aoqi@0: /* aoqi@0: * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved. aoqi@0: * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. aoqi@0: * aoqi@0: * This code is free software; you can redistribute it and/or modify it aoqi@0: * under the terms of the GNU General Public License version 2 only, as aoqi@0: * published by the Free Software Foundation. Oracle designates this aoqi@0: * particular file as subject to the "Classpath" exception as provided aoqi@0: * by Oracle in the LICENSE file that accompanied this code. aoqi@0: * aoqi@0: * This code is distributed in the hope that it will be useful, but WITHOUT aoqi@0: * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or aoqi@0: * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License aoqi@0: * version 2 for more details (a copy is included in the LICENSE file that aoqi@0: * accompanied this code). aoqi@0: * aoqi@0: * You should have received a copy of the GNU General Public License version aoqi@0: * 2 along with this work; if not, write to the Free Software Foundation, aoqi@0: * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. aoqi@0: * aoqi@0: * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA aoqi@0: * or visit www.oracle.com if you need additional information or have any aoqi@0: * questions. aoqi@0: */ aoqi@0: aoqi@0: /* aoqi@0: * This file is available under and governed by the GNU General Public aoqi@0: * License version 2 only, as published by the Free Software Foundation. 
aoqi@0: * However, the following notice accompanied the original version of this aoqi@0: * file, and Oracle licenses the original version of this file under the BSD aoqi@0: * license: aoqi@0: */ aoqi@0: /* aoqi@0: Copyright 2009-2013 Attila Szegedi aoqi@0: aoqi@0: Licensed under both the Apache License, Version 2.0 (the "Apache License") aoqi@0: and the BSD License (the "BSD License"), with licensee being free to aoqi@0: choose either of the two at their discretion. aoqi@0: aoqi@0: You may not use this file except in compliance with either the Apache aoqi@0: License or the BSD License. aoqi@0: aoqi@0: If you choose to use this file in compliance with the Apache License, the aoqi@0: following notice applies to you: aoqi@0: aoqi@0: You may obtain a copy of the Apache License at aoqi@0: aoqi@0: http://www.apache.org/licenses/LICENSE-2.0 aoqi@0: aoqi@0: Unless required by applicable law or agreed to in writing, software aoqi@0: distributed under the License is distributed on an "AS IS" BASIS, aoqi@0: WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or aoqi@0: implied. See the License for the specific language governing aoqi@0: permissions and limitations under the License. aoqi@0: aoqi@0: If you choose to use this file in compliance with the BSD License, the aoqi@0: following notice applies to you: aoqi@0: aoqi@0: Redistribution and use in source and binary forms, with or without aoqi@0: modification, are permitted provided that the following conditions are aoqi@0: met: aoqi@0: * Redistributions of source code must retain the above copyright aoqi@0: notice, this list of conditions and the following disclaimer. aoqi@0: * Redistributions in binary form must reproduce the above copyright aoqi@0: notice, this list of conditions and the following disclaimer in the aoqi@0: documentation and/or other materials provided with the distribution. 
aoqi@0: * Neither the name of the copyright holder nor the names of aoqi@0: contributors may be used to endorse or promote products derived from aoqi@0: this software without specific prior written permission. aoqi@0: aoqi@0: THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS aoqi@0: IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED aoqi@0: TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A aoqi@0: PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER aoqi@0: BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR aoqi@0: CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF aoqi@0: SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR aoqi@0: BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, aoqi@0: WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR aoqi@0: OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF aoqi@0: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. aoqi@0: */ aoqi@0: aoqi@0: package jdk.internal.dynalink.beans; aoqi@0: aoqi@0: import java.lang.annotation.Annotation; aoqi@0: import java.lang.reflect.AccessibleObject; aoqi@0: import sun.reflect.CallerSensitive; aoqi@0: aoqi@0: /** aoqi@0: * Utility class that determines if a method or constructor is caller sensitive. It actually encapsulates two different aoqi@0: * strategies for determining caller sensitivity; a more robust one that works if Dynalink runs as code with access aoqi@0: * to {@code sun.reflect} package, and an unprivileged one that is used when Dynalink doesn't have access to that aoqi@0: * package. Note that even the unprivileged strategy is ordinarily robust, but it relies on the {@code toString} method aoqi@0: * of the annotation. 
 * If an attacker were to use a different annotation to spoof the string representation of the
 * {@code CallerSensitive} annotation, they could designate their own methods as caller sensitive. This, however, does
 * not escalate privileges; it only causes Dynalink to never cache method handles for such methods, so all it would do
 * is decrease the performance of linking such methods. In the opposite case, when an attacker could trick Dynalink
 * into not recognizing genuine {@code CallerSensitive} annotations, Dynalink would treat caller sensitive methods as
 * ordinary methods, and would cache them bound to a zero-privilege delegate as the caller (just what Dynalink did
 * before it could handle caller-sensitive methods). That would practically render caller-sensitive methods exposed
 * through Dynalink unusable, but again, cannot lead to any privilege escalation. Therefore, even the less robust
 * unprivileged strategy is safe; the worst thing a successful attack against it can achieve is a slight reduction in
 * Dynalink-exposed functionality or performance.
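 */
public class CallerSensitiveDetector {

    /** Strategy chosen once, when this class is initialized, and used for every later query. */
    private static final DetectionStrategy DETECTION_STRATEGY = getDetectionStrategy();

    /**
     * Tells whether the given method or constructor is annotated as caller sensitive.
     *
     * @param ao the reflective object (method or constructor) to inspect
     * @return {@code true} if the selected strategy finds the {@code CallerSensitive} annotation on it
     */
    static boolean isCallerSensitive(AccessibleObject ao) {
        return DETECTION_STRATEGY.isCallerSensitive(ao);
    }

    /**
     * Picks the detection strategy: the privileged one if it can be instantiated, otherwise the
     * unprivileged fallback.
     *
     * @return the strategy to use for the lifetime of this class
     */
    private static DetectionStrategy getDetectionStrategy() {
        try {
            // Instantiating the privileged strategy initializes its class, whose static initializer
            // references CallerSensitive.class. Presumably that fails with a linkage or security
            // error when sun.reflect is not accessible to this code.
            return new PrivilegedDetectionStrategy();
        } catch (Throwable ignored) {
            // Deliberately broad: any failure selects the fallback. Per the class documentation,
            // the fallback can only cost functionality or performance, never grant privileges.
            return new UnprivilegedDetectionStrategy();
        }
    }

    /** Common contract of the two detection strategies. */
    private abstract static class DetectionStrategy {
        /**
         * @param ao the method or constructor to inspect
         * @return {@code true} if it is considered caller sensitive
         */
        abstract boolean isCallerSensitive(AccessibleObject ao);
    }

    /** Strategy that looks the annotation up by its class object. */
    private static final class PrivilegedDetectionStrategy extends DetectionStrategy {
        // Typed as an annotation class (it was a raw Class) so the lookup below is checked
        // by the compiler instead of producing an unchecked call.
        private static final Class<? extends Annotation> CALLER_SENSITIVE_ANNOTATION_CLASS =
                CallerSensitive.class;

        @Override
        boolean isCallerSensitive(AccessibleObject ao) {
            return ao.getAnnotation(CALLER_SENSITIVE_ANNOTATION_CLASS) != null;
        }
    }

    /** Strategy that recognizes the annotation only by its string representation. */
    private static final class UnprivilegedDetectionStrategy extends DetectionStrategy {
        // Must equal the annotation's toString() output exactly. That format is
        // implementation-dependent; if it ever differs, this strategy reports "not caller
        // sensitive", which the class documentation describes as the non-escalating direction.
        private static final String CALLER_SENSITIVE_ANNOTATION_STRING = "@sun.reflect.CallerSensitive()";

        @Override
        boolean isCallerSensitive(AccessibleObject o) {
            for (Annotation a : o.getAnnotations()) {
                // String.valueOf tolerates a null element instead of throwing.
                if (String.valueOf(a).equals(CALLER_SENSITIVE_ANNOTATION_STRING)) {
                    return true;
                }
            }
            return false;
        }
    }
}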