From 9c09e20d4d58eaa8a6014b1532e4d2df1bbcac83 Mon Sep 17 00:00:00 2001
From: Lim Sim Yee <137663782+simei2k@users.noreply.github.com>
Date: Sun, 18 May 2025 13:35:08 +0800
Subject: [PATCH] Fix ClassLoader Security Vulnerability
This PR addresses a security vulnerability in the getClassLoader() method where accessing the thread's context class loader could fail under a SecurityManager with restricted thread permissions. Security Issues Fixed Missing Security Checks: Added proper privilege management when accessing the thread's context class loader. This vulnerability was also found in smallrye/smallrye-config@fb0def6 and fixed. References: 1. smallrye/smallrye-config@fb0def6 2. https://nvd.nist.gov/vuln/detail/cve-2020-1729
---
 .../gaarason/database/logging/Resources.java | 22 ++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/database-logging/src/main/java/gaarason/database/logging/Resources.java b/database-logging/src/main/java/gaarason/database/logging/Resources.java
index 32dcd445..15b030a3 100644
--- a/database-logging/src/main/java/gaarason/database/logging/Resources.java
+++ b/database-logging/src/main/java/gaarason/database/logging/Resources.java
@@ -1,4 +1,6 @@
 package gaarason.database.logging;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 /**
@@ -47,10 +49,28 @@ public static Class classForName(String className) throws ClassNotFoundExcept
 }
 private static ClassLoader getClassLoader() {
+ // Keep original behavior if default class loader is set
 if (defaultClassLoader != null) {
 return defaultClassLoader;
- } else {
+ }
+
+ // Check if security manager is present (optimization from fixed code)
+ if (System.getSecurityManager() == null) {
+ // Fast path when no security manager exists
 return Thread.currentThread().getContextClassLoader();
+ } else {
+ // Use doPrivileged when security manager is active
+ return AccessController.doPrivileged((PrivilegedAction) () -> {
+ try {
+ return Thread.currentThread().getContextClassLoader();
+ } catch (SecurityException ex) {
+ // Log exception but don't expose stack trace
+ // Using System.err since we don't want to assume logger availability
+ System.err.println("SecurityException: Unable to access thread context class loader");
+ // Return null on failure, maintaining original behavior on exception
+ return null;
+ }
+ });
 }
 }
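Review bot: The `catch (SecurityException ex)` branch inside the privileged action returns `null`, and its comment `maintaining original behavior on exception` does not match the old code, which had no catch and let the exception reach the caller. A null loader now flows to whatever calls getClassLoader() (those callers, including the public `classForName` named in the hunk header, lie outside this hunk), where it presumably surfaces later as a NullPointerException or a bootstrap-loader lookup rather than a clear permission failure. I would drop the try/catch so the lambda body is only `return Thread.currentThread().getContextClassLoader();`, or fall back to `Resources.class.getClassLoader()` if a non-null result is required. Because the lookup now runs with this library's own permissions under `doPrivileged`, also confirm that no public method hands the loader itself back to less-trusted code; keeping getClassLoader() private is what bounds that. `AccessController` and `System.getSecurityManager()` are deprecated for removal since Java 17, so this branch will need `@SuppressWarnings("removal")` or a version guard on newer JDKs.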