[ https://issues.apache.org/jira/browse/ARTEMIS-4763?focusedWorklogId=918290&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918290 ]
ASF GitHub Bot logged work on ARTEMIS-4763:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 08/May/24 10:25
Start Date: 08/May/24 10:25
Worklog Time Spent: 10m
Work Description: gtully commented on PR #4924:
URL:
https://github.com/apache/activemq-artemis/pull/4924#issuecomment-2100259018
I don't know that it helps, the values in question come from configuration.
We have no choice but to trust configuration, i.e., the file system, where our
sources live. These are existing extension points, where the config provides the
implementation. Any malicious intervention will implement any required
interface if that is enforced. Any allow list gate will have to be configured
in some way, probably on the file system.
For an existing gadget to be exploited via this mechanism, the config has to
be compromised, which is the file system; on that same file system can be any
jar etc... so anything we do can be compromised unless we go down the route of
signed jars etc. Even then, if the file system is compromised....
In short, I am not convinced of an interface check being of any great value
when the threat is from file system compromise.
Having said that, if there is value in the additional check, and I guess the
value is that it makes it a little harder (if that makes any difference), it
would need to be done before every newInstance of this sort to be effective.
The xml parser does the same thing for one, in support of the same use case.
Again, it is trusting config.
Issue Time Tracking
-------------------
Worklog Id: (was: 918290)
Time Spent: 50m (was: 40m)
> properties config - support metrics plugin, conversion of .class for non
> string attributes and empty init
> ----------------------------------------------------------------------------------------------------------
>
> Key: ARTEMIS-4763
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4763
> Project: ActiveMQ Artemis
> Issue Type: New Feature
> Components: Configuration
> Affects Versions: 2.33.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Time Spent: 50m
> Remaining Estimate: 0h
>
> The metrics plugin is not a broker plugin, so cannot be initialised via the
> broker plugins collection. We can only add .class instances to collections.
> The metrics instance is an attribute that needs a class type argument on the
> metrics configuration.
> Supporting a conversion to any non-string scalar type using a .class value
> will work nicely.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)