authorZipeng WU <zipeng.wu@sonarsource.com>2021-04-29 08:53:54 +0200
committersonartech <sonartech@sonarsource.com>2021-04-29 20:03:32 +0000
commit1476a48fea64574ca131df89e31ccb62fee8a49d (patch)
treeed7b08b68121cef5abef6c516f289a68bef4db3d /server/sonar-process
parent8e115cd61790c03dfcd91183fd6424cab0b03631 (diff)
SONAR-14253 fix Authenticated JMX remote access not working with Compute Engine
SecurityManagement is introduced to prevent code injection from community plugins by denying access to our core's classloader realm, and is not intended to block anything else. AccessController will return a ProtectionDomain with a null classloader when a MBeanPermission is requested.
Diffstat (limited to 'server/sonar-process')
-rw-r--r--server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java3
-rw-r--r--server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java10
2 files changed, 12 insertions, 1 deletions
diff --git a/server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java b/server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java
index 79674ad17bc..7a2d32f4fc5 100644
--- a/server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java
+++ b/server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java
@@ -89,7 +89,8 @@ public class SecurityManagement {
}
String getDomainClassLoaderName(ProtectionDomain domain) {
- return domain.getClassLoader().getClass().getName();
+ ClassLoader classLoader = domain.getClassLoader();
+ return classLoader != null ? classLoader.getClass().getName() : null;
}
}
}
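Review bot: getDomainClassLoaderName now returns null for a domain that has no class loader (bootstrap-loaded classes, which is the MBean case the commit message describes), but nothing in the hunk records that null means "not a core class loader, allow" — the next maintainer who sees a String-returning method handing back null will read it as an error path. A Javadoc on the method would fix that: `/** @return the domain's class loader class name, or null when the domain has no class loader (bootstrap); null never matches a core loader name and so the request is allowed. */`, together with a nullability annotation on the return (the project's `@CheckForNull`, if that is the convention used elsewhere) so static analysis flags callers that dereference it. The caller that compares the returned name against the denied loaders is outside this hunk; it should be confirmed to use a null-safe form such as `coreLoaders.contains(name)` rather than `name.equals(...)` or `name.startsWith(...)`, since the latter would throw on the new null and, depending on where it is caught, could turn a deny decision into an exception rather than a clean allow/deny.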
diff --git a/server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java b/server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java
index 9bf0afaf57c..b3def5ce1b6 100644
--- a/server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java
+++ b/server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java
@@ -22,6 +22,7 @@ package org.sonar.process;
import java.security.Permission;
import java.security.ProtectionDomain;
import java.security.SecurityPermission;
+import javax.management.MBeanPermission;
import org.junit.Test;
import static org.assertj.core.api.Assertions.assertThat;
@@ -66,4 +67,13 @@ public class SecurityManagementTest {
assertThat(policy.implies(pd, allowedRuntime)).isTrue();
assertThat(policy.implies(pd, deniedRuntime)).isTrue();
}
+
+ @Test
+ public void protection_domain_can_have_no_classloader() {
+ SecurityManagement.CustomPolicy policy = new SecurityManagement.CustomPolicy();
+ ProtectionDomain domain = new ProtectionDomain(null, null, null, null);
+ Permission permission = new MBeanPermission("com.sun.management.internal.HotSpotThreadImpl", "getMBeanInfo");
+
+ assertThat(policy.implies(domain, permission)).isTrue();
+ }
}
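Review bot: The new test pins the allowed outcome for a domain with no class loader, but neither the test name nor the body says why a null class loader must be treated as allowed, and the MBean class name literal on the permission reads as arbitrary. A one-line comment above the ProtectionDomain construction, such as `// platform MBeans are bootstrap-loaded and have no class loader; they must not be mistaken for a core loader (SONAR-14253)`, ties the fixture to the regression being fixed. It would also be worth pairing it with the negative case — the same MBeanPermission checked against a domain whose class loader is one of the denied core loaders should still be refused — so the change cannot later regress into allowing every MBeanPermission; if that case is already covered by an earlier test in this class (outside the hunk), a cross-reference in the comment is enough.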