
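--- a/src/jdk.jfr/share/classes/jdk/jfr/internal/WriteableUserPath.java
+++ b/src/jdk.jfr/share/classes/jdk/jfr/internal/WriteableUserPath.java
@@ -33,94 +33,82 @@
 import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedExceptionAction;
 import java.util.concurrent.Callable;
 
 /**
  * Purpose of this class is to simplify analysis of security risks.
  * <p>
  * Paths in the public API should be wrapped in this class so we
  * at all time know what kind of paths we are dealing with.
  * <p>
  * A user supplied path must never be used in an unsafe context, such as a
  * shutdown hook or any other thread created by JFR.
  * <p>
  * All operation using this path must happen in {@link #doPriviligedIO(Callable)}
  */
 public final class WriteableUserPath {
     private final AccessControlContext controlContext;
     private final Path original;
     private final Path real;
-    private final String realPathText;
-    private final String originalText;
+    private final String text;
 
     // Not to ensure security, but to help
     // against programming errors
     private volatile boolean inPrivileged;
 
     public WriteableUserPath(Path path) throws IOException {
         controlContext = AccessController.getContext();
         // verify that the path is writeable
         if (Files.exists(path) && !Files.isWritable(path)) {
             // throw same type of exception as FileOutputStream
             // constructor, if file can't be opened.
             throw new FileNotFoundException("Could not write to file: " + path.toAbsolutePath());
         }
         // will throw if non-writeable
         BufferedWriter fw = Files.newBufferedWriter(path);
         fw.close();
         this.original = path;
-        this.originalText = path.toString();
         this.real = path.toRealPath();
-        this.realPathText = real.toString();
+        this.text = real.toString();
     }
 
     /**
      * Returns a potentially malicious path where the user may have implemented
      * their own version of Path. This method should never be called in an
      * unsafe context and the Path value should never be passed along to other
      * methods.
      *
      * @return path from a potentially malicious user
      */
     public Path getPotentiallyMaliciousOriginal() {
         return original;
     }
 
-    /**
-     * Returns a string representation of the real path.
-     *
-     * @return path as text
-     */
-    public String getRealPathText() {
-        return realPathText;
-    }
-
-    /**
-     * Returns a string representation of the original path.
-     *
-     * @return path as text
-     */
-    public String getOriginalText() {
-        return originalText;
-    }
+    /**
+     * Returns a string representation of the path.
+     *
+     * @return path as text
+     */
+    public String getText() {
+        return text;
+    }
 
-
     /**
      * Returns a potentially malicious path where the user may have implemented
      * their own version of Path. This method should never be called in an
      * unsafe context and the Path value should never be passed along to other
      * methods.
      *
      * @return path from a potentially malicious user
      */
     public Path getReal() {
         if (!inPrivileged) {
             throw new InternalError("A user path was accessed outside the context it was supplied in");
         }
         return real;
     }
 
     public void doPriviligedIO(Callable<?> function) throws IOException {
         try {
             inPrivileged = true;
             AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {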
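Review bot: The Javadoc on the new `getText()` (new line 88) says it returns "a string representation of the path", but the field is assigned from `real.toString()` on new line 72, so it is the resolved real path rather than the user-supplied one that the removed `getOriginalText()` returned; with a single text accessor left, the doc should state which: `* Returns a string representation of the real (resolved) path.` and `@return the real path as text`. Any caller that previously used the original text for messages will now show the resolved path, which can differ from what the user passed when symbolic links are involved — presumably intended, but worth saying in the Javadoc. `getText()` is also not guarded by `inPrivileged` the way `getReal()` is; that looks deliberate since a String cannot be a user-implemented Path, and a one-line comment such as `// plain String, safe to read outside doPriviligedIO` would make the asymmetry explicit. `doPriviligedIO` starts on the last lines of the hunk and its body continues outside it.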