From e3abccca009cbf702716e8b85f3d737497854054 Mon Sep 17 00:00:00 2001 From: Todd Baert Date: Wed, 6 Mar 2024 12:03:50 -0500 Subject: [PATCH] fix: potential finalizer attack Signed-off-by: Todd Baert --- .../openfeature/contrib/providers/flagd/FlagdProvider.java | 6 +++++- .../flagd/resolver/process/targeting/Fractional.java | 5 +++++ .../providers/gofeatureflag/GoFeatureFlagProvider.java | 5 +++++ .../providers/gofeatureflag/hook/DataCollectorHook.java | 5 +++++ .../contrib/providers/jsonlogic/FileBasedFetcher.java | 5 +++++ 5 files changed, 25 insertions(+), 1 deletion(-) diff --git a/providers/flagd/src/main/java/dev/openfeature/contrib/providers/flagd/FlagdProvider.java b/providers/flagd/src/main/java/dev/openfeature/contrib/providers/flagd/FlagdProvider.java index fdbb46850..d33cc39bc 100644 --- a/providers/flagd/src/main/java/dev/openfeature/contrib/providers/flagd/FlagdProvider.java +++ b/providers/flagd/src/main/java/dev/openfeature/contrib/providers/flagd/FlagdProvider.java @@ -22,7 +22,7 @@ * OpenFeature provider for flagd. */ @Slf4j -@SuppressWarnings("PMD.TooManyStaticImports") +@SuppressWarnings({"PMD.TooManyStaticImports", "checkstyle:NoFinalizer"}) public class FlagdProvider extends EventProvider implements FeatureProvider { private static final String FLAGD_PROVIDER = "flagD Provider"; @@ -33,6 +33,10 @@ public class FlagdProvider extends EventProvider implements FeatureProvider { private EvaluationContext evaluationContext; + protected final void finalize() { + // DO NOT REMOVE, spotbugs: CT_CONSTRUCTOR_THROW + } + /** * Create a new FlagdProvider instance with default options. */ diff --git a/providers/flagd/src/main/java/dev/openfeature/contrib/providers/flagd/resolver/process/targeting/Fractional.java b/providers/flagd/src/main/java/dev/openfeature/contrib/providers/flagd/resolver/process/targeting/Fractional.java index 19e76f7f6..320cc3d7c 100644 
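Review bot: The `checkstyle:NoFinalizer` suppression on FlagdProvider is class-wide, so any finalizer added to this class later would also go unreported, although only the one guard method needs the exemption. Placing `@SuppressWarnings("checkstyle:NoFinalizer")` directly on `finalize()` would keep the check active for the rest of the class, assuming the project's Checkstyle suppression setup honours the annotation at method level as it does at class level. The same class-level annotation is added to GoFeatureFlagProvider, DataCollectorHook and FileBasedFetcher.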
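Review bot: The comment inside the new empty `finalize()` in FlagdProvider names the SpotBugs rule but not the reason, so the method reads as dead code that only a "DO NOT REMOVE" is protecting. I would spell the reason out, e.g. `// Final no-op: stops a subclass overriding finalize() to get hold of an instance whose constructor threw (spotbugs: CT_CONSTRUCTOR_THROW)`, and mark the method `@Override`. `Object.finalize()` is deprecated in current JDKs, so builds that enable the deprecation lint will probably also want `@SuppressWarnings("deprecation")` on the method. Where a class is not meant to be extended, declaring it `final` closes the same hole without a finalizer at all. The identical method and comment are added to GoFeatureFlagProvider, DataCollectorHook and FileBasedFetcher, so the same wording applies there.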
--- a/providers/flagd/src/main/java/dev/openfeature/contrib/providers/flagd/resolver/process/targeting/Fractional.java +++ b/providers/flagd/src/main/java/dev/openfeature/contrib/providers/flagd/resolver/process/targeting/Fractional.java @@ -93,10 +93,15 @@ private static String distributeValue(final String hashKey, final List)) { throw new JsonLogicException("Property is not an array"); diff --git a/providers/go-feature-flag/src/main/java/dev/openfeature/contrib/providers/gofeatureflag/GoFeatureFlagProvider.java b/providers/go-feature-flag/src/main/java/dev/openfeature/contrib/providers/gofeatureflag/GoFeatureFlagProvider.java index 6beb780af..4fa717b17 100644 --- a/providers/go-feature-flag/src/main/java/dev/openfeature/contrib/providers/gofeatureflag/GoFeatureFlagProvider.java +++ b/providers/go-feature-flag/src/main/java/dev/openfeature/contrib/providers/gofeatureflag/GoFeatureFlagProvider.java @@ -59,6 +59,7 @@ * GoFeatureFlagProvider is the JAVA provider implementation for the feature flag solution GO Feature Flag. */ @Slf4j +@SuppressWarnings({"checkstyle:NoFinalizer"}) public class GoFeatureFlagProvider implements FeatureProvider { public static final long DEFAULT_CACHE_TTL_MS = 1000; public static final int DEFAULT_CACHE_CONCURRENCY_LEVEL = 1; @@ -81,6 +82,10 @@ public class GoFeatureFlagProvider implements FeatureProvider { private Cache> cache; private ProviderState state = ProviderState.NOT_READY; + protected final void finalize() { + // DO NOT REMOVE, spotbugs: CT_CONSTRUCTOR_THROW + } + /** * Constructor of the provider. * diff --git a/providers/go-feature-flag/src/main/java/dev/openfeature/contrib/providers/gofeatureflag/hook/DataCollectorHook.java b/providers/go-feature-flag/src/main/java/dev/openfeature/contrib/providers/gofeatureflag/hook/DataCollectorHook.java index 7022a88c7..94a2c0f27 100644 --- a/providers/go-feature-flag/src/main/java/dev/openfeature/contrib/providers/gofeatureflag/hook/DataCollectorHook.java 
+++ b/providers/go-feature-flag/src/main/java/dev/openfeature/contrib/providers/gofeatureflag/hook/DataCollectorHook.java @@ -33,6 +33,7 @@ * DataCollectorHook is an OpenFeature Hook in charge of sending the usage of the flag to GO Feature Flag. */ @Slf4j +@SuppressWarnings({"checkstyle:NoFinalizer"}) public class DataCollectorHook implements Hook { public static final long DEFAULT_FLUSH_INTERVAL_MS = Duration.ofMinutes(1).toMillis(); public static final int DEFAULT_MAX_PENDING_EVENTS = 10000; @@ -45,6 +46,10 @@ public class DataCollectorHook implements Hook { */ private final EventsPublisher eventsPublisher; + protected final void finalize() { + // DO NOT REMOVE, spotbugs: CT_CONSTRUCTOR_THROW + } + /** * Constructor of the hook. * diff --git a/providers/jsonlogic-eval-provider/src/main/java/dev/openfeature/contrib/providers/jsonlogic/FileBasedFetcher.java b/providers/jsonlogic-eval-provider/src/main/java/dev/openfeature/contrib/providers/jsonlogic/FileBasedFetcher.java index 7def40764..4186bd516 100644 --- a/providers/jsonlogic-eval-provider/src/main/java/dev/openfeature/contrib/providers/jsonlogic/FileBasedFetcher.java +++ b/providers/jsonlogic-eval-provider/src/main/java/dev/openfeature/contrib/providers/jsonlogic/FileBasedFetcher.java @@ -19,10 +19,15 @@ value = "PATH_TRAVERSAL_IN", justification = "This is expected to read files based on user input" ) +@SuppressWarnings({"checkstyle:NoFinalizer"}) public class FileBasedFetcher implements RuleFetcher { private static final Logger log = Logger.getLogger(String.valueOf(FileBasedFetcher.class)); private final JSONObject rules; + protected final void finalize() { + // DO NOT REMOVE, spotbugs: CT_CONSTRUCTOR_THROW + } + /** * Create a file based fetcher give a file URI. * @param filename URI to a given file.