✨ Add Fixed Unsafe Reflection

Author: gilday

pom.xml

@@ -28,6 +28,11 @@
         <artifactId>jakarta.ws.rs-api</artifactId>
         <version>3.1.0</version>
       </dependency>
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit</artifactId>
+        <version>1.1.2</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
@@ -36,6 +41,10 @@
       <groupId>jakarta.ws.rs</groupId>
       <artifactId>jakarta.ws.rs-api</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.junit.jupiter</groupId>
       <artifactId>junit-jupiter-api</artifactId>

src/main/java/com/acme/reflection/UnsafeReflectionFixed.java

@@ -0,0 +1,45 @@
+package com.acme.reflection;
+
+import io.github.pixee.security.Reflection;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.QueryParam;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+
+/** {@link UnsafeReflection}, but with the expected hardening against unsafe reflection. */
+@Path("/unsafe-reflection-fixed")
+public class UnsafeReflectionFixed {
+
+  @GET
+  public String hello(@QueryParam("translator") final String translationStrategy) {
+    final var translator = loadTranslatorByName(translationStrategy);
+    return translator.translate("Hello, world!");
+  }
+
+  private static TranslatorStrategy loadTranslatorByName(final String translationStrategy) {
+    final Class<?> translatorClazz;
+    try {
+      translatorClazz = Reflection.loadAndVerify("com.acme." + translationStrategy);
+    } catch (ClassNotFoundException e) {
+      throw new IllegalArgumentException("Invalid translator: " + translationStrategy, e);
+    }
+    if (TranslatorStrategy.class.isAssignableFrom(translatorClazz)) {
+      throw new IllegalArgumentException("Invalid translator: " + translationStrategy);
+    }
+    final Constructor<?> translatorCtor;
+    try {
+      translatorCtor = translatorClazz.getConstructor();
+    } catch (NoSuchMethodException e) {
+      throw new IllegalStateException(
+          "Translator " + translationStrategy + " is missing a no-args constructor", e);
+    }
+    final TranslatorStrategy translator;
+    try {
+      translator = (TranslatorStrategy) translatorCtor.newInstance();
+    } catch (InstantiationException | IllegalAccessException | InvocationTargetException e) {
+      throw new IllegalStateException("Failed to initialize translator " + translationStrategy, e);
+    }
+    return translator;
+  }
+}