1 /*
   2  * Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package jdk.jfr.internal;
  27 
  28 import java.io.BufferedWriter;
  29 import java.io.FileNotFoundException;
  30 import java.io.IOException;
  31 import java.nio.file.Files;
  32 import java.nio.file.Path;
  33 import java.security.AccessControlContext;
  34 import java.security.AccessController;
  35 import java.security.PrivilegedExceptionAction;
  36 import java.util.concurrent.Callable;
  37 
  38 /**
  39  * Purpose of this class is to simplify analysis of security risks.
  40  * <p>
  41  * Paths in the public API should be wrapped in this class so we
  42  * at all time know what kind of paths we are dealing with.
  43  * <p>
  44  * A user supplied path must never be used in an unsafe context, such as a
  45  * shutdown hook or any other thread created by JFR.
  46  * <p>
  47  * All operation using this path must happen in {@link #doPriviligedIO(Callable)}
  48  */
  49 public final class WriteableUserPath {
  50     private final AccessControlContext controlContext;
  51     private final Path original;
  52     private final Path real;
  53     private final String realPathText;
  54     private final String originalText;
  55 
  56     // Not to ensure security, but to help
  57     // against programming errors
  58     private volatile boolean inPrivileged;
  59 
  60     public WriteableUserPath(Path path) throws IOException {
  61         controlContext = AccessController.getContext();
  62         // verify that the path is writeable
  63         if (Files.exists(path) && !Files.isWritable(path)) {
  64             // throw same type of exception as FileOutputStream
  65             // constructor, if file can't be opened.
  66             throw new FileNotFoundException("Could not write to file: " + path.toAbsolutePath());
  67         }
  68         // will throw if non-writeable
  69         BufferedWriter fw = Files.newBufferedWriter(path);
  70         fw.close();
  71         this.original = path;
  72         this.originalText = path.toString();
  73         this.real = path.toRealPath();
  74         this.realPathText = real.toString();
  75     }
  76 
  77     /**
  78      * Returns a potentially malicious path where the user may have implemented
  79      * their own version of Path. This method should never be called in an
  80      * unsafe context and the Path value should never be passed along to other
  81      * methods.
  82      *
  83      * @return path from a potentially malicious user
  84      */
  85     public Path getPotentiallyMaliciousOriginal() {
  86         return original;
  87     }
  88 
  89     /**
  90      * Returns a string representation of the real path.
  91      *
  92      * @return path as text
  93      */
  94     public String getRealPathText() {
  95         return realPathText;
  96     }
  97 
  98     /**
  99      * Returns a string representation of the original path.
 100      *
 101      * @return path as text
 102      */
 103     public String getOriginalText() {
 104         return originalText;
 105     }
 106 
 107 
 108     /**
 109      * Returns a potentially malicious path where the user may have implemented
 110      * their own version of Path. This method should never be called in an
 111      * unsafe context and the Path value should never be passed along to other
 112      * methods.
 113      *
 114      * @return path from a potentially malicious user
 115      */
 116     public Path getReal() {
 117         if (!inPrivileged) {
 118             throw new InternalError("A user path was accessed outside the context it was supplied in");
 119         }
 120         return real;
 121     }
 122 
 123     public void doPriviligedIO(Callable<?> function) throws IOException {
 124         try {
 125             inPrivileged = true;
 126             AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
 127                 @Override
 128                 public Void run() throws Exception {
 129                     function.call();
 130                     return null;
 131                 }
 132             }, controlContext);
 133         } catch (Throwable t) {
 134             // prevent malicious user to propagate exception callback
 135             // in the wrong context
 136             throw new IOException("Unexpected error during I/O operation");
 137         } finally {
 138             inPrivileged = false;
 139         }
 140     }
 141 }