This is an automated email from the ASF dual-hosted git repository.

gongchao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hertzbeat.git


The following commit(s) were added to refs/heads/master by this push:
     new 7bb049f2d [improve] improve code (#2523)
7bb049f2d is described below

commit 7bb049f2df8e2027f8ea292e1e0579bce954bdf0
Author: Jast <[email protected]>
AuthorDate: Sun Sep 1 00:00:56 2024 +0800

    [improve] improve code (#2523)
    
    Signed-off-by: tomsun28 <[email protected]>
    Co-authored-by: YuLuo <[email protected]>
    Co-authored-by: tomsun28 <[email protected]>
    Co-authored-by: aias00 <[email protected]>
---
 .../collector/collect/jmx/JmxClassLoader.java      | 55 ++++++++++++++++++++++
 .../collector/collect/jmx/JmxCollectImpl.java      |  9 +++-
 2 files changed, 63 insertions(+), 1 deletion(-)

diff --git 
a/collector/src/main/java/org/apache/hertzbeat/collector/collect/jmx/JmxClassLoader.java
 
b/collector/src/main/java/org/apache/hertzbeat/collector/collect/jmx/JmxClassLoader.java
new file mode 100644
index 000000000..e0fc8a595
--- /dev/null
+++ 
b/collector/src/main/java/org/apache/hertzbeat/collector/collect/jmx/JmxClassLoader.java
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hertzbeat.collector.collect.jmx;
+
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * custom class loader config for JMX
+ */
+@Slf4j
+public class JmxClassLoader extends ClassLoader {
+
+    private static final String[] WHITE_PRE_LIST = new String[]{
+            "java.",
+            "javax.management.",
+            "org.apache.hertzbeat.",
+            "org.springframework.util.",
+            "com.sun.",
+            "sun.",
+            "org.slf4j.",
+            "jdk.",
+            "org.w3c.dom."
+    };
+    
+    public JmxClassLoader(ClassLoader parent) {
+        super(parent);
+    }
+
+    @Override
+    protected Class<?> loadClass(String name, boolean resolve) throws 
ClassNotFoundException {
+        for (String whitePre : WHITE_PRE_LIST) {
+            if (name.startsWith(whitePre)) {
+                return super.loadClass(name, resolve);
+            }
+        }
+        log.error("Security vulnerability detection in JMX collect: Forbidden 
class: {}", name);
+        throw new ClassNotFoundException("Forbidden unsafe collection request 
content");
+    }
+
+}
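Review bot: The prefix allowlist in `WHITE_PRE_LIST` is far broader than a JMX client appears to need: `java.`, `com.sun.`, `sun.` and `jdk.` admit almost the whole JDK, and `org.apache.hertzbeat.` and `org.springframework.util.` admit application classes, so the loader rejects unrelated third-party libraries but nothing inside those trees. Consider narrowing the list to the packages the collector actually reads, and say why each entry is there, for example with a class Javadoc line such as `Restricts the classes resolvable while talking to a monitored JMX endpoint; anything outside the listed prefixes is rejected.` The filter only applies where code resolves classes through this loader, so it is worth confirming with a test that the JMX/RMI deserialization path really consults it, and pairing it with a `java.io.ObjectInputFilter` if the runtime allows. A neutral name such as `ALLOWED_PREFIXES` would also read better than `WHITE_PRE_LIST`.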
diff --git 
a/collector/src/main/java/org/apache/hertzbeat/collector/collect/jmx/JmxCollectImpl.java
 
b/collector/src/main/java/org/apache/hertzbeat/collector/collect/jmx/JmxCollectImpl.java
index fb553a7dd..396428efd 100644
--- 
a/collector/src/main/java/org/apache/hertzbeat/collector/collect/jmx/JmxCollectImpl.java
+++ 
b/collector/src/main/java/org/apache/hertzbeat/collector/collect/jmx/JmxCollectImpl.java
@@ -69,10 +69,14 @@ public class JmxCollectImpl extends AbstractCollect {
     private static final String IGNORED_STUB = "/stub/";
 
     private static final String SUB_ATTRIBUTE = "->";
+    
     private final ConnectionCommonCache<CacheIdentifier, JmxConnect> 
connectionCommonCache;
 
+    private final ClassLoader jmxClassLoader;
+    
     public JmxCollectImpl() {
         connectionCommonCache = new ConnectionCommonCache<>();
+        jmxClassLoader = new 
JmxClassLoader(ClassLoader.getSystemClassLoader());
     }
 
     @Override
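Review bot: The constructor parents the filter on `ClassLoader.getSystemClassLoader()`, which may not be the loader that actually holds the collector's own classes. If the collector is ever started from a nested or fat jar, or under another custom loader, the allowed `org.apache.hertzbeat.`, `org.springframework.util.` and `org.slf4j.` prefixes would pass the filter and then fail in the parent with a plain `ClassNotFoundException`. Using the loader that defined this class is safer: `jmxClassLoader = new JmxClassLoader(JmxCollectImpl.class.getClassLoader());`. A short comment on the field stating that it is installed as the thread context loader only for the duration of `collect` would also help the next reader.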
@@ -87,7 +91,8 @@ public class JmxCollectImpl extends AbstractCollect {
 
     @Override
     public void collect(CollectRep.MetricsData.Builder builder, long 
monitorId, String app, Metrics metrics) {
-
+        ClassLoader currentClassLoader = 
Thread.currentThread().getContextClassLoader();
+        Thread.currentThread().setContextClassLoader(jmxClassLoader);
         try {
             JmxProtocol jmxProtocol = metrics.getJmx();
 
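Review bot: Swapping the thread context class loader for the whole body of `collect` (restored in the `finally` added in the next hunk) puts every context-loader lookup made during collection behind the allowlist, not just deserialization of data from the JMX endpoint. An unrelated lookup would then fail and be logged as "Security vulnerability detection", which makes that log line noisy as a detection signal. The connection code is outside this hunk, so this is inferred, but if the connector is created via `JMXConnectorFactory`, passing the loader in the environment map under `JMXConnectorFactory.DEFAULT_CLASS_LOADER` would scope the restriction to the connector instead of the thread. If the swap stays, add a comment here such as `// restrict class resolution while talking to the untrusted JMX endpoint; restored in finally`.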
@@ -129,6 +134,8 @@ public class JmxCollectImpl extends AbstractCollect {
             log.error("JMX Error :{}", errorMsg);
             builder.setCode(CollectRep.Code.FAIL);
             builder.setMsg(errorMsg);
+        } finally {
+            Thread.currentThread().setContextClassLoader(currentClassLoader);
         }
     }
 

