You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2022/08/20 21:40:54 UTC

[GitHub] [nifi] ottobackwards commented on a diff in pull request #6317: NIFI-10375: If a class is not allowed in the AllowListClassLoader by …

ottobackwards commented on code in PR #6317:
URL: https://github.com/apache/nifi/pull/6317#discussion_r950746081


##########
nifi-stateless/nifi-stateless-bootstrap/src/main/java/org/apache/nifi/stateless/bootstrap/AllowListClassLoader.java:
##########
@@ -37,36 +43,92 @@
  * </p>
  */
 public class AllowListClassLoader extends ClassLoader {
-    private final Set<String> allowed;
+    private static final Logger logger = LoggerFactory.getLogger(AllowListClassLoader.class);
+
+    private final Set<String> allowedClassNames;
+    private final List<String> allowedModulePrefixes = Arrays.asList("java.", "jdk.");
 
     public AllowListClassLoader(final ClassLoader parent, final Set<String> allowed) {
         super(parent);
-        this.allowed = allowed;
+        this.allowedClassNames = allowed;
     }
 
     /**
      * @return the set of all Class names that will not be blocked from loading by the parent
      */
     public Set<String> getClassesAllowed() {
-        return Collections.unmodifiableSet(allowed);
+        return Collections.unmodifiableSet(allowedClassNames);
     }
 
     @Override
     protected Class<?> loadClass(final String name, final boolean resolve) throws ClassNotFoundException {
-        if (allowed.contains(name)) {
+        if (allowedClassNames.contains(name)) {
             return super.loadClass(name, resolve);
         }
 
+        final Class<?> found = super.loadClass(name, false);
+        if (found != null) {
+            final boolean allowed = isClassAllowed(name, found);
+            if (allowed) {
+                if (resolve) {
+                    super.resolveClass(found);
+                }
+
+                return found;
+            }
+        }
+
         throw new ClassNotFoundException(name + " was blocked by AllowListClassLoader");
     }
 
     @Override
     protected Class<?> findClass(final String name) throws ClassNotFoundException {
-        if (allowed.contains(name)) {
-            return super.findClass(name);
+        final Class<?> found = super.findClass(name);
+        if (isClassAllowed(name, found)) {
+            return found;
         }
 
         throw new ClassNotFoundException(name + " was blocked by AllowListClassLoader");
     }
 
+    private boolean isClassAllowed(final String name, final Class<?> clazz) {
+        // If the name of the class is in the allowed class names, allow it.
+        if (allowedClassNames.contains(name)) {
+            return true;
+        }
+
+        // If the class has a module whose name is allowed, allow it.
+        // The module is obtained by calling Class.getModule(). However, that method is only available in Java 9.
+        // Since this codebase must be Java 8 compatible we can't make that method call. So we use Reflection to determine
+        // if the getModule method exists (which it will for Java 9+ but not Java 1.8), and if so get the name of the module.
+        try {

Review Comment:
   I think, by the comments you want to check it getModule == null?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org