[jira] [Resolved] (JEXL-446) ClassTool module inspection is too strict

Wed, 24 Sep 2025 07:55:16 -0700 


     [ 
https://issues.apache.org/jira/browse/JEXL-446?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Henri Biestro resolved JEXL-446.
--------------------------------
    Resolution: Fixed

Diagnostic and #PR are accurate and efficient; thanks again [~wrprice]

> ClassTool module inspection is too strict
> -----------------------------------------
>
>                 Key: JEXL-446
>                 URL: https://issues.apache.org/jira/browse/JEXL-446
>             Project: Commons JEXL
>          Issue Type: Bug
>    Affects Versions: 3.5.0
>            Reporter: William Price
>            Assignee: Henri Biestro
>            Priority: Major
>             Fix For: 3.6.0
>
>
> [ClassTool#isExported|https://github.com/apache/commons-jexl/blob/master/src/main/java/org/apache/commons/jexl3/internal/introspection/ClassTool.java#L125]
>  calls [Module#isExported(String 
> packageName)|https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/lang/Module.html#isExported(java.lang.String)]
>  via a MethodHandle.  However, that method checks if the target package is 
> exported *unconditionally* (to all modules) which is too restrictive.
> In my modularized application, I can use a *qualified export* and have more 
> granular control following the principle of least privilege:
>  
> {code:java}
> module my.module {
>   exports my.module.package to org.apache.commons.jexl3;
> }{code}
> Because `my.module.package` is not unqualified, it is not exported 
> unconditionally and Module#isExported("my.module.package") returns false, 
> preventing Jexl from accessing classes in that package.
> ClassTool should instead check that the package is exported to *at least* 
> Jexl's own module using [Module#isExported(String packageName, Module 
> module)|https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/lang/Module.html#isExported(java.lang.String,java.lang.Module)]
>  as this tests whether Jexl is allowed to reflect over public API and no more.
> As a workaround the package can be exported unconditionally, but this may not 
> be desirable as it impacts encapsulation and security in other parts of the 
> larger program:
> {code:java}
> module my.module {
>   exports my.module.package;
> } {code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to