Merge pull request #6 from pixee/add-expanded-classload-sig

nahsra · web-flow · commit f07b6afec41c · 2023-09-06T12:36:35.000-04:00
Added new signature for protecting `Class.forName(s, bool, cl)`
diff --git a/.github/badges/jacoco.svg b/.github/badges/jacoco.svg
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="96" height="20" role="img" aria-label="coverage: 84%"><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="96" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="61" height="20" fill="#555"/><rect x="61" width="35" height="20" fill="#a4a61d"/><rect width="96" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="315" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="510">coverage</text><text x="315" y="140" transform="scale(.1)" fill="#fff" textLength="510">coverage</text><text aria-hidden="true" x="775" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="245">84%</text><text x="775" y="140" transform="scale(.1)" fill="#fff" textLength="245">84%</text></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="106" height="20" role="img" aria-label="coverage: 84.1%"><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="106" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="61" height="20" fill="#555"/><rect x="61" width="45" height="20" fill="#a4a61d"/><rect width="106" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="315" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="510">coverage</text><text x="315" y="140" transform="scale(.1)" fill="#fff" textLength="510">coverage</text><text aria-hidden="true" x="825" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="350">84.1%</text><text x="825" y="140" transform="scale(.1)" fill="#fff" textLength="350">84.1%</text></g></svg>
diff --git a/README.md b/README.md
@@ -35,15 +35,15 @@ In Maven:
 <dependency>
   <groupId>io.github.pixee</groupId>
   <artifactId>java-security-toolkit</artifactId>
-  <version>1.0.6</version>
+  <version>1.0.7</version>
 </dependency>
 ```
 In Gradle:
 ```kotlin
-implementation("io.github.pixee:java-security-toolkit:1.0.6")
+implementation("io.github.pixee:java-security-toolkit:1.0.7")
 ```
 
-## Contributing
+## Contributing 
 We'd love to get contributions! See [CONTRIBUTING.md](CONTRIBUTING.md).
 
 ### Building
diff --git a/src/main/java/io/github/pixee/security/Reflection.java b/src/main/java/io/github/pixee/security/Reflection.java
@@ -61,6 +61,25 @@ public static Class<?> loadAndVerify(final String name) throws ClassNotFoundExce
     return loadAndVerify(name, defaultRestrictions());
   }
 
+  /**
+   * This method sandboxes the classloading to prevent possibly dangerous types from being loaded,
+   * using the default restrictions.
+   *
+   * @param name the name of the type to load
+   * @param initialize whether to initialize the class, passed to {@link Class#forName(String,
+   *     boolean, ClassLoader)}
+   * @param loader the ClassLoader to use, passed to {@link Class#forName(String, boolean,
+   *     ClassLoader)}
+   * @throws ClassNotFoundException if the class is not found
+   * @return the result of {@link Class#forName(String)}, if it passes the default restrictions
+   */
+  public static Class<?> loadAndVerify(
+      final String name, final boolean initialize, final ClassLoader loader)
+      throws ClassNotFoundException {
+    return loadAndVerify(
+        name, defaultRestrictions(), () -> Class.forName(name, initialize, loader));
+  }
+
   /**
    * This method sandboxes the classloading to prevent possibly dangerous types from being loaded.
    *
@@ -72,6 +91,14 @@ public static Class<?> loadAndVerify(final String name) throws ClassNotFoundExce
   public static Class<?> loadAndVerify(
       final String name, final Set<ReflectionRestrictions> restrictions)
       throws ClassNotFoundException {
+    return loadAndVerify(name, restrictions, () -> Class.forName(name));
+  }
+
+  private static Class<?> loadAndVerify(
+      final String name,
+      final Set<ReflectionRestrictions> restrictions,
+      final ClassSupplier classSupplier)
+      throws ClassNotFoundException {
 
     // we can do this check up front before we even load the type
     if (restrictions.contains(ReflectionRestrictions.MUST_NOT_INVOLVE_CODE_EXECUTION)) {
@@ -83,7 +110,7 @@ public static Class<?> loadAndVerify(
     }
 
     // load the type so we can do the other checks
-    final Class<?> type = Class.forName(name);
+    final Class<?> type = classSupplier.get();
 
     if (restrictions.contains(ReflectionRestrictions.MUST_BE_PUBLIC)) {
       final int modifiers = type.getModifiers();
@@ -116,5 +143,9 @@ public static Class<?> loadAndVerify(
           "groovy.",
           "org.python.");
 
+  private interface ClassSupplier {
+    Class<?> get() throws ClassNotFoundException;
+  }
+
   private static final String typeNotAllowedMessage = "type not allowed";
 }
diff --git a/src/test/java/io/github/pixee/security/ReflectionTest.java b/src/test/java/io/github/pixee/security/ReflectionTest.java
@@ -12,6 +12,7 @@
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.ValueSource;
 
+/** Test the protections of {@link Reflection}. */
 final class ReflectionTest {
 
   @ParameterizedTest
@@ -26,6 +27,11 @@ void it_protects_dangerous_reflection(final String type) {
 
     // run the same test and confirm that the defaultRestrictions() returns this
     assertThrows(SecurityException.class, () -> Reflection.loadAndVerify(type));
+
+    // run the same test again on the other signature
+    assertThrows(
+        SecurityException.class,
+        () -> Reflection.loadAndVerify(type, true, getClass().getClassLoader()));
   }
 
   @Test
@@ -38,7 +44,10 @@ void it_enforces_public_restriction() throws ClassNotFoundException {
             Reflection.loadAndVerify(
                 ReflectionTest.class.getName(), setOf(ReflectionRestrictions.MUST_BE_PUBLIC)));
 
-    // the type we're testing is public and so we should be able to load it
+    // the type we're testing is public, and so we should be able to load it
+    Reflection.loadAndVerify(
+        Reflection.class.getName(), setOf(ReflectionRestrictions.MUST_BE_PUBLIC));
+
     Reflection.loadAndVerify(
         Reflection.class.getName(), setOf(ReflectionRestrictions.MUST_BE_PUBLIC));
   }
@@ -53,6 +62,8 @@ void it_enforces_public_restriction() throws ClassNotFoundException {
   void it_loads_normal_classes(final String typeName) throws ClassNotFoundException {
     Class<?> type = Reflection.loadAndVerify(typeName);
     assertThat(type, is(not(nullValue())));
+    type = Reflection.loadAndVerify(typeName, true, getClass().getClassLoader());
+    assertThat(type, is(not(nullValue())));
   }
 
   @Test
