Expand Up @@ -12,7 +12,7 @@

import java.lang.StackWalker.Option;
import java.security.Policy;
import java.util.stream.Stream;
import java.util.Collection;

import net.bytebuddy.asm.Advice;

Expand Down Expand Up @@ -40,7 +40,7 @@

final StackWalker walker = StackWalker.getInstance(Option.RETAIN_CLASS_REFERENCE);
final Class<?> caller = walker.getCallerClass();
final Stream<Class<?>> chain = walker.walk(StackCallerClassChainExtractor.INSTANCE);
final Collection<Class<?>> chain = walker.walk(StackCallerClassChainExtractor.INSTANCE);

Check warning on line 43 in libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/RuntimeHaltInterceptor.java


Codecov / codecov/patch

libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/RuntimeHaltInterceptor.java#L43

Added line #L43 was not covered by tests

if (AgentPolicy.isChainThatCanExit(caller, chain) == false) {
throw new SecurityException("The class " + caller + " is not allowed to call Runtime::halt(" + code + ")");
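Review bot: The `SecurityException` names only `caller`, yet the check on the line above it is evaluated against `chain`, so a denial produced by a chain-based policy cannot be diagnosed from the message alone. Since `chain` is now a materialised `Collection` rather than a one-shot `Stream`, it can be reported safely, for example by appending `+ ", call chain: " + chain` to the message or by logging it before the throw. The same applies to the `System::exit` check in SystemExitInterceptor.java. The enclosing advice method starts and ends outside the hunk.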
Expand Up @@ -9,13 +9,16 @@
package org.opensearch.javaagent;

import java.lang.StackWalker.StackFrame;
import java.util.Collection;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/**
* Stack Caller Class Chain Extractor
*/
public final class StackCallerClassChainExtractor implements Function<Stream<StackFrame>, Stream<Class<?>>> {
public final class StackCallerClassChainExtractor implements Function<Stream<StackFrame>, Collection<Class<?>>> {
/**
* Single instance of stateless class.
*/
Expand All @@ -31,12 +34,12 @@ private StackCallerClassChainExtractor() {}
* @param frames stack frames
*/
@Override
public Stream<Class<?>> apply(Stream<StackFrame> frames) {
public Collection<Class<?>> apply(Stream<StackFrame> frames) {
return cast(frames);
}

@SuppressWarnings("unchecked")
private static <A> Stream<A> cast(Stream<StackFrame> frames) {
return (Stream<A>) frames.map(StackFrame::getDeclaringClass).filter(c -> !c.isHidden()).distinct();
private static <A> Set<A> cast(Stream<StackFrame> frames) {
return (Set<A>) frames.map(StackFrame::getDeclaringClass).filter(c -> !c.isHidden()).collect(Collectors.toSet());
}
}
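Review bot: `Collectors.toSet()` in `cast` hands the policy a set with no guaranteed iteration order or immutability, so the value still called a "chain" no longer reflects call order and can be modified by whichever policy function receives it. `AnyCanExit` only tests membership, so current behaviour is unaffected, but a later order-sensitive policy would silently get the wrong answer. `collect(Collectors.toCollection(LinkedHashSet::new))` keeps the walk order, and `Collectors.toUnmodifiableSet()` would at least freeze the result. A comment on `apply` such as `// Collect inside walk(): the frame stream is closed once StackWalker.walk returns` would also record what appears to be the reason for moving away from `Stream`. The Javadoc of `apply` starts outside the hunk.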
Expand Up @@ -12,7 +12,7 @@

import java.lang.StackWalker.Option;
import java.security.Policy;
import java.util.stream.Stream;
import java.util.Collection;

import net.bytebuddy.asm.Advice;

Expand Down Expand Up @@ -40,7 +40,7 @@

final StackWalker walker = StackWalker.getInstance(Option.RETAIN_CLASS_REFERENCE);
final Class<?> caller = walker.getCallerClass();
final Stream<Class<?>> chain = walker.walk(StackCallerClassChainExtractor.INSTANCE);
final Collection<Class<?>> chain = walker.walk(StackCallerClassChainExtractor.INSTANCE);

Check warning on line 43 in libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SystemExitInterceptor.java


Codecov / codecov/patch

libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/SystemExitInterceptor.java#L43

Added line #L43 was not covered by tests

if (AgentPolicy.isChainThatCanExit(caller, chain) == false) {
throw new SecurityException("The class " + caller + " is not allowed to call System::exit(" + code + ")");
Expand Up @@ -13,6 +13,7 @@
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;
Expand All @@ -29,12 +30,12 @@
private static final Logger LOGGER = Logger.getLogger(AgentPolicy.class.getName());
private static volatile Policy policy;
private static volatile Set<String> trustedHosts;
private static volatile BiFunction<Class<?>, Stream<Class<?>>, Boolean> classesThatCanExit;
private static volatile BiFunction<Class<?>, Collection<Class<?>>, Boolean> classesThatCanExit;

/**
* None of the classes is allowed to call {@link System#exit} or {@link Runtime#halt}
*/
public static final class NoneCanExit implements BiFunction<Class<?>, Stream<Class<?>>, Boolean> {
public static final class NoneCanExit implements BiFunction<Class<?>, Collection<Class<?>>, Boolean> {
/**
* NoneCanExit
*/
Expand All @@ -47,7 +48,7 @@
* @return is class allowed to call {@link System#exit}, {@link Runtime#halt} or not
*/
@Override
public Boolean apply(Class<?> caller, Stream<Class<?>> chain) {
public Boolean apply(Class<?> caller, Collection<Class<?>> chain) {
return true;
}
}
Expand Down Expand Up @@ -86,7 +87,7 @@
/**
* Any caller in the chain is allowed to call {@link System#exit} or {@link Runtime#halt}
*/
public static final class AnyCanExit implements BiFunction<Class<?>, Stream<Class<?>>, Boolean> {
public static final class AnyCanExit implements BiFunction<Class<?>, Collection<Class<?>>, Boolean> {
private final String[] classesThatCanExit;

/**
Expand All @@ -104,15 +105,15 @@
* @return is class allowed to call {@link System#exit}, {@link Runtime#halt} or not
*/
@Override
public Boolean apply(Class<?> caller, Stream<Class<?>> chain) {
return chain.anyMatch(clazz -> {
public Boolean apply(Class<?> caller, Collection<Class<?>> chain) {
for (final Class<?> clazz : chain) {
for (final String classThatCanExit : classesThatCanExit) {
if (clazz.getName().matches(classThatCanExit)) {
return true;
}
}
return false;
});
}
return false;

Check warning on line 116 in libs/agent-sm/bootstrap/src/main/java/org/opensearch/javaagent/bootstrap/AgentPolicy.java


Codecov / codecov/patch

libs/agent-sm/bootstrap/src/main/java/org/opensearch/javaagent/bootstrap/AgentPolicy.java#L115-L116

Added lines #L115 - L116 were not covered by tests
}
}

Expand All @@ -135,7 +136,7 @@
public static void setPolicy(
Policy policy,
final Set<String> trustedHosts,
final BiFunction<Class<?>, Stream<Class<?>>, Boolean> classesThatCanExit
final BiFunction<Class<?>, Collection<Class<?>>, Boolean> classesThatCanExit
) {
if (AgentPolicy.policy == null) {
AgentPolicy.policy = policy;
Expand Down Expand Up @@ -187,7 +188,7 @@
* @param chain chain of call classes
* @return is class allowed to call {@link System#exit}, {@link Runtime#halt} or not
*/
public static boolean isChainThatCanExit(Class<?> caller, Stream<Class<?>> chain) {
public static boolean isChainThatCanExit(Class<?> caller, Collection<Class<?>> chain) {
return classesThatCanExit.apply(caller, chain);
}
}
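Review bot: `NoneCanExit.apply` returns `true` for every caller, while both interceptors reject an exit only when `isChainThatCanExit(caller, chain) == false`, so as shown this policy permits `System::exit` and `Runtime::halt` for all classes, the opposite of its Javadoc ("None of the classes is allowed to call"). The hunk line numbers place this `apply` inside `NoneCanExit`, but the lines between the class header and the method are collapsed on this page, so confirm against the full file. If the Javadoc states the intent, the body should be `return false;`; if allow-all is intended, the class name and Javadoc should say so. The commit changes only the parameter type here and leaves the return value untouched.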