[janino-dev] [jira] Created: (JANINO-113) Inner class access to inherited protected violates security

by JIRA jira@codehaus.org

Inner class access to inherited protected violates security
-----------------------------------------------------------

                 Key: JANINO-113
                 URL: http://jira.codehaus.org/browse/JANINO-113
             Project: Janino
          Issue Type: Bug
            Reporter: Matt Fowles
            Assignee: Arno Unkrig
            Priority: Critical


This is similar to but different than: http://jira.codehaus.org/browse/JANINO-112

Consider the following classes:

{code}
public class Parent {
    protected int var = 1;
}

public class Child extends Parent {
    public class Inner {
        public int get() {
            return var;
        }
        public void set() {
            var = 4;
        }
    }
}

public class Main {
    public static void main(String[] args) {
        Child.Inner i = new Child().new Inner();
        System.out.println("before set: " + i.get());
        i.set();
        System.out.println("after set: " + i.get());
    }
}
{code}

If you run this using janinoc as your compiler and java from the command line this will print:

before set: 1
after set: 4

as you would expect.

However, if you do the equivalent thing using SimpleCompiler() the call to get will fail with an "IllegalAccessError".

Janino is generating direct accesses to the protected variable from within the inner class, which violates the JVM's security policy.  The default class loader that runs apps is unsecured but any classes loaded through URLClassLoaders (like ones created by SimpleCompiler) run through secured class loaders.  As a result this will fail.

If you look at the output of javac, you will discover that javac creates specialized accessor methods to handle this case:


fowles@spiceweasel:~/sample/java$ javap test/Child
Compiled from "Child.java"
public class test.Child extends other.Parent{
    public test.Child();
    static int access$000(test.Child);
    static int access$102(test.Child, int);
}


Clearly, janino needs to create these accessors too, but I do not yet have a good sense of how to do this in the code base.  Pointers or solutions would be most welcome as this is a blocker for my company's use of Janino until it is resolved.


--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email
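
The accessor scheme that the javap listing in the report points to, written out by hand as an added example (it is not code from the thread, from javac or from Janino). The method names are copied from the javap output above; their bodies are an assumption inferred from the signatures, and the three classes are collapsed into one file (Main.java) so it runs stand-alone, whereas the report has Parent in package `other` and Child in package `test`.

```java
// Constructed illustration, save as Main.java.
class Parent {
    protected int var = 1;
}

class Child extends Parent {
    // Hand-written stand-ins for the two static methods javap lists on
    // test.Child. The field instructions on Parent.var now live inside Child,
    // which is a subclass of Parent, so the JVM's protected-access check
    // passes whichever package or class loader Parent comes from.
    static int access$000(Child outer) {
        return outer.var;               // read accessor (assumed body)
    }

    static int access$102(Child outer, int value) {
        return outer.var = value;       // write accessor, returns the new value (assumed body)
    }

    public class Inner {
        // Inner is not a subclass of Parent. Instead of touching Parent.var
        // directly, it calls package-private static methods on its enclosing
        // class, which is always in Inner's own package.
        public int get() {
            return access$000(Child.this);
        }

        public void set() {
            access$102(Child.this, 4);
        }
    }
}

public class Main {
    public static void main(String[] args) {
        Child.Inner i = new Child().new Inner();
        System.out.println("before set: " + i.get());
        i.set();
        System.out.println("after set: " + i.get());
    }
}
```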



[janino-dev] [jira] Updated: (JANINO-113) Inner class access to inherited protected violates security

by JIRA jira@codehaus.org


     [ http://jira.codehaus.org/browse/JANINO-113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Fowles updated JANINO-113:
-------------------------------

    Attachment: indirect.patch

Fix access to inherited protected members within nested class by
- add Java.IndirectFieldAccess to represent this case
- change a few resolution methods to create IndirectFieldAccess object as appropriate
- update all the visitors to work with them
- make the compilers generate synthetic getters and setters for IndirectFieldAccess on demand
- add tests


This patch includes in it the fix to Janino-112.




[janino-dev] [jira] Commented: (JANINO-113) Inner class access to inherited protected violates security

by JIRA jira@codehaus.org


    [ http://jira.codehaus.org/browse/JANINO-113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=134544#action_134544 ]

Matt Fowles commented on JANINO-113:
------------------------------------

I found a verification error when using these synthetic methods in <init> blocks.  More info soon.




[janino-dev] [jira] Updated: (JANINO-113) Inner class access to inherited protected violates security

by JIRA jira@codehaus.org


     [ http://jira.codehaus.org/browse/JANINO-113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Fowles updated JANINO-113:
-------------------------------

    Attachment: indirect.patch

This patch obsoletes my last one and fixes an extra get of this$0 that was causing verification errors.




[janino-dev] [jira] Updated: (JANINO-113) Inner class access to inherited protected violates security

by JIRA jira@codehaus.org


     [ http://jira.codehaus.org/browse/JANINO-113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Fowles updated JANINO-113:
-------------------------------

    Attachment:     (was: indirect.patch)




[janino-dev] [jira] Commented: (JANINO-113) Inner class access to inherited protected violates security

by JIRA jira@codehaus.org


    [ http://jira.codehaus.org/browse/JANINO-113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=135010#action_135010 ]

Arno Unkrig commented on JANINO-113:
------------------------------------

Why the heck can "test.Top$Inner.get()" legally access "for_sandbox_tests.ProtectedVariable.var", while
"for_sandbox_tests.Top$Inner.get()" can't? I'd have expected it the other way round, if any.

The JLS says:

"access is permitted [ ... ] when  [ ... ] access to the member or constructor occurs from within the package containing the class in which the protected member or constructor is declared."

So, if "Inner" and "ProtectedVariable" are declared in the same package (which is the case in case one, but not in case two), the access should be legal. Results, however, are precisely vice versa.

Can you please give me some inspiration?






[janino-dev] [jira] Commented: (JANINO-113) Inner class access to inherited protected violates security

by JIRA jira@codehaus.org


    [ http://jira.codehaus.org/browse/JANINO-113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=135017#action_135017 ]

Matt Fowles commented on JANINO-113:
------------------------------------

After further testing, I see that you are correct that this is only a problem when crossing package boundaries.

This was also a bug in the java compiler which took them some time to fix.  You can see their discussion of it here.

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4116802

The bug ticket from sun does not include the detail of how they fixed it (using synthetic getter methods), but that can be determined using javap.

Thus this bug can be viewed as a follow-on to Janino-112.

The example that I give above will fail if Child and Parent are in different packages.  Sorry for the confusion.  Regardless, I stand by this patch as a valid fix to the issue.




[janino-dev] [jira] Commented: (JANINO-113) Inner class access to inherited protected violates security

by JIRA jira@codehaus.org


    [ http://jira.codehaus.org/browse/JANINO-113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=135288#action_135288 ]

Arno Unkrig commented on JANINO-113:
------------------------------------

Nope, it's exactly THE OTHER WAY ROUND: The test fails if base and derived class are IN THE SAME PACKAGE. That's what confuses me so much. Tested with IBM JVM 1.5.0-SR5 and SUN JVM 1.4.2_10, 1.5.0_05 and 1.6.0.

How can this be?




[janino-dev] [jira] Commented: (JANINO-113) Inner class access to inherited protected violates security

by JIRA jira@codehaus.org


    [ http://jira.codehaus.org/browse/JANINO-113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=135315#action_135315 ]

Matt Fowles commented on JANINO-113:
------------------------------------

Regardless, the patch that I am offering creates these synthetic field accessors for all cases of accessing an enclosing inherited protected variable and it passes the tests that I have added for it.  It even allows a large chunk of our tests at work (which are much more sizeable and onerous) to pass.




[janino-dev] [jira] Commented: (JANINO-113) Inner class access to inherited protected violates security

by JIRA jira@codehaus.org


    [ http://jira.codehaus.org/browse/JANINO-113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=135658#action_135658 ]

Arno Unkrig commented on JANINO-113:
------------------------------------

Yep, your fix could also be the key for the access to PRIVATE members... stay tuned.

> Inner class access to inherited protected violates security
> -----------------------------------------------------------
>
>                 Key: JANINO-113
>                 URL: http://jira.codehaus.org/browse/JANINO-113
>             Project: Janino
>          Issue Type: Bug
>            Reporter: Matt Fowles
>            Assignee: Arno Unkrig
>            Priority: Critical
>         Attachments: indirect.patch
>
>
> This is similar to but different then: http://jira.codehaus.org/browse/JANINO-112
> Consider the following classes:
> {code}
> public class Parent {
>     protected int var = 1;
> }
> public class Child extends Parent {
>     public class Inner {
>         public int get() {
>             return var;
>         }
>         public void set() {
>             var = 4;
>         }
>     }
> }
> public class Main {
>     public static void main(String[] args) {
>         Child.Inner i = new Child().new Inner();
>         System.out.println("before set: " + i.get());
>         i.set();
>         System.out.println("after set: " + i.get());
>     }
> }
> {code}
> If you run this using janinoc as your compiler and java from the command line this will print:
> before set: 1
> after set: 4
> as you would expect.
> however, if you do the equivalent thing using SimpleCompiler() the call to get will fail with an "IllegalAccessError".
> Janino is generating direct accesses to the protected variable from within the inner class, which violates the JVM's security policy.  The default class loader that runs apps is unsecured but any classes loaded through URLClassLoaders (like ones created by SimpleCompiler) run through secured class loaders.  As a result this will fail.
> If you look at the output of javac, you will discover that javac creates specialized accessor methods to handle this case:
> fowles@spiceweasel:~/sample/java$ javap test/Child
> Compiled from "Child.java"
> public class test.Child extends other.Parent{
>     public test.Child();
>     static int access$000(test.Child);
>     static int access$102(test.Child, int);
> }
> Clearly, janino needs to create these accessors too, but I do not yet have a good sense of how to do this in the code base.  Pointers or solutions would be most welcome as this is a blocker for my company's use of Janino until it is resolved.




[janino-dev] [jira] Commented: (JANINO-113) Inner class access to inherited protected violates security

by JIRA jira@codehaus.org


    [ http://jira.codehaus.org/browse/JANINO-113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=136074#action_136074 ]

Matt Fowles commented on JANINO-113:
------------------------------------

Damn, it looks like we need to do something similar to this for protected methods too.

Arno, do you plan on reimplementing this patch, or is it worthwhile for me to extend it to protected methods as well?

{code:title=EvaluatorTests.java}
public void testProtectedMethodsAcrossPackage() throws Exception {
    SimpleCompiler sc = new SimpleCompiler();
    sc.setParentClassLoader(SimpleCompiler.BOOT_CLASS_LOADER, new Class[] { for_sandbox_tests.ProtectedVariable.class });

    // Compile a subclass whose inner class calls the inherited protected
    // methods: getVar() (instance) and sgetVar() (static).
    sc.cook("package for_sandbox_tests;\n" +
            "public class Top extends for_sandbox_tests.ProtectedVariable {\n" +
            "    public class Inner {\n" +
            "        public int get() {\n" +
            "            return getVar();\n" +
            "        }\n" +
            "        public int sget() {\n" +
            "            return sgetVar();\n" +
            "        }\n" +
            "    } \n" +
            "    public Inner createInner() {\n" +
            "        return new Inner();\n" +
            "    }\n" +
            "}"
    );

    // Load the compiled class and create an Inner instance through reflection.
    Class topClass = sc.getClassLoader().loadClass("for_sandbox_tests.Top");
    Method createInner = topClass.getDeclaredMethod("createInner", null);
    Object top = topClass.newInstance();
    Object inner = createInner.invoke(top, null);

    Class innerClass = inner.getClass();
    Method[] m = new Method[] {
            innerClass.getDeclaredMethod("get", null),
            innerClass.getDeclaredMethod("sget", null),
    };

    // The assertion expects get() to return 1 and sget() to return 2.
    for (int i = 0; i < m.length; ++i) {
        Object res = m[i].invoke(inner, null);
        assertEquals(Integer.valueOf(i + 1), res);
    }
}
{code}





[janino-dev] [jira] Commented: (JANINO-113) Inner class access to inherited protected violates security

by JIRA jira@codehaus.org


    [ http://jira.codehaus.org/browse/JANINO-113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=136075#action_136075 ]

Matt Fowles commented on JANINO-113:
------------------------------------

Implied in the above comment but not made explicit is that I added protected methods to ProtectedVariable (sgetVar() is static, getVar() is non-static).

> Inner class access to inherited protected violates security
> -----------------------------------------------------------
>
>                 Key: JANINO-113
>                 URL: http://jira.codehaus.org/browse/JANINO-113
>             Project: Janino
>          Issue Type: Bug
>            Reporter: Matt Fowles
>            Assignee: Arno Unkrig
>            Priority: Critical
>         Attachments: indirect.patch
>
>
> This is similar to but different then: http://jira.codehaus.org/browse/JANINO-112
> Consider the following classes:
> {code}
> public class Parent {
>     protected int var = 1;
> }
> public class Child extends Parent {
>     public class Inner {
>         public int get() {
>             return var;
>         }
>         public void set() {
>             var = 4;
>         }
>     }
> }
> public class Main {
>     public static void main(String[] args) {
>         Child.Inner i = new Child().new Inner();
>         System.out.println("before set: " + i.get());
>         i.set(); <