TudbuT/tuddylib
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

fix a security issue

Browse source
This commit is contained in:
Daniella / Tove 2024-06-08 14:20:54 +02:00
parent e45f021b0b
commit d38a801404
Signed by: TudbuT
GPG key ID: B3CF345217F202D3
3 changed files with 5 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/main/java/de/tudbut/security/PermissionManager.java
View file

@ -41,7 +41,7 @@ public interface PermissionManager extends Cloneable {
return getClassName(clazz, null, 0);
}
default String getClassName(Class<?> clazz, boolean[] cache, int idx) {
if(cache != null && cache[0])
if(cache != null && cache[idx])
return clazz.getName();
try {
// Reset the name field so that it must be cached again

4
src/main/java/de/tudbut/security/permissionmanager/CallClassRestriction.java
View file

@ -55,8 +55,8 @@ public class CallClassRestriction extends Restriction {
// is class, inner class of it, loaded by it, or lambda in it?
Class<?> enclosingClass = lambda.getClass().getEnclosingClass();
boolean[] cache = new boolean[2];
b = allow.contains(getClassName(lambda.getClass(), cache, 0))
|| allow.contains(getClassName(lambda.getClass(), cache, 0).replaceAll("\\$\\$Lambda.*$", ""));
b = allow.contains(getClassName(lambda.getClass()))
|| allow.contains(getClassName(lambda.getClass()).replaceAll("\\$\\$Lambda.*$", ""));
if (enclosingClass != null)
b = b || allow.contains(getClassName(enclosingClass));
}

5
src/main/java/de/tudbut/security/permissionmanager/ClassLoaderRestriction.java
View file

@ -94,9 +94,8 @@ public class ClassLoaderRestriction extends Restriction {
b = b || allow.stream().anyMatch(x -> x.getClass() == enclosingClass);
// is lambda in allowed class?
boolean[] cache = new boolean[1];
String name = getClassName(lambda.getClass(), cache, 0).replaceAll("\\$\\$Lambda.*$", "");
b = b || allow.stream().anyMatch(x -> getClassName(x.getClass(), cache, 0).equals(name)); // is lambda in classloader
String name = getClassName(lambda.getClass()).replaceAll("\\$\\$Lambda.*$", "");
b = b || allow.stream().anyMatch(x -> getClassName(x.getClass()).equals(name)); // is lambda in classloader
try {
b = b || allow.contains(getClassObject(name).getClassLoader()); // is lambda in classloader-loaded class
} catch (Exception e) {