Wed, 03 Jul 2013 12:39:28 +0200
8010946: AccessControl.doPrivileged is broken when called from js script
Reviewed-by: jlaskey, sundar
aoqi@0 | 1 | /* |
aoqi@0 | 2 | * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved. |
aoqi@0 | 3 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
aoqi@0 | 4 | * |
aoqi@0 | 5 | * This code is free software; you can redistribute it and/or modify it |
aoqi@0 | 6 | * under the terms of the GNU General Public License version 2 only, as |
aoqi@0 | 7 | * published by the Free Software Foundation. Oracle designates this |
aoqi@0 | 8 | * particular file as subject to the "Classpath" exception as provided |
aoqi@0 | 9 | * by Oracle in the LICENSE file that accompanied this code. |
aoqi@0 | 10 | * |
aoqi@0 | 11 | * This code is distributed in the hope that it will be useful, but WITHOUT |
aoqi@0 | 12 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
aoqi@0 | 13 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
aoqi@0 | 14 | * version 2 for more details (a copy is included in the LICENSE file that |
aoqi@0 | 15 | * accompanied this code). |
aoqi@0 | 16 | * |
aoqi@0 | 17 | * You should have received a copy of the GNU General Public License version |
aoqi@0 | 18 | * 2 along with this work; if not, write to the Free Software Foundation, |
aoqi@0 | 19 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
aoqi@0 | 20 | * |
aoqi@0 | 21 | * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
aoqi@0 | 22 | * or visit www.oracle.com if you need additional information or have any |
aoqi@0 | 23 | * questions. |
aoqi@0 | 24 | */ |
aoqi@0 | 25 | |
aoqi@0 | 26 | /* |
aoqi@0 | 27 | * This file is available under and governed by the GNU General Public |
aoqi@0 | 28 | * License version 2 only, as published by the Free Software Foundation. |
aoqi@0 | 29 | * However, the following notice accompanied the original version of this |
aoqi@0 | 30 | * file, and Oracle licenses the original version of this file under the BSD |
aoqi@0 | 31 | * license: |
aoqi@0 | 32 | */ |
aoqi@0 | 33 | /* |
aoqi@0 | 34 | Copyright 2009-2013 Attila Szegedi |
aoqi@0 | 35 | |
aoqi@0 | 36 | Licensed under both the Apache License, Version 2.0 (the "Apache License") |
aoqi@0 | 37 | and the BSD License (the "BSD License"), with licensee being free to |
aoqi@0 | 38 | choose either of the two at their discretion. |
aoqi@0 | 39 | |
aoqi@0 | 40 | You may not use this file except in compliance with either the Apache |
aoqi@0 | 41 | License or the BSD License. |
aoqi@0 | 42 | |
aoqi@0 | 43 | If you choose to use this file in compliance with the Apache License, the |
aoqi@0 | 44 | following notice applies to you: |
aoqi@0 | 45 | |
aoqi@0 | 46 | You may obtain a copy of the Apache License at |
aoqi@0 | 47 | |
aoqi@0 | 48 | http://www.apache.org/licenses/LICENSE-2.0 |
aoqi@0 | 49 | |
aoqi@0 | 50 | Unless required by applicable law or agreed to in writing, software |
aoqi@0 | 51 | distributed under the License is distributed on an "AS IS" BASIS, |
aoqi@0 | 52 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or |
aoqi@0 | 53 | implied. See the License for the specific language governing |
aoqi@0 | 54 | permissions and limitations under the License. |
aoqi@0 | 55 | |
aoqi@0 | 56 | If you choose to use this file in compliance with the BSD License, the |
aoqi@0 | 57 | following notice applies to you: |
aoqi@0 | 58 | |
aoqi@0 | 59 | Redistribution and use in source and binary forms, with or without |
aoqi@0 | 60 | modification, are permitted provided that the following conditions are |
aoqi@0 | 61 | met: |
aoqi@0 | 62 | * Redistributions of source code must retain the above copyright |
aoqi@0 | 63 | notice, this list of conditions and the following disclaimer. |
aoqi@0 | 64 | * Redistributions in binary form must reproduce the above copyright |
aoqi@0 | 65 | notice, this list of conditions and the following disclaimer in the |
aoqi@0 | 66 | documentation and/or other materials provided with the distribution. |
aoqi@0 | 67 | * Neither the name of the copyright holder nor the names of |
aoqi@0 | 68 | contributors may be used to endorse or promote products derived from |
aoqi@0 | 69 | this software without specific prior written permission. |
aoqi@0 | 70 | |
aoqi@0 | 71 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS |
aoqi@0 | 72 | IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
aoqi@0 | 73 | TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A |
aoqi@0 | 74 | PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER |
aoqi@0 | 75 | BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
aoqi@0 | 76 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
aoqi@0 | 77 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
aoqi@0 | 78 | BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, |
aoqi@0 | 79 | WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR |
aoqi@0 | 80 | OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF |
aoqi@0 | 81 | ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
aoqi@0 | 82 | */ |
aoqi@0 | 83 | |
aoqi@0 | 84 | package jdk.internal.dynalink.beans; |
aoqi@0 | 85 | |
aoqi@0 | 86 | import java.lang.annotation.Annotation; |
aoqi@0 | 87 | import java.lang.reflect.AccessibleObject; |
aoqi@0 | 88 | import sun.reflect.CallerSensitive; |
aoqi@0 | 89 | |
/**
 * Utility class that determines whether a method or constructor is caller sensitive. It encapsulates two strategies
 * for making that determination: a more robust one, usable when Dynalink runs as code with access to the
 * {@code sun.reflect} package, and an unprivileged fallback used when it does not have that access. The fallback is
 * ordinarily robust as well, but it depends on the {@code toString} form of the annotation. An attacker who spoofed
 * the string form of {@code CallerSensitive} with a different annotation could mark their own methods as caller
 * sensitive; that does not escalate privileges, it merely stops Dynalink from caching method handles for those
 * methods, which costs some linking performance. Conversely, if Dynalink were tricked into not recognizing a genuine
 * {@code CallerSensitive} annotation, it would treat the method as ordinary and cache it bound to a zero-privilege
 * delegate as the caller (exactly what Dynalink did before it could handle caller-sensitive methods at all). That
 * makes such methods practically unusable through Dynalink but, again, cannot lead to any privilege escalation. The
 * less robust unprivileged strategy is therefore still safe: the worst a successful attack against it can achieve is
 * a slight reduction in Dynalink-exposed functionality or performance.
 */
public class CallerSensitiveDetector {

    /** Chosen once, during class initialization; every query is delegated to it. */
    private static final Strategy STRATEGY = selectStrategy();

    /**
     * Tells whether the given method or constructor is annotated as caller sensitive.
     *
     * @param ao the reflective member to inspect
     * @return {@code true} if {@code ao} carries the caller-sensitive annotation according to the active strategy
     */
    static boolean isCallerSensitive(AccessibleObject ao) {
        return STRATEGY.isCallerSensitive(ao);
    }

    /**
     * Probes for the privileged strategy and falls back to the unprivileged one. Constructing
     * {@link ByAnnotationClass} runs its static initializer, which references {@code sun.reflect.CallerSensitive};
     * if that fails for any reason the fallback is chosen. {@code Throwable} is caught deliberately so that a failed
     * probe can never break initialization of this class.
     */
    private static Strategy selectStrategy() {
        Strategy chosen;
        try {
            chosen = new ByAnnotationClass();
        } catch (Throwable probeFailure) {
            chosen = new ByAnnotationString();
        }
        return chosen;
    }

    /** A way of deciding caller sensitivity for a reflective member. */
    private interface Strategy {
        boolean isCallerSensitive(AccessibleObject ao);
    }

    /** Looks the annotation up by its class object; requires access to {@code sun.reflect}. */
    private static final class ByAnnotationClass implements Strategy {
        private static final Class<? extends Annotation> ANNOTATION_TYPE = CallerSensitive.class;

        @Override
        public boolean isCallerSensitive(AccessibleObject ao) {
            return ao.isAnnotationPresent(ANNOTATION_TYPE);
        }
    }

    /**
     * Compares the string form of each present annotation against the expected one; needs no access to
     * {@code sun.reflect}. See the class comment for why a spoofed match is harmless.
     */
    private static final class ByAnnotationString implements Strategy {
        private static final String EXPECTED = "@sun.reflect.CallerSensitive()";

        @Override
        public boolean isCallerSensitive(AccessibleObject ao) {
            Annotation[] present = ao.getAnnotations();
            for (int i = 0; i < present.length; i++) {
                if (EXPECTED.equals(String.valueOf(present[i]))) {
                    return true;
                }
            }
            return false;
        }
    }
}