Posted to issues@geode.apache.org by "Dan Smith (JIRA)" <ji...@apache.org> on 2018/02/23 17:45:00 UTC

[jira] [Resolved] (GEODE-2149) Queries shouldn't allow access to reflection API

     [ https://issues.apache.org/jira/browse/GEODE-2149?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Smith resolved GEODE-2149.
------------------------------
       Resolution: Duplicate
    Fix Version/s: 1.3.0

> Queries shouldn't allow access to reflection API
> ------------------------------------------------
>
>                 Key: GEODE-2149
>                 URL: https://issues.apache.org/jira/browse/GEODE-2149
>             Project: Geode
>          Issue Type: Bug
>            Reporter: Galen O'Sullivan
>            Priority: Major
>             Fix For: 1.3.0
>
>
> Currently, it is possible to run GFSH queries like:
> {code}
> query --query="select a.class from /region1 a"
> Result     : true
> startCount : 0
> endCount   : 20
> Rows       : 1
>                                                                       protectionDomain                                                                       | modifiers | interface | array | primitive |       superclass       |      componentType       |       name       | annotation | synthetic |       classLoader        |   typeParameters   |   genericSuperclass    |                             package                             |     interfaces     | genericInterfaces  |     enclosingMethod      |   enclosingConstructor   |      enclosingClass      | simpleName |     typeName     |  canonicalName   | anonymousClass | localClass | memberClass |      classes       |       fields       |      methods       |    constructors    |  declaredClasses   |   declaredFields   |  declaredMethods   | declaredConstructors | enum  |    annotations     | declaredAnnotations |                            annotatedSuperclass                             | annotatedInterfaces
> ------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------- | --------- | ----- | --------- | ---------------------- | ------------------------ | ---------------- | ---------- | --------- | ------------------------ | ------------------ | ---------------------- | --------------------------------------------------------------- | ------------------ | ------------------ | ------------------------ | ------------------------ | ------------------------ | ---------- | ---------------- | ---------------- | -------------- | ---------- | ----------- | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | -------------------- | ----- | ------------------ | ------------------- | -------------------------------------------------------------------------- | -------------------
> ProtectionDomain  null
>  null
>  <no principals>
>  java.security.Permissions@2c1fc586 (
>  ("java.security.AllPermission" "<all permissions>" "<all actions>")
> )
>  | 17        | false     | false | false     | class java.lang.Object | org.json.JSONObject.Null | java.lang.String | false      | false     | org.json.JSONObject.Null | org.json.JSONArray | class java.lang.Object | package java.lang, Java Platform API Specification, version 1.8 | org.json.JSONArray | org.json.JSONArray | org.json.JSONObject.Null | org.json.JSONObject.Null | org.json.JSONObject.Null | String     | java.lang.String | java.lang.String | false          | false      | false       | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray   | false | org.json.JSONArray | org.json.JSONArray  | sun.reflect.annotation.AnnotatedTypeFactory$AnnotatedTypeBaseImpl@7cad0747 | org.json.JSONArray
> NEXT_STEP_NAME : END
> {code}
> Methods and properties can be chained to get queries like the following, which seems to expose information about the running JVM:
> {code}
> query --query="select a.class.interfaces[0].package from /region1 a"
> Result     : true
> startCount : 0
> endCount   : 20
> Rows       : 1
>  name   |    annotations     | declaredAnnotations | sealed |       specificationTitle        | specificationVersion | specificationVendor |   implementationTitle    | implementationVersion | implementationVendor
> ------- | ------------------ | ------------------- | ------ | ------------------------------- | -------------------- | ------------------- | ------------------------ | --------------------- | --------------------
> java.io | org.json.JSONArray | org.json.JSONArray  | false  | Java Platform API Specification | 1.8                  | Oracle Corporation  | Java Runtime Environment | 1.8.0_111             | Oracle Corporation
> NEXT_STEP_NAME : END
> {code}
> I haven't found a way to make a real security hole out of this, because as far as I can tell, I can't call functions on objects I can access, and it's generally harder to travel down the reflection API than up it. However, this doesn't seem like information that anyone would really need, and it exposes internals. Potentially there could be a way for someone with read access, even for a single table, to get more information than we really want them to have.
> I think that literal properties and methods like "getX()" can be called here, though I haven't investigated thoroughly.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
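
The chaining described in the issue, reduced to a stand-alone Java sketch. This is an added example, not code from Geode or from the reporter. `AttributeResolverDemo`, `Customer` and the allowlist check are hypothetical names and an assumed mitigation, used only to show why mapping an attribute `x` to `getX()` reaches `getClass()` and how restricting getters by declaring class stops the walk.

```java
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.Set;

public class AttributeResolverDemo {
    // Hypothetical domain object standing in for a region entry.
    public static class Customer {
        private final String name;
        public Customer(String name) { this.name = name; }
        public String getName() { return name; }
    }

    static String getterFor(String attr) {
        return "get" + Character.toUpperCase(attr.charAt(0)) + attr.substring(1);
    }

    // Naive rule: attribute "x" means call getX() on whatever object we hold.
    // "class" therefore resolves to Object.getClass(), the entry to reflection.
    static Object resolveNaive(Object target, String attr) throws Exception {
        return target.getClass().getMethod(getterFor(attr)).invoke(target);
    }

    // Restricted rule (assumed mitigation): the getter must be declared by an
    // allowlisted domain class, so getters inherited from Object are refused.
    static Object resolveRestricted(Object target, String attr, Set<Class<?>> allowed)
            throws Exception {
        Method m = target.getClass().getMethod(getterFor(attr));
        if (!allowed.contains(m.getDeclaringClass())) {
            throw new SecurityException("attribute not permitted: " + attr);
        }
        return m.invoke(target);
    }

    // Walks a dotted path such as "class.superclass.name"; allowed == null means naive.
    static Object walk(Object root, String path, Set<Class<?>> allowed) throws Exception {
        Object cur = root;
        for (String attr : path.split("\\.")) {
            cur = (allowed == null) ? resolveNaive(cur, attr)
                                    : resolveRestricted(cur, attr, allowed);
        }
        return cur;
    }

    public static void main(String[] args) throws Exception {
        Customer c = new Customer("alice"); // constructed sample data
        Set<Class<?>> allowed = Collections.singleton(Customer.class);
        System.out.println("naive:      " + walk(c, "class.superclass.name", null));
        System.out.println("restricted: " + walk(c, "name", allowed));
        try {
            walk(c, "class.superclass.name", allowed);
        } catch (SecurityException e) {
            System.out.println("restricted: denied (" + e.getMessage() + ")");
        }
    }
}
```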