db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Knut Anders Hatlen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-6648) Application code should not be able to call ContextService.getContextOrNull()
Date Tue, 26 Aug 2014 14:50:58 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14110773#comment-14110773
] 

Knut Anders Hatlen commented on DERBY-6648:
-------------------------------------------

I was wondering if one possibility is to have a doPrivileged() call on all public entry-points.
Essentially all methods that currently have a setupContextStack()/restoreContextStack() pair.
That'd make sure that the protected internal calls could only be called if the Derby code
base was entered via our public API. If we have the doPrivileged() calls further down, it
may be more difficult to convince oneself that no caller can reach that point after entering
the Derby code base via some internal API.

If we did that, I guess we would want to limit the top-level doPrivileged() calls to only
enable this particular SystemPermission. Unfortunately, it looks like the doPrivileged() overloads
that allow you to limit the scope to certain privileges, are only available in Java 8 and
higher. (Look for the doPrivileged() methods in AccessController that take a {{Permission...
perms}} vararg.)

> Application code should not be able to call ContextService.getContextOrNull()
> -----------------------------------------------------------------------------
>
>                 Key: DERBY-6648
>                 URL: https://issues.apache.org/jira/browse/DERBY-6648
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>         Attachments: derby-6648-01-aa-oneActionList.diff
>
>
> By calling ContextService.getContextOrNull() (and its relatives), application code can
get its hands on all sorts of internal Derby contexts, factories, and managers. This allows
application code to bypass SQL authorization checks and perform sensitive or data-corrupting
actions.
> For instance, right now an application can use this method to get its hands on the language
connection context. From the lcc, the application can get its hands on the data dictionary
and the execution transaction. Armed with those objects, the application can bypass authorization
checks and create schema objects, users, and permissions.
> Only Derby code should be able to call this powerful method.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message