Galen O'Sullivan created GEODE-2149:
---------------------------------------

             Summary: Queries shouldn't allow access to reflection API
                 Key: GEODE-2149
                 URL: https://issues.apache.org/jira/browse/GEODE-2149
             Project: Geode
          Issue Type: Bug
            Reporter: Galen O'Sullivan


Currently, it is possible to run GFSH queries like:

{code}
query --query="select a.class from /region1 a"

Result     : true
startCount : 0
endCount   : 20
Rows       : 1

protectionDomain | modifiers | interface | array | primitive | superclass | componentType | name | annotation | synthetic | classLoader | typeParameters | genericSuperclass | package | interfaces | genericInterfaces | enclosingMethod | enclosingConstructor | enclosingClass | simpleName | typeName | canonicalName | anonymousClass | localClass | memberClass | classes | fields | methods | constructors | declaredClasses | declaredFields | declaredMethods | declaredConstructors | enum | annotations | declaredAnnotations | annotatedSuperclass | annotatedInterfaces
---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ----
ProtectionDomain  null
 null
 <no principals>
 java.security.Permissions@2c1fc586 (
 ("java.security.AllPermission" "<all permissions>" "<all actions>")
)
 | 17 | false | false | false | class java.lang.Object | org.json.JSONObject.Null | java.lang.String | false | false | org.json.JSONObject.Null | org.json.JSONArray | class java.lang.Object | package java.lang, Java Platform API Specification, version 1.8 | org.json.JSONArray | org.json.JSONArray | org.json.JSONObject.Null | org.json.JSONObject.Null | org.json.JSONObject.Null | String | java.lang.String | java.lang.String | false | false | false | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | false | org.json.JSONArray | org.json.JSONArray | sun.reflect.annotation.AnnotatedTypeFactory$AnnotatedTypeBaseImpl@7cad0747 | org.json.JSONArray

NEXT_STEP_NAME : END
{code}

Methods and properties can be chained to get queries like the following, which 
seems to expose information about the running JVM:
{code}
query --query="select a.class.interfaces[0].package from /region1 a"

Result     : true
startCount : 0
endCount   : 20
Rows       : 1

name | annotations | declaredAnnotations | sealed | specificationTitle | specificationVersion | specificationVendor | implementationTitle | implementationVersion | implementationVendor
------- | ------------------ | ------------------- | ------ | ------------------------------- | -------------------- | ------------------- | ------------------------ | --------------------- | --------------------
java.io | org.json.JSONArray | org.json.JSONArray | false | Java Platform API Specification | 1.8 | Oracle Corporation | Java Runtime Environment | 1.8.0_111 | Oracle Corporation

NEXT_STEP_NAME : END
{code}

I haven't found a way to make a real security hole out of this, because as far 
as I can tell, I can't call functions on objects I can access, and it's 
generally harder to travel down the reflection API than up it. However, this 
doesn't seem like information that anyone would really need, and it exposes 
internals. Potentially there could be a way for someone with read access, even 
for a single table, to get more information than we really want them to have.

I think that literal properties and methods like "getX()" can be called here, 
though I haven't investigated thoroughly.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
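The following is an added example (Java 11+), not Geode's own code and not part of this issue: a type guard that a query evaluator could apply when it resolves attribute hops such as a.class by reflection, refusing any hop whose receiver or result is a Class, ClassLoader, Package, ProtectionDomain or java.lang.reflect object. The class name ReflectionGuard and the deny-list of package prefixes are assumptions.

```java
import java.lang.reflect.Method;
import java.util.Set;
// Added example, not Geode code: a type guard for a query evaluator that resolves
// attribute hops such as a.class or a.class.interfaces[0].package by reflection. A hop
// is refused when its receiver or its result is a Class, ClassLoader, Package,
// ProtectionDomain or java.lang.reflect object, so the walk stops at "a.class".
public class ReflectionGuard {
    // Assumed deny-list of package prefixes whose types a query must never reach.
    private static final Set<String> FORBIDDEN_PREFIXES =
            Set.of("java.lang.reflect", "java.security", "sun.", "jdk.internal");

    static boolean isForbiddenType(Class<?> type) {
        if (type == Class.class || type == ClassLoader.class || type == Package.class) return true;
        String pkg = type.getPackageName();
        for (String prefix : FORBIDDEN_PREFIXES) {
            if (pkg.startsWith(prefix)) return true;
        }
        return false;
    }

    // Resolve one hop the way an OQL evaluator would (getX() or isX()), checking both
    // the receiver and the accessor's declared return type before invoking anything.
    static Object resolve(Object receiver, String attribute) throws Exception {
        if (receiver == null) return null;
        Class<?> type = receiver.getClass();
        if (isForbiddenType(type)) {
            throw new SecurityException("query may not navigate into " + type.getName());
        }
        String cap = Character.toUpperCase(attribute.charAt(0)) + attribute.substring(1);
        for (String candidate : new String[] {"get" + cap, "is" + cap}) {
            Method m;   // public, zero-argument accessors only
            try { m = type.getMethod(candidate); } catch (NoSuchMethodException e) { continue; }
            if (isForbiddenType(m.getReturnType())) {
                throw new SecurityException("'" + attribute + "' would expose " + m.getReturnType().getName());
            }
            return m.invoke(receiver);
        }
        throw new NoSuchMethodException("no accessor for '" + attribute + "' on " + type.getName());
    }

    public static void main(String[] args) throws Exception {
        Object value = "a region value";              // constructed sample: a String, as in the issue
        System.out.println(resolve(value, "empty"));  // allowed: String.isEmpty() -> false
        try {
            resolve(value, "class");                  // the "select a.class" case: refused
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Checking the accessor's declared return type before invoking it is what stops the chain at the first hop; the second query in this issue never reaches interfaces[0] because getClass() is refused.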
