Skip to content

Commit

Permalink
HV-1498 Fix privilege escalation when running under the security manager
Browse files Browse the repository at this point in the history
  • Loading branch information
@gsmet
gsmet committed Oct 19, 2017
1 parent 2b89528 commit 0886e89
Show file tree
Hide file tree
Showing 6 changed files with 48 additions and 1 deletion.
2 changes: 2 additions & 0 deletions documentation/src/main/asciidoc/ch01.asciidoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,8 @@ grant codeBase "file:path/to/hibernate-validator-{hvVersion}.jar" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "setContextClassLoader";
permission org.hibernate.validator.HibernateValidatorPermission "accessPrivateMembers";
// Only needed when working with XML descriptors (validation.xml or XML constraint mappings)
permission java.util.PropertyPermission "mapAnyUriToUri", "read";
};
Expand Down
29 changes: 29 additions & 0 deletions engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
/*
* Hibernate Validator, declare and validate application constraints
*
* License: Apache License, Version 2.0
* See the license.txt file in the root directory or <http://www.apache.org/licenses/LICENSE-2.0>.
*/
package org.hibernate.validator;

import java.security.BasicPermission;

/**
* Our specific implementation of {@link BasicPermission} as we cannot define additional {@link RuntimePermission}.
* <p>
* {@code HibernateValidatorPermission} is thread-safe and immutable.
*
* @author Guillaume Smet
*/
public class HibernateValidatorPermission extends BasicPermission {

public static final HibernateValidatorPermission ACCESS_PRIVATE_MEMBERS = new HibernateValidatorPermission( "accessPrivateMembers" );

public HibernateValidatorPermission(String name) {
super( name );
}

public HibernateValidatorPermission(String name, String actions) {
super( name, actions );
}
}
6 changes: 6 additions & 0 deletions engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@
import javax.validation.groups.Default;
import javax.validation.metadata.BeanDescriptor;

import org.hibernate.validator.HibernateValidatorPermission;
import org.hibernate.validator.internal.engine.ValidationContext.ValidationContextBuilder;
import org.hibernate.validator.internal.engine.constraintvalidation.ConstraintValidatorManager;
import org.hibernate.validator.internal.engine.groups.Group;
Expand Down Expand Up @@ -1771,6 +1772,11 @@ private Member getAccessible(Member original) {
return member;
}

SecurityManager sm = System.getSecurityManager();
if ( sm != null ) {
sm.checkPermission( HibernateValidatorPermission.ACCESS_PRIVATE_MEMBERS );
}

Class<?> clazz = original.getDeclaringClass();

if ( original instanceof Field ) {
Expand Down
6 changes: 6 additions & 0 deletions .../src/main/java/org/hibernate/validator/internal/metadata/aggregated/PropertyMetaData.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
import javax.validation.ElementKind;
import javax.validation.metadata.GroupConversionDescriptor;

import org.hibernate.validator.HibernateValidatorPermission;
import org.hibernate.validator.internal.engine.valuehandling.UnwrapMode;
import org.hibernate.validator.internal.metadata.core.ConstraintHelper;
import org.hibernate.validator.internal.metadata.core.MetaConstraint;
Expand Down Expand Up @@ -119,6 +120,11 @@ private static Member getAccessible(Member original) {
return original;
}

SecurityManager sm = System.getSecurityManager();
if ( sm != null ) {
sm.checkPermission( HibernateValidatorPermission.ACCESS_PRIVATE_MEMBERS );
}

Class<?> clazz = original.getDeclaringClass();
Member member;

Expand Down
1 change: 0 additions & 1 deletion ...c/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,6 @@ private GetDeclaredField(Class<?> clazz, String fieldName) {
public Field run() {
try {
final Field field = clazz.getDeclaredField( fieldName );
field.setAccessible( true );
return field;
}
catch (NoSuchFieldException e) {
Expand Down
5 changes: 5 additions & 0 deletions tck-runner/src/test/resources/test.policy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@ grant codeBase "file:${localRepository}/org/hibernate/hibernate-validator/${proj
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "setContextClassLoader";

permission org.hibernate.validator.HibernateValidatorPermission "accessPrivateMembers";

// JAXB
permission java.util.PropertyPermission "mapAnyUriToUri", "read";
};
Expand All @@ -39,6 +41,8 @@ grant codeBase "file:${basedir}/../engine/target/hibernate-validator-${project.v
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "setContextClassLoader";

permission org.hibernate.validator.HibernateValidatorPermission "accessPrivateMembers";

// JAXB
permission java.util.PropertyPermission "mapAnyUriToUri", "read";
};
Expand Down Expand Up @@ -81,6 +85,7 @@ grant codeBase "file:${project.build.directory}/classes" {
permission java.util.PropertyPermission "validation.provider", "read";
permission java.io.FilePermission "${localRepository}/org/hibernate/beanvalidation/tck/beanvalidation-tck-tests/${tck.version}/beanvalidation-tck-tests-${tck.version}.jar", "read";
permission java.util.PropertyPermission "user.language", "write";
permission org.hibernate.validator.HibernateValidatorPermission "accessPrivateMembers";
};

grant codeBase "file:${project.build.directory}/test-classes" {
Expand Down

0 comments on commit 0886e89

Please sign in to comment.