sis-commits mailing list archives

From "Martin Desruisseaux (JIRA)" <>
Subject [jira] [Commented] (SIS-320) Enable SIS to run in security-constrained environments
Date Fri, 11 Mar 2016 11:50:50 GMT


Martin Desruisseaux commented on SIS-320:

The above {{security.policy}} file allows the application to run, but there are probably more
places missing a call to {{AccessController.doPrivileged(...)}}. The current state is conservative
(we use privileged blocks for stuff like getting environment variable values). The main risk
is in the code registering a shutdown hook, since that hook executes code registered by other
parts of the SIS library. Malicious code could use this SIS mechanism for registering its
own code. This security hole should be fixed when we use Jigsaw, since that hook is in
a SIS internal package.

We removed the use of {{doPrivileged}} for {{ServiceLoader}} since the loader could create
non-SIS classes if they are declared in {{META-INF/services/foo}}. We will revisit with Jigsaw.
If desired, the use of {{doPrivileged}} can be re-enabled by applying this diff:

svn diff -r1734539:1734538 core/sis-utility/src/main/java/org/apache/sis/internal/system/

> Enable SIS to run in security-constrained environments
> ------------------------------------------------------
>                 Key: SIS-320
>                 URL:
>             Project: Spatial Information Systems
>          Issue Type: Improvement
>          Components: Metadata, Referencing, Storage, Utilities
>    Affects Versions: 0.3, 0.4, 0.5, 0.6
>            Reporter: Martin Desruisseaux
>            Assignee: Martin Desruisseaux
>             Fix For: 0.7
> Wraps some code necessary to SIS working in {{AccessController.doPrivileged(...)}} blocks.
> {code:java}
> String dir = AccessController.doPrivileged((PrivilegedAction<String>) () -> {
>     return System.getenv("SIS_DATA");
> });
> {code}
> We should not wrap all security-sensitive requests for information, but only those that
> are needed for SIS working. Examples:
> * Environment variable value for {{SIS_DATA}}.
> * Property value for {{"java.naming.factory.initial"}}, {{"derby.system.home"}}.
> * Call to {{Field.setAccessible(true)}} in {{clone()}} methods for setting final fields.
> Information for which we do *not* request privileged actions at this time:
> * MBean registration.
> * Property value for {{"java.home"}}.
> * Call to {{Field.setAccessible(true)}} on deserialization for setting final transient
> Initial patch for SIS has been submitted by Guilhem Légal.

This message was sent by Atlassian JIRA
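
The following is an added illustration, not SIS code and not the fix the comment above plans (SIS defers it to Jigsaw): it keeps the privileged {{getenv}} scoped to a constant variable name, and runs tasks registered with a shutdown hook under a restricted {{AccessControlContext}} so that registered code cannot reuse the hook's privileges. The class name, {{register}}/{{runAll}} methods and the empty-permission context are hypothetical; the context only has an effect while a {{SecurityManager}} is installed (deprecated for removal since JDK 17).

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper (not SIS code) demonstrating least privilege around doPrivileged. */
final class LeastPrivilegeHooks {
    private LeastPrivilegeHooks() {}

    /** The variable name is a constant: callers cannot turn this block into a generic getenv(). */
    static String sisDataDirectory() {
        return AccessController.doPrivileged((PrivilegedAction<String>) () -> System.getenv("SIS_DATA"));
    }

    /** A context granting no permissions; doPrivileged intersects it with the caller's own domain. */
    private static final AccessControlContext NO_PERMISSIONS = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    /** Tasks registered by other parts of the library (the open registration the comment warns about). */
    private static final List<Runnable> TASKS = new ArrayList<>();

    static synchronized void register(Runnable task) {
        TASKS.add(task);
    }

    static {
        Runtime.getRuntime().addShutdownHook(new Thread(LeastPrivilegeHooks::runAll, "shutdown-hooks"));
    }

    /** Runs every task with the empty context, so a hostile task cannot borrow the hook's privileges. */
    static void runAll() {
        List<Runnable> snapshot;
        synchronized (LeastPrivilegeHooks.class) {
            snapshot = new ArrayList<>(TASKS);
        }
        for (Runnable task : snapshot) {
            try {
                AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                    task.run();
                    return null;
                }, NO_PERMISSIONS);
            } catch (RuntimeException e) {
                // A task that fails its permission check must not stop the remaining tasks.
                System.err.println("Shutdown task failed: " + e);
            }
        }
    }
}
```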
