Uploaded image for project: 'Weld'
  1. Weld
  2. WELD-2705

Use secure actions for getting the constructor in LiteExtensionTranslator

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Done
    • 5.0.0.Beta1
    • 5.0.0.CR1
    • Extensions
    • None
    • Hide

      Bean interface:

      public interface TestBean {
          public String getName();
      }
      

       

      Build compatible extension:

      public class BasicBCEExtension implements BuildCompatibleExtension {
          @Synthesis
          public void synthesizeBean(SyntheticComponents synth) {
              synth.addBean(TestBean.class)
                   .type(TestBean.class)
                   .scope(ApplicationScoped.class)
                   .createWith(SyntheticCreator.class);
          }
      
          public static class SyntheticCreator implements SyntheticBeanCreator<TestBean> {
              @Override
              public TestBean create(Instance<Object> lookup, Parameters params) {
                  return () -> "synthetic";
              }
          }
      }
      

       

      Application code:

      @Inject TestBean testbean;
      
      public void test() {
          testbean.getName();
      }

       

      Show
      Bean interface: public interface TestBean {   public String getName(); }   Build compatible extension: public class BasicBCEExtension implements BuildCompatibleExtension {   @Synthesis     public void synthesizeBean(SyntheticComponents synth) {         synth.addBean(TestBean.class)              .type(TestBean.class)              .scope(ApplicationScoped.class)              .createWith(SyntheticCreator.class);     }     public static class SyntheticCreator implements SyntheticBeanCreator<TestBean> {         @Override         public TestBean create(Instance< Object > lookup, Parameters params) {             return () -> "synthetic" ;         }     } }   Application code: @Inject TestBean testbean; public void test() { testbean.getName(); }  

    Description

      Class.getDeclaredConstructor(...) does a security check and some of the places that LiteExtensionTranslator calls it can be called with application code on the stack.

       

      The one I hit was here: https://github.com/weld/core/blob/aef557fbd544bed87ac1ae9cc6ee3f6e0f5fd63d/weld-lite-extension-translator/src/main/java/org/jboss/weld/lite/extension/translator/LiteExtensionTranslator.java#L156

       

      In my scenario, an application class called a method on a proxy for an ApplicationScoped synthetic bean which resulted in this code being called to create the bean instance.

      Attachments

        Activity

          People

            manovotn Matěj Novotný
            azquelt Andrew Rouse
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: