From 1476a48fea64574ca131df89e31ccb62fee8a49d Mon Sep 17 00:00:00 2001
From: Zipeng WU <zipeng.wu@sonarsource.com>
Date: Thu, 29 Apr 2021 08:53:54 +0200
Subject: [PATCH] SONAR-14253 fix Authenticated JMX remote access not working
 with Compute Engine

SecurityManagement is introduced to prevent code injection from community plugins by denying access to our core's classloaders realm, and is not intended to block anything else. AccesscController will return a ProtectionDomain with null classloader when requested for a MBeanPermission.
---
 .../java/org/sonar/process/SecurityManagement.java     |  3 ++-
 .../java/org/sonar/process/SecurityManagementTest.java | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java b/server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java
index 79674ad17bc..7a2d32f4fc5 100644
--- a/server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java
+++ b/server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java
@@ -89,7 +89,8 @@ public class SecurityManagement {
     }
 
     String getDomainClassLoaderName(ProtectionDomain domain) {
-      return domain.getClassLoader().getClass().getName();
+      ClassLoader classLoader = domain.getClassLoader();
+      return classLoader != null ? classLoader.getClass().getName() : null;
     }
   }
 }
diff --git a/server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java b/server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java
index 9bf0afaf57c..b3def5ce1b6 100644
--- a/server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java
+++ b/server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java
@@ -22,6 +22,7 @@ package org.sonar.process;
 import java.security.Permission;
 import java.security.ProtectionDomain;
 import java.security.SecurityPermission;
+import javax.management.MBeanPermission;
 import org.junit.Test;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -66,4 +67,13 @@ public class SecurityManagementTest {
     assertThat(policy.implies(pd, allowedRuntime)).isTrue();
     assertThat(policy.implies(pd, deniedRuntime)).isTrue();
   }
+
+  @Test
+  public void protection_domain_can_have_no_classloader() {
+    SecurityManagement.CustomPolicy policy = new SecurityManagement.CustomPolicy();
+    ProtectionDomain domain = new ProtectionDomain(null, null, null, null);
+    Permission permission = new MBeanPermission("com.sun.management.internal.HotSpotThreadImpl", "getMBeanInfo");
+
+    assertThat(policy.implies(domain, permission)).isTrue();
+  }
 }
-- 
2.39.5