[ https://issues.apache.org/jira/browse/GEODE-2149?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Smith resolved GEODE-2149.
------------------------------
       Resolution: Duplicate
    Fix Version/s: 1.3.0

> Queries shouldn't allow access to reflection API
> ------------------------------------------------
>
>                 Key: GEODE-2149
>                 URL: https://issues.apache.org/jira/browse/GEODE-2149
>             Project: Geode
>          Issue Type: Bug
>            Reporter: Galen O'Sullivan
>            Priority: Major
>             Fix For: 1.3.0
>
>
> Currently, it is possible to run GFSH queries like:
> {code}
> query --query="select a.class from /region1 a"
> Result     : true
> startCount : 0
> endCount   : 20
> Rows       : 1
>                                                                       
> protectionDomain                                                              
>          | modifiers | interface | array | primitive |       superclass       
> |      componentType       |       name       | annotation | synthetic |      
>  classLoader        |   typeParameters   |   genericSuperclass    |           
>                   package                             |     interfaces     | 
> genericInterfaces  |     enclosingMethod      |   enclosingConstructor   |    
>   enclosingClass      | simpleName |     typeName     |  canonicalName   | 
> anonymousClass | localClass | memberClass |      classes       |       fields 
>       |      methods       |    constructors    |  declaredClasses   |   
> declaredFields   |  declaredMethods   | declaredConstructors | enum  |    
> annotations     | declaredAnnotations |                            
> annotatedSuperclass                             | annotatedInterfaces
> ------------------------------------------------------------------------------------------------------------------------------------------------------------
>  | --------- | --------- | ----- | --------- | ---------------------- | 
> ------------------------ | ---------------- | ---------- | --------- | 
> ------------------------ | ------------------ | ---------------------- | 
> --------------------------------------------------------------- | 
> ------------------ | ------------------ | ------------------------ | 
> ------------------------ | ------------------------ | ---------- | 
> ---------------- | ---------------- | -------------- | ---------- | 
> ----------- | ------------------ | ------------------ | ------------------ | 
> ------------------ | ------------------ | ------------------ | 
> ------------------ | -------------------- | ----- | ------------------ | 
> ------------------- | 
> -------------------------------------------------------------------------- | 
> -------------------
> ProtectionDomain  null
>  null
>  <no principals>
>  java.security.Permissions@2c1fc586 (
>  ("java.security.AllPermission" "<all permissions>" "<all actions>")
> )
>  | 17        | false     | false | false     | class java.lang.Object | 
> org.json.JSONObject.Null | java.lang.String | false      | false     | 
> org.json.JSONObject.Null | org.json.JSONArray | class java.lang.Object | 
> package java.lang, Java Platform API Specification, version 1.8 | 
> org.json.JSONArray | org.json.JSONArray | org.json.JSONObject.Null | 
> org.json.JSONObject.Null | org.json.JSONObject.Null | String     | 
> java.lang.String | java.lang.String | false          | false      | false     
>   | org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | 
> org.json.JSONArray | org.json.JSONArray | org.json.JSONArray | 
> org.json.JSONArray | org.json.JSONArray   | false | org.json.JSONArray | 
> org.json.JSONArray  | 
> sun.reflect.annotation.AnnotatedTypeFactory$AnnotatedTypeBaseImpl@7cad0747 | 
> org.json.JSONArray
> NEXT_STEP_NAME : END
> {code}
> Methods and properties can be chained to get queries like the following, 
> which seems to expose information about the running JVM:
> {code}
> query --query="select a.class.interfaces[0].package from /region1 a"
> Result     : true
> startCount : 0
> endCount   : 20
> Rows       : 1
>  name   |    annotations     | declaredAnnotations | sealed |       
> specificationTitle        | specificationVersion | specificationVendor |   
> implementationTitle    | implementationVersion | implementationVendor
> ------- | ------------------ | ------------------- | ------ | 
> ------------------------------- | -------------------- | ------------------- 
> | ------------------------ | --------------------- | --------------------
> java.io | org.json.JSONArray | org.json.JSONArray  | false  | Java Platform 
> API Specification | 1.8                  | Oracle Corporation  | Java Runtime 
> Environment | 1.8.0_111             | Oracle Corporation
> NEXT_STEP_NAME : END
> {code}
> I haven't found a way to make a real security hole out of this, because as 
> far as I can tell, I can't call functions on objects I can access, and it's 
> generally harder to travel down the reflection API than up it. However, this 
> doesn't seem like information that anyone would really need, and it exposes 
> internals. Potentially there could be a way for someone with read access, 
> even for a single table, to get more information than we really want them to 
> have.
> I think that literal properties and methods like "getX()" can be called here, 
> though I haven't investigated thoroughly.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
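
The chaining behaviour reported above, and one way to cut it off, shown as an added Java example that is not part of the original report and is not Geode's resolver code. It assumes attribute names are mapped to bean-style getters through reflection; AttributeResolverDemo, Customer, getter, isDenied and resolve are hypothetical names.

```java
import java.lang.reflect.Method;
public class AttributeResolverDemo {
    // Constructed stand-in for a value stored in a region.
    public static class Customer {
        private final String name;
        public Customer(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Assumed resolution rule: attribute "x" maps to the public getter getX().
    static Method getter(Class<?> type, String attr) throws NoSuchMethodException {
        return type.getMethod("get" + Character.toUpperCase(attr.charAt(0)) + attr.substring(1));
    }

    // Getters that step from application data into the reflection API.
    static boolean isDenied(Method m) {
        Class<?> owner = m.getDeclaringClass();
        return m.getName().equals("getClass") || owner == Class.class || owner == Package.class
            || owner == ClassLoader.class || owner.getName().startsWith("java.lang.reflect.");
    }

    // Walks a dotted path; with restricted=true, denied getters are rejected before invocation.
    static Object resolve(Object target, String path, boolean restricted) throws Exception {
        Object current = target;
        for (String attr : path.split("\\.")) {
            if (current == null) return null;
            Method m = getter(current.getClass(), attr);
            if (restricted && isDenied(m)) {
                throw new SecurityException("attribute not allowed in query: " + attr);
            }
            current = m.invoke(current);
        }
        return current;
    }

    public static void main(String[] args) throws Exception {
        Customer c = new Customer("alice");
        // Unrestricted: "class" resolves via Object.getClass(), then the chain continues on Class.
        System.out.println(resolve(c, "class.superclass.name", false));
        // Restricted: data attributes still resolve, but the first step into reflection is refused.
        System.out.println(resolve(c, "name", true));
        try {
            resolve(c, "class.superclass.name", true);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```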
