Posted to issues@geode.apache.org by "Galen O'Sullivan (JIRA)" <ji...@apache.org> on 2016/11/29 19:36:58 UTC

[jira] [Created] (GEODE-2149) Queries shouldn't allow access to reflection API

Galen O'Sullivan created GEODE-2149:
---------------------------------------

             Summary: Queries shouldn't allow access to reflection API
                 Key: GEODE-2149
                 URL: https://issues.apache.org/jira/browse/GEODE-2149
             Project: Geode
          Issue Type: Bug
            Reporter: Galen O'Sullivan


Currently, it is possible to run GFSH queries like:

{code}
query --query="select a.class from /region1 a"

Result     : true
startCount : 0
endCount   : 20
Rows       : 1

                                                                      protectionDomain                                                                       | modifiers | interface | array | primitive |       superclass       |      componentType       |       name       | annotation | synthetic |       classLoader        |   typeParameters   |   genericSuperclass    |                             package                             |     interfaces     | genericInterfaces  |     enclosingMethod      |   enclosingConstructor   |      enclosingClass      | simpleName |     typeName     |  canonicalName   | anonymousClass | localClass | memberClass |      classes       |       fields       |      methods       |    constructors    |  declaredClasses   |   declaredFields   |  declaredMethods   | declaredConstructors | enum  |    annotations     | declaredAnnotations |                            annotatedSuperclass                             | annotatedInterfaces
------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------- | --------- | ----- | --------- | ---------------------- | ------------------------ | ---------------- | ---------- | --------- | ------------------------ | ------------------ | ---------------------- | --------------------------------------------------------------- | ------------------ | ------------------ | ------------------------ | ------------------------ | ------------------------ | ---------- | ---------------- | ---------------- | -------------- | ---------- | ----------- | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | -------------------- | ----- | ------------------ | ------------------- | -------------------------------------------------------------------------- | -------------------
ProtectionDomain  null
 null
 <no principals>
 java.security.Permissions@2c1fc586 (
 ("java.security.AllPermission" "<all permissions>" "<all actions>")
)

 | 17        | false     | false | false     | class java.lang.Object | org.json.JSONObject.Null | java.lang.String | false      | false     | org.json.JSONObject.Null | org.json.JSONArray | class java.lang.Object | package java.lang, Java Platform API Specification, version 1.8 | org.json.JSONArray | org.json.JSONArray | org.json.JSONObject.Null | org.json.JSONObject.Null | org.json.JSONObject.Null | String     | java.lang.String | java.lang.String | false          | false      | false       | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray   | false | org.json.JSONArray | org.json.JSONArray  | sun.reflect.annotation.AnnotatedTypeFactory$AnnotatedTypeBaseImpl@7cad0747 | org.json.JSONArray

NEXT_STEP_NAME : END
{code}

Methods and properties can be chained to get queries like the following, which seems to expose information about the running JVM:
{code}
query --query="select a.class.interfaces[0].package from /region1 a"

Result     : true
startCount : 0
endCount   : 20
Rows       : 1

 name   |    annotations     | declaredAnnotations | sealed |       specificationTitle        | specificationVersion | specificationVendor |   implementationTitle    | implementationVersion | implementationVendor
------- | ------------------ | ------------------- | ------ | ------------------------------- | -------------------- | ------------------- | ------------------------ | --------------------- | --------------------
java.io | org.json.JSONArray | org.json.JSONArray  | false  | Java Platform API Specification | 1.8                  | Oracle Corporation  | Java Runtime Environment | 1.8.0_111             | Oracle Corporation

NEXT_STEP_NAME : END
{code}

I haven't found a way to make a real security hole out of this, because as far as I can tell, I can't call functions on objects I can access, and it's generally harder to travel down the reflection API than up it. However, this doesn't seem like information that anyone would really need, and it exposes internals. Potentially there could be a way for someone with read access, even for a single table, to get more information than we really want them to have.

I think that literal properties and methods like "getX()" can be called here, though I haven't investigated thoroughly.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
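An added example, not Geode's own code: a pre-execution check in Python over GFSH/OQL query text that contrasts a denylist catching the reflection paths shown in this report (`a.class`, `a.class.interfaces[0].package`) with the stronger allowlist-plus-depth control a practitioner would deploy in front of the query engine. The names `REFLECTION_ENTRY_POINTS`, `find_reflection_access` and `validate_query` are this example's own assumptions, and the allowed attribute set stands in for the region value type's real fields.

```python
import re

# Attribute/getter names whose result is a java.lang.Class, ClassLoader,
# ProtectionDomain or Package; once a path reaches one of these, every
# further hop is inside the JVM reflection API (assumed list, not Geode's).
REFLECTION_ENTRY_POINTS = {
    "class", "getClass", "classLoader", "getClassLoader",
    "protectionDomain", "getProtectionDomain", "package", "getPackage",
}

# One hop: identifier, optional "()" call, optional "[n]" index.
_HOP = r"[A-Za-z_]\w*(?:\(\))?(?:\[\d+\])?"
# A dotted path is a variable followed by at least one hop, e.g. a.class.interfaces[0].package
PATH_RE = re.compile(rf"\b{_HOP}(?:\.{_HOP})+")


def path_segments(path):
    """'a.class.interfaces[0].package' -> ['a', 'class', 'interfaces', 'package']"""
    return [re.sub(r"\(\)|\[\d+\]", "", hop) for hop in path.split(".")]


def find_reflection_access(query):
    """Denylist check: return the first path that steps into the reflection API, else None."""
    for m in PATH_RE.finditer(query):
        hops = path_segments(m.group(0))[1:]  # drop the iterator variable itself
        if any(hop in REFLECTION_ENTRY_POINTS for hop in hops):
            return m.group(0)
    return None


def validate_query(query, allowed_attributes, max_depth=1):
    """Allowlist check: every path may only name an allowed attribute of the
    region value type and may not traverse deeper than max_depth hops, so a
    chained walk such as a.class.interfaces[0].package is rejected even if a
    reflective getter is missing from the denylist. Returns (path, reason)
    violations; an empty list means the query passes."""
    violations = []
    for m in PATH_RE.finditer(query):
        path = m.group(0)
        hops = path_segments(path)[1:]
        if len(hops) > max_depth:
            violations.append((path, f"traversal depth {len(hops)} exceeds {max_depth}"))
        elif hops[0] not in allowed_attributes:
            violations.append((path, f"attribute '{hops[0]}' is not an allowed field"))
    return violations
```

This inspects query text only, so it is a guardrail in front of the engine and does not replace enforcing the same restriction inside attribute resolution, where aliases and subqueries are already parsed.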