Uploaded image for project: 'Velocity'
  1. Velocity
  2. VELOCITY-931

SecureUberspector should block methods on ClassLoader and subclasses

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3
    • Component/s: None
    • Labels:
      None

      Description

      Currently, SecureUberspector matches classes stored with property "introspector.restrict.classes", which includes ClassLoader.   It then matches exact class names and blocks all methods from being called on that class.

      However, in most cases it's actually a subclass of ClassLoader that's available in the context, which under normal circumstances would not be blocked.

      My proposal – treat this as a special case.  (Remove it from the configuration).  If the class being inspected is assignable from ClassLoader, then block it.   

      You could make an argument that all the SecureUberspector should check if the class isAssignable from all configured classes, but I am concerned about possible performance penalties.  I'd argue that we should hard code checks for a few special internal classes but force the user to configure other specific classes themselves.

       

        Attachments

        Issue Links

          Activity

            People

            • Assignee:
              wglass William Glass-Husain
              Reporter:
              wglass William Glass-Husain

              Dates

              • Created:
                Updated:
                Resolved:

                Issue deployment