Uploaded image for project: 'Weld'
  1. Weld
  2. WELD-2705

Use secure actions for getting the constructor in LiteExtensionTranslator

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 5.0.0.CR1
    • 5.0.0.Beta1
    • Extensions
    • None
    • Hide

      Bean interface:

      public interface TestBean {
    public String getName();
}

       

      Build compatible extension:

      public class BasicBCEExtension implements BuildCompatibleExtension {
    @Synthesis
    public void synthesizeBean(SyntheticComponents synth) {
        synth.addBean(TestBean.class)
             .type(TestBean.class)
             .scope(ApplicationScoped.class)
             .createWith(SyntheticCreator.class);
    }

    public static class SyntheticCreator implements SyntheticBeanCreator<TestBean> {
        @Override
        public TestBean create(Instance<Object> lookup, Parameters params) {
            return () -> "synthetic";
        }
    }
}

       

      Application code:

      @Inject TestBean testbean;

public void test() {
    testbean.getName();
}

       

      Show
      Bean interface: public interface TestBean {   public String getName(); }   Build compatible extension: public class BasicBCEExtension implements BuildCompatibleExtension {   @Synthesis     public void synthesizeBean(SyntheticComponents synth) {         synth.addBean(TestBean.class)              .type(TestBean.class)              .scope(ApplicationScoped.class)              .createWith(SyntheticCreator.class);     }     public static class SyntheticCreator implements SyntheticBeanCreator<TestBean> {         @Override         public TestBean create(Instance< Object > lookup, Parameters params) {             return () -> "synthetic" ;         }     } }   Application code: @Inject TestBean testbean; public void test() { testbean.getName(); }  

      Class.getDeclaredConstructor(...) does a security check and some of the places that LiteExtensionTranslator calls it can be called with application code on the stack.

       

      The one I hit was here: https://github.com/weld/core/blob/aef557fbd544bed87ac1ae9cc6ee3f6e0f5fd63d/weld-lite-extension-translator/src/main/java/org/jboss/weld/lite/extension/translator/LiteExtensionTranslator.java#L156

       

      In my scenario, an application class called a method on a proxy for an ApplicationScoped synthetic bean which resulted in this code being called to create the bean instance.

              manovotn Matěj Novotný
              azquelt Andrew Rouse (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: