Correct permissions of jackson-databind "the correct way" #5767

Closed

Expand Up @@ -79,6 +79,12 @@ grant codeBase "${codebase.jna}" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
};

grant codeBase "${codebase.jackson-databind}" {
Collaborator

👍

Contributor Author

Unfortunately this is not working for jackson-databind, so we need a workaround or we should look at the new PR #5768.

// Jackson Databind needs access to declared members and makes them visible
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

//// Everything else:

grant {
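Review bot: The `suppressAccessChecks` grant in the new `${codebase.jackson-databind}` block only takes effect when every other protection domain on the call stack also holds it, because a security manager check passes only if all callers are permitted unless the stack is cut by `AccessController.doPrivileged`. Since Jackson is invoked from other codebases, either wrap those call sites in `doPrivileged` or extend the comment above the two permissions to name the call sites expected to do so; as written, a reader cannot tell how this grant is meant to be reached. `suppressAccessChecks` also permits `setAccessible(true)` on private members, so the comment should say which Jackson feature needs it.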
Expand All @@ -100,9 +106,6 @@ grant {
permission jdk.net.NetworkPermission "getOption.TCP_KEEPCOUNT";
permission jdk.net.NetworkPermission "setOption.TCP_KEEPCOUNT";

permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

// Allow read access to all system properties
permission java.util.PropertyPermission "*", "read";
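Review bot: Dropping `accessDeclaredMembers` and `suppressAccessChecks` from the catch-all `grant { ... }` block removes them from every codebase that has no grant of its own, not only from callers of Jackson. Before merging, confirm that no other dependency or test relied on the global grant (the symptom would be an `AccessControlException` at runtime), and mention the tightened policy in the changelog so that code which needs these permissions declares them explicitly.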

Expand Up @@ -9,6 +9,7 @@
package org.opensearch.common.settings;

import org.junit.Before;
import org.junit.Ignore;
import org.opensearch.Version;
import org.opensearch.common.SuppressForbidden;
import org.opensearch.common.bytes.BytesReference;
Expand Down Expand Up @@ -462,6 +463,7 @@ public void testVersionSetting() throws IOException {
}
}

@Ignore("https://github.com/opensearch-project/OpenSearch/issues/5504")
Contributor Author

@uschindler Jan 9, 2023

This test of course fails as it uses setAccessible and also adds SuppressForbidden!? There was a reason why the forbiddenapis forbids setAccessible()!

Member

I think you're saying that this is by design. Let's rewrite the test as such!

Contributor Author

@uschindler Jan 10, 2023

See other PR #5768, I made a proposal. Alternatively remove the test. Because if the fields are "final" there's no need to test any other value than the final value.

@SuppressForbidden(reason = "The only way to test these is via reflection")
public void testExceptionHandling() throws NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException {
// abuse reflection to change default value, no way to do this with given Setting class
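Review bot: The `@Ignore` added above `testExceptionHandling` disables the test rather than resolving the conflict it exposes: the method still carries `@SuppressForbidden` and, by its own comment, uses reflection to change a default value, which is what the tightened policy now blocks. Prefer rewriting the test without reflection or deleting it in this change; if it must stay ignored, state in the `@Ignore` reason what has to happen before it is re-enabled, since the bare issue URL does not say.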