Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Duplicate
Description
Currently, it is possible to run GFSH queries like:
query --query="select a.class from /region1 a"
Result     : true
startCount : 0
endCount   : 20
Rows       : 1

The single row has 38 columns; shown here as column : value.

protectionDomain     : ProtectionDomain null null <no principals> java.security.Permissions@2c1fc586 ( ("java.security.AllPermission" "<all permissions>" "<all actions>") )
modifiers            : 17
interface            : false
array                : false
primitive            : false
superclass           : class java.lang.Object
componentType        : org.json.JSONObject.Null
name                 : java.lang.String
annotation           : false
synthetic            : false
classLoader          : org.json.JSONObject.Null
typeParameters       : org.json.JSONArray
genericSuperclass    : class java.lang.Object
package              : package java.lang, Java Platform API Specification, version 1.8
interfaces           : org.json.JSONArray
genericInterfaces    : org.json.JSONArray
enclosingMethod      : org.json.JSONObject.Null
enclosingConstructor : org.json.JSONObject.Null
enclosingClass       : org.json.JSONObject.Null
simpleName           : String
typeName             : java.lang.String
canonicalName        : java.lang.String
anonymousClass       : false
localClass           : false
memberClass          : false
classes              : org.json.JSONArray
fields               : org.json.JSONArray
methods              : org.json.JSONArray
constructors         : org.json.JSONArray
declaredClasses      : org.json.JSONArray
declaredFields       : org.json.JSONArray
declaredMethods      : org.json.JSONArray
declaredConstructors : org.json.JSONArray
enum                 : false
annotations          : org.json.JSONArray
declaredAnnotations  : org.json.JSONArray
annotatedSuperclass  : sun.reflect.annotation.AnnotatedTypeFactory$AnnotatedTypeBaseImpl@7cad0747
annotatedInterfaces  : org.json.JSONArray

NEXT_STEP_NAME : END
Methods and properties can be chained to get queries like the following, which seems to expose information about the running JVM:
query --query="select a.class.interfaces[0].package from /region1 a"
Result     : true
startCount : 0
endCount   : 20
Rows       : 1

The single row has 10 columns; shown here as column : value.

name                  : java.io
annotations           : org.json.JSONArray
declaredAnnotations   : org.json.JSONArray
sealed                : false
specificationTitle    : Java Platform API Specification
specificationVersion  : 1.8
specificationVendor   : Oracle Corporation
implementationTitle   : Java Runtime Environment
implementationVersion : 1.8.0_111
implementationVendor  : Oracle Corporation

NEXT_STEP_NAME : END
I haven't found a way to make a real security hole out of this, because as far as I can tell, I can't call functions on objects I can access, and it's generally harder to travel down the reflection API than up it. However, this doesn't seem like information that anyone would really need, and it exposes internals. Potentially there could be a way for someone with read access, even for a single table, to get more information than we really want them to have.
I think that literal properties and methods like "getX()" can be called here, though I haven't investigated thoroughly.
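The following Java program is an added illustration, not part of this report and not Geode's own code. It emulates the kind of bean-style attribute-chain resolution the queries above rely on (`a.class` resolving to `getClass()`, `.interfaces[0]` to `getInterfaces()[0]`, `.package` to `getPackage()`), walks the report's second chain over a plain String, and then shows a guard that refuses to step onto reflective types. The getX()/isX()/literal-method lookup order, the `AttributePathDemo` class and the deny-list of reflective types are assumptions made for the demo; they are not Geode's actual OQL rules.

```java
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Array;
import java.lang.reflect.Method;
import java.security.ProtectionDomain;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not Geode code: emulates bean-style attribute-chain
// resolution ("class.interfaces[0].package") and a guard that refuses to
// step onto reflective types.
public class AttributePathDemo {

    // Types whose public getters lead into the JVM's class/security model.
    // This deny-list is an assumption for the demo, not Geode's policy.
    private static final List<Class<?>> REFLECTIVE_TYPES = Arrays.asList(
        Class.class, ClassLoader.class, Package.class,
        ProtectionDomain.class, AccessibleObject.class);

    // One path step: an identifier with an optional numeric index, e.g. "interfaces[0]".
    private static final Pattern STEP =
        Pattern.compile("([A-Za-z_][A-Za-z0-9_]*)(?:\\[(\\d+)\\])?");

    /** Resolves one attribute: getX(), then isX(), then the literal no-arg method x(). */
    static Object attribute(Object target, String name) throws Exception {
        String cap = Character.toUpperCase(name.charAt(0)) + name.substring(1);
        for (String candidate : new String[] {"get" + cap, "is" + cap, name}) {
            try {
                Method m = target.getClass().getMethod(candidate);
                return m.invoke(target);
            } catch (NoSuchMethodException ignored) {
                // fall through to the next naming convention
            }
        }
        throw new NoSuchMethodException(name + " on " + target.getClass().getName());
    }

    /** Applies an [i] index to an array or a List. */
    static Object index(Object value, int i) {
        if (value instanceof List) {
            return ((List<?>) value).get(i);
        }
        return Array.get(value, i);
    }

    /** True if the value is an instance of any deny-listed reflective type. */
    static boolean isReflective(Object value) {
        for (Class<?> t : REFLECTIVE_TYPES) {
            if (t.isInstance(value)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Walks a dotted path from root. With guard=false it goes wherever the
     * getters lead; with guard=true it throws as soon as a step lands on a
     * reflective object, so "class" is rejected before anything beneath it
     * (interfaces, package, classLoader, protectionDomain) becomes reachable.
     */
    static Object resolve(Object root, String path, boolean guard) throws Exception {
        Object cur = root;
        for (String step : path.split("\\.")) {
            Matcher m = STEP.matcher(step);
            if (!m.matches()) {
                throw new IllegalArgumentException("bad step: " + step);
            }
            cur = attribute(cur, m.group(1));
            if (cur != null && m.group(2) != null) {
                cur = index(cur, Integer.parseInt(m.group(2)));
            }
            if (cur == null) {
                return null;
            }
            if (guard && isReflective(cur)) {
                throw new SecurityException("path '" + path + "' reaches "
                    + cur.getClass().getName() + " at step '" + step + "'");
            }
        }
        return cur;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample standing in for one String entry of /region1.
        String value = "hello";

        // Unguarded: the same chain as the report's second query. On Java 8 this
        // reads the JRE version string; on newer modular JDKs it may be null.
        System.out.println(resolve(value, "class.interfaces[0].package.implementationVersion", false));

        // Ordinary data access still works under the guard: String.length() is a
        // literal no-arg method, getBytes()[0] is a getter plus an index.
        System.out.println(resolve(value, "length", true));
        System.out.println(resolve(value, "bytes[0]", true));

        // The guard stops the chain at the first reflective object ("class" -> java.lang.Class).
        try {
            resolve(value, "class.interfaces[0].package.implementationVersion", true);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the guarded variant is that the check runs per step on the resolved object's runtime type, not on the attribute name: a chain cannot reach `classLoader` or `protectionDomain` without first landing on a `java.lang.Class`, which is where it is cut off.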
Issue Links
duplicates: GEODE-3247 Improve OQL expression execution (Closed)