Skip to content

Commit 73186c5

Browse files
molly-moenmolly-moen
authored
only allow easymock for validation (#374)
1 parent adfea79 commit 73186c5

File tree

1 file changed

+15
-9
lines changed

1 file changed

+15
-9
lines changed

org-code-javabuilder/lib/src/main/java/org/code/javabuilder/UserClassLoader.java

Lines changed: 15 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,6 @@
33
import java.lang.invoke.LambdaMetafactory;
44
import java.lang.invoke.StringConcatFactory;
55
import java.lang.reflect.InvocationTargetException;
6-
import java.lang.reflect.Method;
76
import java.net.URL;
87
import java.net.URLClassLoader;
98
import java.util.HashSet;
@@ -41,10 +40,16 @@ public Class<?> loadClass(String name) throws ClassNotFoundException {
4140
}
4241
// If this is not a user provided class, we are loading something used by a user provided class.
4342
// If it is either an allowed class or package, we can load with our standard class loader.
44-
// Otherwise, throw an exception.
4543
if (this.allowedClasses.contains(name)) {
4644
return this.approvedClassLoader.loadClass(name);
4745
}
46+
47+
// Validation code has a few additional allowed classes.
48+
if (this.permissionLevel == RunPermissionLevel.VALIDATOR
49+
&& this.validatorAllowedClasses.contains(name)) {
50+
return this.approvedClassLoader.loadClass(name);
51+
}
52+
4853
// allow .<specific-class> usage from allowed packages. If this code
4954
// has validation permissions, also check the
5055
// validator permissions allowed package list.
@@ -107,11 +112,7 @@ private boolean isInAllowedPackage(String[] allowedPackageList, String name) {
107112
String.class.getName(),
108113
StringBuffer.class.getName(),
109114
StringBuilder.class.getName(),
110-
Throwable.class.getName(),
111-
ThreadLocal.class.getName(), // EasyMock support
112-
CloneNotSupportedException.class.getName(), // EasyMock support
113-
Method.class.getName(), // EasyMock support
114-
InvocationTargetException.class.getName()); // EasyMock support
115+
Throwable.class.getName());
115116

116117
// Allowed packages (any individual class is allowed from these classes)
117118
private static final String[] allowedPackages =
@@ -126,11 +127,16 @@ private boolean isInAllowedPackage(String[] allowedPackageList, String name) {
126127
"org.code.neighborhood.",
127128
"org.code.theater.",
128129
"org.code.lang",
129-
"org.easymock.",
130130
"jdk.internal.reflect.SerializationConstructorAccessorImpl" // EasyMock support
131131
};
132132

133133
// Allowed packages for code with elevated permissions, such as validation code.
134134
private static final String[] validatorAllowedPackages =
135-
new String[] {"org.code.validation", "java.lang.reflect"};
135+
new String[] {"org.code.validation", "java.lang.reflect", "org.easymock."};
136+
137+
private static final Set<String> validatorAllowedClasses =
138+
Set.of(
139+
ThreadLocal.class.getName(), // EasyMock support
140+
CloneNotSupportedException.class.getName(), // EasyMock support
141+
InvocationTargetException.class.getName()); // EasyMock support
136142
}

0 commit comments

Comments
 (0)