GEODE-2149 (Geode)

Queries shouldn't allow access to reflection API


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • None
    • 1.3.0
    • None
    • None

    Description

      Currently, it is possible to run GFSH queries like:

      query --query="select a.class from /region1 a"
      
      Result     : true
      startCount : 0
      endCount   : 20
      Rows       : 1
      
                                                                            protectionDomain                                                                       | modifiers | interface | array | primitive |       superclass       |      componentType       |       name       | annotation | synthetic |       classLoader        |   typeParameters   |   genericSuperclass    |                             package                             |     interfaces     | genericInterfaces  |     enclosingMethod      |   enclosingConstructor   |      enclosingClass      | simpleName |     typeName     |  canonicalName   | anonymousClass | localClass | memberClass |      classes       |       fields       |      methods       |    constructors    |  declaredClasses   |   declaredFields   |  declaredMethods   | declaredConstructors | enum  |    annotations     | declaredAnnotations |                            annotatedSuperclass                             | annotatedInterfaces
      ------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------- | --------- | ----- | --------- | ---------------------- | ------------------------ | ---------------- | ---------- | --------- | ------------------------ | ------------------ | ---------------------- | --------------------------------------------------------------- | ------------------ | ------------------ | ------------------------ | ------------------------ | ------------------------ | ---------- | ---------------- | ---------------- | -------------- | ---------- | ----------- | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | -------------------- | ----- | ------------------ | ------------------- | -------------------------------------------------------------------------- | -------------------
      ProtectionDomain  null
       null
       <no principals>
       java.security.Permissions@2c1fc586 (
       ("java.security.AllPermission" "<all permissions>" "<all actions>")
      )
      
       | 17        | false     | false | false     | class java.lang.Object | org.json.JSONObject.Null | java.lang.String | false      | false     | org.json.JSONObject.Null | org.json.JSONArray | class java.lang.Object | package java.lang, Java Platform API Specification, version 1.8 | org.json.JSONArray | org.json.JSONArray | org.json.JSONObject.Null | org.json.JSONObject.Null | org.json.JSONObject.Null | String     | java.lang.String | java.lang.String | false          | false      | false       | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray   | false | org.json.JSONArray | org.json.JSONArray  | sun.reflect.annotation.AnnotatedTypeFactory$AnnotatedTypeBaseImpl@7cad0747 | org.json.JSONArray
      
      NEXT_STEP_NAME : END
      

      Methods and properties can be chained to get queries like the following, which seems to expose information about the running JVM:

      query --query="select a.class.interfaces[0].package from /region1 a"
      
      Result     : true
      startCount : 0
      endCount   : 20
      Rows       : 1
      
       name   |    annotations     | declaredAnnotations | sealed |       specificationTitle        | specificationVersion | specificationVendor |   implementationTitle    | implementationVersion | implementationVendor
      ------- | ------------------ | ------------------- | ------ | ------------------------------- | -------------------- | ------------------- | ------------------------ | --------------------- | --------------------
      java.io | org.json.JSONArray | org.json.JSONArray  | false  | Java Platform API Specification | 1.8                  | Oracle Corporation  | Java Runtime Environment | 1.8.0_111             | Oracle Corporation
      
      NEXT_STEP_NAME : END
      

      I haven't found a way to make a real security hole out of this, because as far as I can tell, I can't call functions on objects I can access, and it's generally harder to travel down the reflection API than up it. However, this doesn't seem like information that anyone would really need, and it exposes internals. Potentially there could be a way for someone with read access, even for a single table, to get more information than we really want them to have.

      I think that literal properties and methods like "getX()" can be called here, though I haven't investigated thoroughly.

            People

              Unassigned Unassigned
              gosullivan Galen O'Sullivan
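
The chaining reported above can be reproduced in miniature, assuming (as the reporter suspects) that an attribute name is resolved to a public `getX()` getter, so that `class` reaches `getClass()` on every stored object. This is an added example, not Geode code and not part of the original issue; `SafeAttributeResolver`, `Customer` and the `permitted` policy are hypothetical names. It shows the same resolver with and without a check that refuses any step into the reflection graph.

```java
import java.lang.reflect.Method;
public class SafeAttributeResolver {
    public static class Customer {
        private final String name;
        public Customer(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Bean-style lookup: attribute "x" maps to the public no-arg getter getX(). */
    static Method getter(Object target, String attr) throws NoSuchMethodException {
        String name = "get" + Character.toUpperCase(attr.charAt(0)) + attr.substring(1);
        return target.getClass().getMethod(name);
    }

    /** Hypothetical policy: refuse any step that enters or walks the reflection graph. */
    static boolean permitted(Object target, Method m) {
        if (m.getName().equals("getClass")) return false;   // the "a.class" pivot
        if (target instanceof Class || target instanceof ClassLoader
                || target instanceof Package) return false; // already inside the graph
        String declaring = m.getDeclaringClass().getName();
        return !declaring.startsWith("java.lang.reflect.")
                && !declaring.startsWith("java.security.");
    }

    /** Resolves a dotted path such as "class.superclass.name", one getter per step. */
    static Object resolve(Object root, String path, boolean enforce) throws Exception {
        Object current = root;
        for (String attr : path.split("\\.")) {
            Method m = getter(current, attr);
            if (enforce && !permitted(current, m)) {
                throw new SecurityException("attribute '" + attr + "' not permitted on "
                        + current.getClass().getName());
            }
            current = m.invoke(current);
        }
        return current;
    }

    public static void main(String[] args) throws Exception {
        Customer c = new Customer("alice");  // constructed sample data
        System.out.println(resolve(c, "class.superclass.name", false)); // unrestricted
        System.out.println(resolve(c, "name", true));                   // still allowed
        try {
            resolve(c, "class.superclass.name", true);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The `instanceof` checks matter even with `getClass` denied, because a domain object may return a `Class` or `ClassLoader` from one of its own getters.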