
Example 11 with SuppressForbidden

use of org.opensearch.common.SuppressForbidden in project OpenSearch by opensearch-project.

the class JarHell method checkJarHell.

/**
 * Checks the set of URLs for duplicate classes
 * @param urls A set of URLs from the classpath to be checked for conflicting jars
 * @param output A {@link String} {@link Consumer} to which debug output will be sent
 * @throws IllegalStateException if jar hell was found
 */
@SuppressForbidden(reason = "needs JarFile for speed, just reading entries")
public static void checkJarHell(Set<URL> urls, Consumer<String> output) throws URISyntaxException, IOException {
    // There is no portable way to enumerate the JDK's own classes (sun.boot.class.path is
    // internal/deprecated, and the module system offers no such list yet), so anything
    // located under java.home is simply left out of the scan.
    final String jdkHome = System.getProperty("java.home");
    output.accept("java.home: " + jdkHome);

    // class name -> classpath element; handed to checkClass for every class found.
    // checkClass is defined outside this excerpt; presumably it rejects a name that is
    // already owned by a different element -- confirm there.
    final Map<String, Path> clazzes = new HashMap<>(32768);
    final Set<Path> visitedJars = new HashSet<>();

    for (final URL url : urls) {
        final Path path = PathUtils.get(url.toURI());

        // Path.startsWith matches whole name elements, not a raw string prefix. The path
        // is compared as given: no normalization or symlink resolution happens here.
        if (path.startsWith(jdkHome)) {
            output.accept("excluding system resource: " + path);
            continue;
        }

        // Note: the ".jar" suffix test is case-sensitive; anything else is walked as a directory.
        if (!path.toString().endsWith(".jar")) {
            output.accept("examining directory: " + path);
            // case for tests: where we have class files in the classpath
            final Path root = PathUtils.get(url.toURI());
            final String sep = root.getFileSystem().getSeparator();
            // gradle will add these to the classpath even if they never get created
            if (!Files.exists(root)) {
                continue;
            }
            Files.walkFileTree(root, new SimpleFileVisitor<Path>() {

                @Override
                public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException {
                    final String relative = root.relativize(file).toString();
                    if (relative.endsWith(".class")) {
                        // normalize with the os separator, remove '.class'
                        final int keep = relative.length() - ".class".length();
                        final String className = relative.replace(sep, ".").substring(0, keep);
                        checkClass(clazzes, className, path);
                    }
                    return super.visitFile(file, attrs);
                }
            });
            continue;
        }

        // The same jar listed twice is reported immediately, before any entry is read.
        final boolean firstSighting = visitedJars.add(path);
        if (!firstSighting) {
            throw new IllegalStateException("jar hell!" + System.lineSeparator() + "duplicate jar on classpath: " + path);
        }
        output.accept("examining jar: " + path);
        try (JarFile jar = new JarFile(path.toString())) {
            final Manifest manifest = jar.getManifest();
            if (manifest != null) {
                checkManifest(manifest, path);
            }
            // inspect entries
            for (Enumeration<JarEntry> entries = jar.entries(); entries.hasMoreElements();) {
                final String name = entries.nextElement().getName();
                if (!name.endsWith(".class")) {
                    continue;
                }
                // for jar format, the separator is defined as /
                final String className = name.substring(0, name.length() - 6).replace('/', '.');
                checkClass(clazzes, className, path);
            }
        }
    }
}
Also used : Path(java.nio.file.Path) HashMap(java.util.HashMap) FileVisitResult(java.nio.file.FileVisitResult) IOException(java.io.IOException) JarFile(java.util.jar.JarFile) Manifest(java.util.jar.Manifest) JarEntry(java.util.jar.JarEntry) URL(java.net.URL) BasicFileAttributes(java.nio.file.attribute.BasicFileAttributes) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet) SuppressForbidden(org.opensearch.common.SuppressForbidden)

Example 12 with SuppressForbidden

use of org.opensearch.common.SuppressForbidden in project OpenSearch by opensearch-project.

the class JdkJarHellCheck method main.

/**
 * Command-line entry point: scans every location given as an argument and reports the findings.
 * <p>
 * Exits with status 0 when nothing was detected; otherwise prints each detected entry to
 * standard output and exits with status 1.
 *
 * @param argv locations to scan, each interpreted as a file-system path
 * @throws IOException declared for the scan; the scan itself is defined outside this excerpt
 * @throws IllegalArgumentException if one of the given paths does not exist
 */
@SuppressForbidden(reason = "command line tool")
public static void main(String[] argv) throws IOException {
    final JdkJarHellCheck jarHellCheck = new JdkJarHellCheck();
    for (final String arg : argv) {
        final Path candidate = Paths.get(arg);
        // Fail fast on a missing location instead of silently scanning nothing.
        if (!Files.exists(candidate)) {
            throw new IllegalArgumentException("Path does not exist: " + candidate);
        }
        jarHellCheck.scanForJDKJarHell(candidate);
    }

    // The exit status is the machine-readable result: non-zero means something was detected.
    int exitStatus = 0;
    if (!jarHellCheck.getDetected().isEmpty()) {
        jarHellCheck.getDetected().forEach(System.out::println);
        exitStatus = 1;
    }
    System.exit(exitStatus);
}
Also used : Path(java.nio.file.Path) SuppressForbidden(org.opensearch.common.SuppressForbidden)

Example 13 with SuppressForbidden

use of org.opensearch.common.SuppressForbidden in project OpenSearch by opensearch-project.

the class ContextDocGenerator method resetRootDir.

/**
 * Clears and recreates the directory that holds the generated painless API reference.
 * <p>
 * The location is a fixed relative path. How it is resolved depends on {@code PathUtils.get},
 * presumably against the process working directory -- confirm before running this from a
 * different directory, because the existing content at that location is removed first.
 *
 * @return the freshly created root directory
 * @throws IOException if removing the old content or creating the directory fails
 */
@SuppressForbidden(reason = "resolve api docs directory with environment")
private static Path resetRootDir() throws IOException {
    final Path apiReferenceDir = PathUtils.get("../../docs/painless/painless-api-reference");
    // IOUtils.rm is defined outside this excerpt; presumably it removes the whole tree.
    IOUtils.rm(apiReferenceDir);
    // createDirectories also creates any missing parent directories.
    Files.createDirectories(apiReferenceDir);
    return apiReferenceDir;
}
Also used : Path(java.nio.file.Path) SuppressForbidden(org.opensearch.common.SuppressForbidden)

Example 14 with SuppressForbidden

use of org.opensearch.common.SuppressForbidden in project job-scheduler by opensearch-project.

the class IntervalSchedule method runningOnTime.

/**
 * Reports whether the last execution happened within one second of a scheduled tick.
 * <p>
 * Ticks are spaced {@code intervalInMillis} apart, counted from {@code startTimeWithDelay}.
 * The last execution is compared against two ticks: the most recent tick that is at least
 * one second old, and the tick one interval after it.
 *
 * @param lastExecutionTime time of the previous execution; {@code null} is treated as on time
 * @return {@code true} if {@code lastExecutionTime} is {@code null} or lies less than 1000 ms
 *         from either of the two ticks, {@code false} otherwise
 */
@SuppressForbidden(reason = "Ignore forbidden api Math.abs()")
@Override
public Boolean runningOnTime(Instant lastExecutionTime) {
    if (lastExecutionTime == null) {
        return true;
    }

    final long scheduleStartMillis = this.startTimeWithDelay.toEpochMilli();
    final long nowMillis = this.clock.instant().toEpochMilli();

    // Position of "now" inside the current interval.
    long sinceExpectedRunMillis = (nowMillis - scheduleStartMillis) % this.intervalInMillis;
    // When a tick fell less than a second ago, step back one full interval so that the
    // tick that just passed is treated as the "current" one below.
    if (sinceExpectedRunMillis < 1000) {
        sinceExpectedRunMillis = this.intervalInMillis + sinceExpectedRunMillis;
    }

    final long expectedLastRunMillis = nowMillis - sinceExpectedRunMillis;
    final long expectedCurrentRunMillis = expectedLastRunMillis + this.intervalInMillis;

    final long lastRunMillis = lastExecutionTime.toEpochMilli();
    if (Math.abs(lastRunMillis - expectedLastRunMillis) < 1000) {
        return true;
    }
    return Math.abs(lastRunMillis - expectedCurrentRunMillis) < 1000;
}
Also used : Instant(java.time.Instant) SuppressForbidden(org.opensearch.common.SuppressForbidden)

Example 15 with SuppressForbidden

use of org.opensearch.common.SuppressForbidden in project OpenSearch by opensearch-project.

the class EvilSecurityTests method assertExactPermissions.

/**
 * checks exact file permissions, meaning those and only those for that path.
 */
@SuppressForbidden(reason = "to create FilePermission object")
static void assertExactPermissions(FilePermission expected, PermissionCollection actual) {
    // FilePermission reports its actions as one comma-separated string; see its javadocs.
    final String path = expected.getName();
    final Set<String> remaining = asSet(expected.getActions().split(","));

    // Every action this helper knows about, in the order it is checked.
    final String[] knownActions = { "read", "readlink", "write", "delete", "execute" };

    // Record which actions were requested, removing each one from the set as it is recognised.
    final boolean[] requested = new boolean[knownActions.length];
    for (int i = 0; i < knownActions.length; i++) {
        requested[i] = remaining.remove(knownActions[i]);
    }
    // Anything left over is an action this helper does not know how to verify.
    assertTrue("unrecognized permission: " + remaining, remaining.isEmpty());

    // Checked in both directions: a requested action must be implied by the collection,
    // and an action that was not requested must not be.
    for (int i = 0; i < knownActions.length; i++) {
        assertEquals(requested[i], actual.implies(new FilePermission(path, knownActions[i])));
    }
}
Also used : Matchers.hasToString(org.hamcrest.Matchers.hasToString) Matchers.containsString(org.hamcrest.Matchers.containsString) FilePermission(java.io.FilePermission) SuppressForbidden(org.opensearch.common.SuppressForbidden)

Aggregations

SuppressForbidden (org.opensearch.common.SuppressForbidden)42 URL (java.net.URL)17 Path (java.nio.file.Path)13 IOException (java.io.IOException)12 FilePermission (java.io.FilePermission)8 HttpURLConnection (java.net.HttpURLConnection)6 Settings (org.opensearch.common.settings.Settings)6 File (java.io.File)5 Permissions (java.security.Permissions)5 HashMap (java.util.HashMap)5 URLConnection (java.net.URLConnection)4 ProtectionDomain (java.security.ProtectionDomain)4 ArrayList (java.util.ArrayList)4 LinkedHashSet (java.util.LinkedHashSet)4 Matchers.containsString (org.hamcrest.Matchers.containsString)4 InputStream (java.io.InputStream)3 CodeSource (java.security.CodeSource)3 PermissionCollection (java.security.PermissionCollection)3 Policy (java.security.Policy)3 HashSet (java.util.HashSet)3