rootvector2 commented on code in PR #501:
URL: https://github.com/apache/commons-bcel/pull/501#discussion_r3414620347
##########
src/test/java/org/apache/bcel/util/BCELifierTest.java:
##########
@@ -279,6 +288,30 @@ void testStackMap(final String className) throws Exception
{
assertEquals("Hello World" + EOL, exec(workDir, getAppJava(), "-cp",
CLASSPATH, className, "Hello"));
}
+ @Test
+ void testCreateInvokeEscapesConstantPoolName() throws Exception {
+ // A hostile constant pool can hold any UTF-8 as a referenced method
name.
+ final String evilName = "evil\"); System.exit(1); il.append(\"";
+ final ClassGen cg = new ClassGen("Example", "java.lang.Object",
"Example.java", Const.ACC_PUBLIC | Const.ACC_SUPER, new String[] {});
+ final ConstantPoolGen cp = cg.getConstantPool();
+ final InstructionFactory factory = new InstructionFactory(cg, cp);
+ final InstructionList il = new InstructionList();
+ il.append(InstructionConst.ALOAD_0);
+ il.append(factory.createInvoke("java.lang.Object", evilName,
Type.VOID, Type.NO_ARGS, Const.INVOKEVIRTUAL));
+ il.append(InstructionConst.RETURN);
+ final MethodGen mg = new MethodGen(Const.ACC_PUBLIC, Type.VOID,
Type.NO_ARGS, new String[] {}, "m", "Example", il, cp);
+ mg.setMaxStack();
+ mg.setMaxLocals();
+ cg.addMethod(mg.getMethod());
+
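Review bot: the visible part of the hunk stops at `cg.addMethod(mg.getMethod());` without any `BCELifier` run or assertion, so as shown the test builds the hostile class but checks nothing; the remaining lines should run `BCELifier` over `cg` and assert that the generated source contains the escaped form of `evilName` (the `\"` and `;` converted by `Utility.convertString`) rather than the raw string, ideally by compiling and executing the emitted source the way the neighbouring `testStackMap` does with `exec(...)`. Since the comment notes the pool can hold any UTF-8, a second name containing a newline or a control character would also exercise the non-printable path of the escaping.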
Review Comment:
Yep, real gap. Same root cause as the createInvoke case: `BCELifier` writes
constant-pool-derived names straight into the generated string literals. Pushed
a follow-up that routes the class/superclass/source-file/interface names, the
`MethodGen` method and class names, exception names, argument names and the
stackmap names through `Utility.convertString` too. Added tests for the method
declaration name and the class/source-file cases.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]