Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Correct permissions of jackson-databind "the correct way" #5767

Conversation

uschindler
Copy link
Contributor

Description

[Describe what this change achieves]

Issues Resolved

This is to demonstrate how to fix #5504 the "correct way"

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@@ -462,6 +463,7 @@ public void testVersionSetting() throws IOException {
}
}

@Ignore("https://github.com/opensearch-project/OpenSearch/issues/5504")
Copy link
Contributor Author

@uschindler uschindler Jan 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test of course fails as it uses setAccessible and also adds SuppressForbidden!? There was a reason why the forbiddenapis forbids setAccessible()!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you're saying that this is by design. Let's rewrite the test as such!

Copy link
Contributor Author

@uschindler uschindler Jan 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See other PR #5768, I made a proposal. Alternatively remove the test. Because if the fields are "final" theres no need to test any other value than the final value.

@@ -79,6 +79,12 @@ grant codeBase "${codebase.jna}" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
};

grant codeBase "${codebase.jackson-databind}" {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately this is not working for jackson-databind, so we need a workaround or we should look at the new PR #5768.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 9, 2023

Gradle Check (Jenkins) Run Completed with:

@uschindler
Copy link
Contributor Author

I will close this as we have #5768, removing the dependency from server core.

In general this approach is the correct one to limit permissions to specific JAR files, but the downside is that the JAR file must implement AccessController#doPrivileged() whenever calling secrurity-critical APIs.

@uschindler uschindler closed this Jan 10, 2023
@uschindler uschindler deleted the draft/fix-permissions-jackson branch January 10, 2023 18:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Evaluate the permission change for jackson-databind
3 participants