[IGNITE-13300] Ignite sandbox vulnerability allows to execute user code in privileged proxy - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.9
Fix Version/s: 2.9
Component/s: security
Labels:
- iep-38
- sandbox

Description

Ignite sandbox returns a privileged proxy for Ignite and some other system interfaces. If the user implements one of these interfaces and gets via privileged proxy an instance of implemented class, privileged proxy for user class will be returned.
Reproducer:

public class PrivilegedProxyTest extends AbstractSandboxTest {
    public void testPrivelegedUserObject() throws Exception {
        grid(CLNT_FORBIDDEN_WRITE_PROP).getOrCreateCache(DEFAULT_CACHE_NAME).put(0, new TestIterator<>());

        runForbiddenOperation(() -> grid(CLNT_FORBIDDEN_WRITE_PROP).compute().run(() -> {
            GridIterator<?> it = (GridIterator<?>)Ignition.localIgnite().cache(DEFAULT_CACHE_NAME).get(0);

            it.iterator();
        }), AccessControlException.class);
    }

    public static class TestIterator<T> extends GridIterableAdapter<T> {
        public TestIterator() {
            super(Collections.emptyIterator());
        }

        @Override public GridIterator<T> iterator() {
            controlAction();

            return super.iterator();
        }
    }
}

Attachments

Issue Links

links to

GitHub Pull Request #8084

Activity

People

Assignee:: Aleksey Plekhanov

Reporter:: Aleksey Plekhanov

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 27/Jul/20 10:10

Updated:: 29/Jul/20 07:59

Resolved:: 28/Jul/20 06:28

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m