A standard Java implementation might provide several ClassLoaders to load clas ses from a file system, a URL, or a zipped file, among others, but also provides developers the ability to create their own custom ClassLoaders to handle custom requirements. Java has the ability to load code dynamically at runtime from a variety of sources. This is accomplished through a special category of classes called ClassLoaders. Understanding of the issue requires some basic knowledge of the way Java ClassLoaders work since class loading is one of the least understood aspects of Java, we will proceed to provide an introduction to this concept prior to explaining the issue itself. It is related to the way classes loaded by different ClassLoaders are treated. The vulnerability can be found in the new reflection library, available since Java 7, and more specifically in the new MethodHandle class used for dynamically accessing and invoking methods. After the issue became public, Oracle released a patch as part of 8u77. Moreover, subsequent investigation has revealed that the vulnerability is even more severe than initially reported. Oracle released a patch in update 7u40, but as Security Explorations announced earlier this year, the patch only addressed the proof of concept, and a simple code modification still exposes the vulnerability. 5.In July 2013, security organization Security Explorations discovered a security vulnerability in Java 7u25 by which an attacker could completely escape the Java sandbox. The Invokable class hides this behind the API that is simple to use and very concise. We see that even such a simple operation needs a lot of checks using standard reflection API. || Modifier.isFinal(method.getDeclaringClass().getModifiers()))) īoolean isOverridableFinalGauava = invokable.isOverridable() || Modifier.isStatic(method.getModifiers()) || Modifier.isPrivate(method.getModifiers()) Fortunately, the isOverridable() method from the Invokable class makes it easier: Method method = ("notOverridablePublicMethod") īoolean isOverridableStandardJava = (!(Modifier.isFinal(method.getModifiers()) There is not much difference between these two variants, but checking if a method is overridable is a really non-trivial task in Java. Now let's examine the somePublicMethod() using Guava API and Java standard reflection API: Method method = ("somePublicMethod") īoolean isPublicStandradJava = Modifier.isPublic(method.getModifiers()) īoolean isPublicGuava = invokable.isPublic() TypeToken type = new TypeToken(getClass()) Only the integerListToken can be assigned to a reference of type nubmerTypeToken because an Integer class extends a Number class. We can use the TypeToken class to capture an actual type of generic list and check if they really can be referenced by the same reference: TypeToken> stringListTokenĪssertFalse(stringListToken.isSubtypeOf(integerListToken)) ĪssertFalse(numberTypeToken.isSubtypeOf(integerListToken)) ĪssertTrue(integerListToken.isSubtypeOf(numberTypeToken)) The TypeToken class uses this workaround to allow the manipulation of generic types. If we have a method that returns a List, we can use reflection to obtain the return type of that method – a ParameterizedType representing List. It basically compares two types that are just a List without any information about the actual type.īy using the standard Java reflection API we can detect the generic types of methods and classes. Because of type erasure, the method isAssignableFrom() can not know the actual generic type of the lists.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |