdk.internal.*is forbidden by default by disallowing all calls to non "public access" modules. See the "jdk-non-portable" bundled signatures: https://github.com/policeman-tools/forbidden-apis/wiki/BundledSignaturessun.misc.Unsafeis also forbidden by default (same as before: https://github.com/policeman-tools/forbidden-apis/wiki/BundledSignatures). Adding it here brings more problems than it solves. Becausesun.misc.Unsafeget removed around Java 25 (and especailly that method mentioned here), this will cause issues in later Java versions.
Because of that all "internal" and "sun.misc" stuff should be removed here. The other ones are fine, java.lang.invoke.MethodHandles.Lookup#defineClass(**) needs to be java.lang.invoke.MethodHandles$Lookup#defineClass(**)
Exactly, see above. Most of the signatures here can be removed. jdk.internal is unreachable unless you pass open-modules parameters to jvaca or jdk. Nevertheless to SUpport Java 8, the forbiddenapis has a dynamic About subclassing: A constructor is like a static methos. To forbid a constructur you need to give exact class names and ctors, there's no inheritance. |
|
In addition the list on errorprone is incomplete. Since Java 16 there's Actually the BanClassLoader error-prone check is a mess and outdated.
|
|
Final note abozut subclasses: You need to add all ctors of sublasses of Classloader which reside in JDK. Now you might argue that one could define a subclass in user code (extending URLClassLoader) to circumvent the check. But this is differeent because when you declare that "user defined" classloader you have to add a ctor which calls super -> then it detect calling the call to superclass' ctor which was forbidden. |
Remove internals which are already banned Fix syntax for MethodHandles$Lookup Simplify RMI server (we can ban the class outright)
|
This PR does not have an entry in lucene/CHANGES.txt. Consider adding one. If the PR doesn't need a changelog entry, then add the skip-changelog label to it and you will stop receiving this reminder on future updates to the PR. |
|
This PR does not have an entry in lucene/CHANGES.txt. Consider adding one. If the PR doesn't need a changelog entry, then add the skip-changelog label to it and you will stop receiving this reminder on future updates to the PR. |
|
With help of @uschindler, this check is a bit different than how the error-prone rules implement it, but more thorough. The stated goal of the error-prone check is to prevent turning input into code, but it did not really work for us: it only introduced a false positive in Luke but did not find any issue with expressions! So these rules instead target methods that define new code. |
github-project-automation
bot
moved this from Open
to Merged
in OpenSearch Lucene & Core Performance Tracking
|
Thanks Robert! As always: nice discussions. I will improve the signatures file documentation to give a hint how the inner class binary names look like (give an example). |
This rule is attempting to ban dangerous usages of ClassLoader which could be security hazard (IMO a good idea). forbidden APIs is a good tool for banning, just like we use forbidden-apis to ban JNDI and other things.