Skip to content

[Entitlements] Add URLConnection instrumentation for file protocol #123824

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 18 commits into from
Mar 5, 2025
Merged

[Entitlements] Add URLConnection instrumentation for file protocol #123824

merged 18 commits into from
Mar 5, 2025

Conversation

@ldematte
Copy link
Contributor

@ldematte ldematte commented Mar 2, 2025
edited
Loading

Based on #123503

Relates to ES-10994

ldematte
ldematte commented Mar 2, 2025
View reviewed changes
...src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

private void checkURLFileRead(Class<?> callerClass, URL url) {
try {
policyManager.checkFileRead(callerClass, Paths.get(url.toURI()));
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be better/safer to use url.getFile() here instead?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rjernst I'd like your input here, wdyt? Is it OK as is, or is using url.getFile() better?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The idea behind the current implementation is that if we are getting the URL from a FileURLConnection, so the URL must be a valid File URL already; and even if we are give an invalid File URL, the method we are instrumenting would eventually fail anyway, so we don't care about re-throwing the exception.

The idea behind using url.getFile() instead is that this does not throw; it simply returns a (possibly invalid) String, that we will use to create a Path and then pass to the PolicyManager/FileAccessTree (which will do a string-matching check, so we don't really care if it's valid or not). While cratering a Path we can still get a InvalidPathException, but that is much more unlikely (there are just a bunch of character that cannot be in a path in the various OSes).

An third alternative is to catch the syntax exception and re-throw a NotEntitledException, much like I want to do with the next PR (Jar) once we cover all the protocols we want to cover: in case we "see" a different protocol, or in general some unknown URL (not file, not network), we block it (see

elasticsearch/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

Line 685 in a407e99

private void checkEntitlementForUrl(Class<?> callerClass, URL that) {
)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe what you have (using Paths.get on the uri) is the correct way. It's what we do in other places, eg in JarHell.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You might be right that trying to get the path out of the URL directly can work without needing to catch exceptions, though it should be getPath() instead (see the docs on getFile(), it can contain query stuff as well).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Ryan. I'll keep Paths for now, and make a mental note to use getPath() if I spot anything even remotely suspicious.

@ldematte ldematte mentioned this pull request Mar 3, 2025
Merged
@ldematte ldematte changed the title [Entitlements] FileURLConnection instrumentation [Entitlements] Add URLConnection instrumentation for file protocol Mar 3, 2025
@ldematte ldematte added >non-issue auto-backport Automatically create backport pull requests when merged v8.18.1 v8.19.0 v9.0.1 :Core/Infra/Entitlements Entitlements infrastructure labels Mar 3, 2025
@ldematte ldematte marked this pull request as ready for review March 3, 2025 08:11
@ldematte ldematte requested a review from a team as a code owner March 3, 2025 08:11
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Mar 3, 2025
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@ldematte ldematte mentioned this pull request Mar 3, 2025
Merged
@prdoyle
Copy link
Contributor

prdoyle commented Mar 3, 2025

This withXxx style makes the test cases really easy to review!

@ldematte ldematte merged commit 67d0dd4 into elastic:main Mar 5, 2025
17 checks passed
@ldematte ldematte mentioned this pull request Mar 5, 2025
Merged
@elasticsearchmachine
Copy link
Collaborator

💔 Backport failed

Status Branch Result
8.18 Commit could not be cherrypicked due to conflicts
8.x Commit could not be cherrypicked due to conflicts
9.0

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 123824

ldematte added a commit to ldematte/elasticsearch that referenced this pull request Mar 5, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for file protocol (e…
1d038ac 
…lastic#123824)
ldematte added a commit that referenced this pull request Mar 5, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for file protocol (#…
92b6ba7 
…123824)
ldematte added a commit that referenced this pull request Mar 5, 2025
@ldematte
Revert "[Entitlements] Add URLConnection instrumentation for file pro…
33a9cc8 
…tocol (#123824)"

This reverts commit 92b6ba7.
ldematte added a commit to ldematte/elasticsearch that referenced this pull request Mar 5, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for file protocol (e…
57e0b46 
…lastic#123824)
@ldematte ldematte mentioned this pull request Mar 5, 2025
Merged
ldematte added a commit to ldematte/elasticsearch that referenced this pull request Mar 5, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for file protocol (e…
0fe888c 
…lastic#123824)
@ldematte ldematte mentioned this pull request Mar 5, 2025
Merged
@ldematte ldematte deleted the entitlements/missing-url-connection-3 branch March 5, 2025 07:05
elasticsearchmachine pushed a commit that referenced this pull request Mar 5, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for file protocol (#…
dc2d0f0 
…123824) (#124063)
elasticsearchmachine pushed a commit that referenced this pull request Mar 5, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for file protocol (#…
27d80f2 
…123824) (#124064)
elasticsearchmachine pushed a commit that referenced this pull request Mar 5, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for file protocol (#…
c709524 
…123824) (#124065)
ldematte added a commit that referenced this pull request Mar 9, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for jar protocol (#1…
a15aee6 
…23861)

Follows #123824

Relates to ES-10994
ldematte added a commit to ldematte/elasticsearch that referenced this pull request Mar 9, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for jar protocol (el…
c7ae1f3 
…astic#123861)

Follows elastic#123824

Relates to ES-10994
ldematte added a commit to ldematte/elasticsearch that referenced this pull request Mar 9, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for jar protocol (el…
281285f 
…astic#123861)

Follows elastic#123824

Relates to ES-10994
ldematte added a commit to ldematte/elasticsearch that referenced this pull request Mar 9, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for jar protocol (el…
3860e8c 
…astic#123861)

Follows elastic#123824

Relates to ES-10994
elasticsearchmachine pushed a commit that referenced this pull request Mar 9, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for jar protocol (#1…
61121ad 
…23861) (#124443)

Follows #123824

Relates to ES-10994
elasticsearchmachine pushed a commit that referenced this pull request Mar 9, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for jar protocol (#1…
2a82161 
…23861) (#124441)

Follows #123824

Relates to ES-10994
elasticsearchmachine pushed a commit that referenced this pull request Mar 10, 2025
@ldematte
[Entitlements] Add URLConnection instrumentation for jar protocol (#1…
d123f33 
…23861) (#124442)

Follows #123824

Relates to ES-10994
georgewallace pushed a commit to georgewallace/elasticsearch that referenced this pull request Mar 11, 2025
@ldematte @georgewallace
[Entitlements] Add URLConnection instrumentation for file protocol (e…
73f42e9 
…lastic#123824)
georgewallace pushed a commit to georgewallace/elasticsearch that referenced this pull request Mar 11, 2025
@ldematte @georgewallace
[Entitlements] Add URLConnection instrumentation for jar protocol (el…
5870b3e 
…astic#123861)

Follows elastic#123824

Relates to ES-10994
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rjernst rjernst rjernst left review comments

@prdoyle prdoyle prdoyle approved these changes

Assignees

No one assigned

Labels

auto-backport Automatically create backport pull requests when merged :Core/Infra/Entitlements Entitlements infrastructure >non-issue Team:Core/Infra Meta label for core/infra team v8.18.1 v8.19.0 v9.0.1 v9.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ldematte @elasticsearchmachine @prdoyle @rjernst