author | Zipeng WU <zipeng.wu@sonarsource.com> | 2021-04-29 08:53:54 +0200 |
---|---|---|
committer | sonartech <sonartech@sonarsource.com> | 2021-04-29 20:03:32 +0000 |
commit | 1476a48fea64574ca131df89e31ccb62fee8a49d (patch) | |
tree | ed7b08b68121cef5abef6c516f289a68bef4db3d /server/sonar-process | |
parent | 8e115cd61790c03dfcd91183fd6424cab0b03631 (diff) | |
SONAR-14253 fix Authenticated JMX remote access not working with Compute Engine
SecurityManagement is introduced to prevent code injection from community plugins by denying them access to our core's classloader realm, and is not intended to block anything else. AccessController will return a ProtectionDomain with a null classloader when asked for an MBeanPermission.
Diffstat (limited to 'server/sonar-process')
-rw-r--r-- | server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java | 3 | ||||
-rw-r--r-- | server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java | 10 |
2 files changed, 12 insertions, 1 deletions
diff --git a/server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java b/server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java
index 79674ad17bc..7a2d32f4fc5 100644
--- a/server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java
+++ b/server/sonar-process/src/main/java/org/sonar/process/SecurityManagement.java
@@ -89,7 +89,8 @@ public class SecurityManagement {
   }
 
   String getDomainClassLoaderName(ProtectionDomain domain) {
-    return domain.getClassLoader().getClass().getName();
+    ClassLoader classLoader = domain.getClassLoader();
+    return classLoader != null ? classLoader.getClass().getName() : null;
   }
   }
 }
diff --git a/server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java b/server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java
index 9bf0afaf57c..b3def5ce1b6 100644
--- a/server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java
+++ b/server/sonar-process/src/test/java/org/sonar/process/SecurityManagementTest.java
@@ -22,6 +22,7 @@ package org.sonar.process;
 import java.security.Permission;
 import java.security.ProtectionDomain;
 import java.security.SecurityPermission;
+import javax.management.MBeanPermission;
 import org.junit.Test;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -66,4 +67,13 @@ public class SecurityManagementTest {
     assertThat(policy.implies(pd, allowedRuntime)).isTrue();
     assertThat(policy.implies(pd, deniedRuntime)).isTrue();
   }
+
+  @Test
+  public void protection_domain_can_have_no_classloader() {
+    SecurityManagement.CustomPolicy policy = new SecurityManagement.CustomPolicy();
+    ProtectionDomain domain = new ProtectionDomain(null, null, null, null);
+    Permission permission = new MBeanPermission("com.sun.management.internal.HotSpotThreadImpl", "getMBeanInfo");
+
+    assertThat(policy.implies(domain, permission)).isTrue();
+  }
 }
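Review bot: The new `return ... : null` in getDomainClassLoaderName only moves the null one frame up: implies() is the caller that compares this name against the core/plugin classloader names, it lies outside this hunk, and the fix holds only if that comparison never dereferences the returned value (a constant-side `"...".equals(name)` or a null-tolerant set lookup, not `name.equals(...)`), which is worth confirming rather than inferring from the one passing test. Because the decision is security-relevant — a domain with no classloader is bootstrap-loaded JDK code (such as the JMX internals the commit fixes) and must be classified as "not a plugin" and therefore allowed, never denied — the contract belongs on the method: `/** @return the class name of the domain's class loader, or null when the domain has none (bootstrap-loaded JDK code); callers must treat null as "not a plugin classloader", never as a reason to deny. */`. The enclosing CustomPolicy class and implies() start before this hunk.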
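Review bot: protection_domain_can_have_no_classloader asserts only the end-to-end policy verdict, not the behaviour this commit repairs, so a future short-circuit in implies() could hide a regression of the NullPointerException; add a direct assertion on the method itself, `assertThat(policy.getDomainClassLoaderName(domain)).isNull();`. The `com.sun.management.internal.HotSpotThreadImpl` target on the MBeanPermission is incidental — it is the domain built with a null classloader, not the permission, that exercises the fix — so a one-line comment above the domain construction such as `// bootstrap-loaded JDK code has no class loader; it must not be mistaken for a plugin` would make the intent clear to the next reader. The test class body begins before this hunk.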