William Price created JEXL-446:
----------------------------------
Summary: ClassTool module inspection is too strict
Key: JEXL-446
URL: https://issues.apache.org/jira/browse/JEXL-446
Project: Commons JEXL
Issue Type: Bug
Affects Versions: 3.5.0
Reporter: William Price
[ClassTool#isExported|https://github.com/apache/commons-jexl/blob/master/src/main/java/org/apache/commons/jexl3/internal/introspection/ClassTool.java#L125]
calls [Module#isExported(String
packageName)|https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/lang/Module.html#isExported(java.lang.String)]
via a MethodHandle. However, that method checks if the target package is
exported *unconditionally* (to all modules) which is too restrictive.
In my modularized application, I can use a *qualified export* and have more
granular control following the principle of least privilege:
{code:java}
module my.module {
exports my.module.package to org.apache.commons.jexl3;
}{code}
Because `my.module.package` is not unqualified, it is not exported
unconditionally and Module#isExported("my.module.package") returns false,
preventing Jexl from accessing classes in that package.
ClassTool should instead check that the package is exported to *at least*
Jexl's own module using [Module#isExported(String packageName, Module
module)|https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/lang/Module.html#isExported(java.lang.String,java.lang.Module)]
as this tests whether Jexl is allowed to reflect over public API and no more.
As a workaround the package can be exported unconditionally, but this may not
be desirable as it impacts encapsulation and security in other parts of the
larger program:
{code:java}
module my.module {
exports my.module.package;
} {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
