XWIKI-5168: Don't allow some methods in velocity introspector

Author: surli

xwiki-commons-core/xwiki-commons-velocity/pom.xml

@@ -35,6 +35,7 @@
     <xwiki.jacoco.instructionRatio>0.74</xwiki.jacoco.instructionRatio>
     <!-- Name to display by the Extension Manager -->
     <xwiki.extension.name>Velocity API</xwiki.extension.name>
+    <checkstyle.suppressions.location>${basedir}/src/main/checkstyle/checkstyle-suppressions.xml</checkstyle.suppressions.location>
   </properties>
   <dependencies>
     <dependency>

xwiki-commons-core/xwiki-commons-velocity/src/main/checkstyle/checkstyle-suppressions.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+-->
+
+<!DOCTYPE suppressions PUBLIC
+    "-//Puppy Crawl//DTD Suppressions 1.0//EN"
+    "http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
+
+<suppressions>
+  <!-- The default whitelists of accepted method are too long for this check -->
+  <suppress checks="ExecutableStatementCount" files="SecureIntrospector.java"/>
+</suppressions>

xwiki-commons-core/xwiki-commons-velocity/src/main/java/org/xwiki/velocity/introspection/SecureIntrospector.java

@@ -19,7 +19,10 @@
  */
 package org.xwiki.velocity.introspection;
 
+import java.io.File;
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
 
 import org.apache.velocity.util.introspection.SecureIntrospectorImpl;
@@ -33,7 +36,8 @@
  */
 public class SecureIntrospector extends SecureIntrospectorImpl
 {
-    private final Set<String> secureClassMethods = new HashSet<>();
+    private static final String GETNAME = "getname";
+    private final Map<Class, Set<String>> whitelistedMethods;
 
     /**
      * @param badClasses forbidden classes
@@ -44,41 +48,80 @@ public SecureIntrospector(String[] badClasses, String[] badPackages, Logger log)
     {
         super(badClasses, badPackages, log);
 
-        this.secureClassMethods.add("getname");
-        this.secureClassMethods.add("getName");
-        this.secureClassMethods.add("getsimpleName");
-        this.secureClassMethods.add("getSimpleName");
+        this.whitelistedMethods = new HashMap<>();
+        this.prepareWhitelistClass();
+        this.prepareWhiteListFile();
+    }
 
-        this.secureClassMethods.add("isarray");
-        this.secureClassMethods.add("isArray");
-        this.secureClassMethods.add("isassignablefrom");
-        this.secureClassMethods.add("isAssignableFrom");
-        this.secureClassMethods.add("isenum");
-        this.secureClassMethods.add("isEnum");
-        this.secureClassMethods.add("isinstance");
-        this.secureClassMethods.add("isInstance");
-        this.secureClassMethods.add("isinterface");
-        this.secureClassMethods.add("isInterface");
-        this.secureClassMethods.add("islocalClass");
-        this.secureClassMethods.add("isLocalClass");
-        this.secureClassMethods.add("ismemberclass");
-        this.secureClassMethods.add("isMemberClass");
-        this.secureClassMethods.add("isprimitive");
-        this.secureClassMethods.add("isPrimitive");
-        this.secureClassMethods.add("issynthetic");
-        this.secureClassMethods.add("isSynthetic");
-        this.secureClassMethods.add("getEnumConstants");
+    private void prepareWhitelistClass()
+    {
+        Set<String> whitelist = new HashSet<>();
+        whitelist.add(GETNAME);
+        whitelist.add("getsimpleName");
+        whitelist.add("isarray");
+        whitelist.add("isassignablefrom");
+        whitelist.add("isenum");
+        whitelist.add("isinstance");
+        whitelist.add("isinterface");
+        whitelist.add("islocalclass");
+        whitelist.add("ismemberclass");
+        whitelist.add("isprimitive");
+        whitelist.add("issynthetic");
+        whitelist.add("getenumconstants");
+        this.whitelistedMethods.put(Class.class, whitelist);
+    }
 
-        // TODO: add more when needed
+    private void prepareWhiteListFile()
+    {
+        Set<String> whitelist = new HashSet<>();
+        whitelist.add("canexecute");
+        whitelist.add("canread");
+        whitelist.add("canwrite");
+        whitelist.add("compareto");
+        whitelist.add("createtempfile");
+        whitelist.add("equals");
+        whitelist.add("getabsolutefile");
+        whitelist.add("getabsolutePath");
+        whitelist.add("getcanonicalfile");
+        whitelist.add("getcanonicalpath");
+        whitelist.add("getfreespace");
+        whitelist.add(GETNAME);
+        whitelist.add("getparent");
+        whitelist.add("getparentFile");
+        whitelist.add("getpath");
+        whitelist.add("gettotalspace");
+        whitelist.add("getusablespace");
+        whitelist.add("hashcode");
+        whitelist.add("isabsolute");
+        whitelist.add("isdirectory");
+        whitelist.add("isfile");
+        whitelist.add("ishidden");
+        whitelist.add("lastmodified");
+        whitelist.add("length");
+        whitelist.add("topath");
+        whitelist.add("tostring");
+        whitelist.add("touri");
+        whitelist.add("tourl");
+        whitelist.add("getclass");
+        this.whitelistedMethods.put(File.class, whitelist);
     }
 
     @Override
     public boolean checkObjectExecutePermission(Class clazz, String methodName)
     {
-        if (Class.class.isAssignableFrom(clazz) && methodName != null && this.secureClassMethods.contains(methodName)) {
-            return true;
-        } else {
-            return super.checkObjectExecutePermission(clazz, methodName);
+        Boolean result = null;
+        if (methodName != null) {
+            for (Map.Entry<Class, Set<String>> classSetEntry : this.whitelistedMethods.entrySet()) {
+                if (classSetEntry.getKey().isAssignableFrom(clazz)) {
+                    result = classSetEntry.getValue().contains(methodName.toLowerCase());
+                    break;
+                }
+            }
+        }
+
+        if (result == null) {
+            result = super.checkObjectExecutePermission(clazz, methodName);
         }
+        return result;
     }
 }

xwiki-commons-core/xwiki-commons-velocity/src/test/java/org/xwiki/velocity/introspection/SecureIntrospectorTest.java

@@ -0,0 +1,79 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.xwiki.velocity.introspection;
+
+import java.io.File;
+import java.util.ArrayList;
+
+import org.junit.jupiter.api.Test;
+import org.mockito.Mock;
+import org.slf4j.Logger;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+/**
+ * Tests for {@link SecureIntrospector}.
+ *
+ * @version $Id$
+ */
+public class SecureIntrospectorTest
+{
+    @Mock
+    private Logger logger;
+
+    class CustomFile extends File {
+        public CustomFile(String s)
+        {
+            super(s);
+        }
+    }
+
+    @Test
+    void checkObjectExecutePermissionWithClass()
+    {
+        SecureIntrospector secureIntrospector = new SecureIntrospector(new String[] {}, new String[] {}, this.logger);
+        assertTrue(secureIntrospector.checkObjectExecutePermission(Class.class, "isLocalClass"));
+    }
+
+    @Test
+    void checkObjectExecutePermissionWithFile()
+    {
+        SecureIntrospector secureIntrospector = new SecureIntrospector(new String[] {}, new String[] {}, this.logger);
+        assertTrue(secureIntrospector.checkObjectExecutePermission(File.class, "toString"));
+        assertFalse(secureIntrospector.checkObjectExecutePermission(File.class, "mkdir"));
+
+        assertTrue(secureIntrospector.checkObjectExecutePermission(File.class, "tostring"));
+        assertFalse(secureIntrospector.checkObjectExecutePermission(File.class, "renameto"));
+        assertFalse(secureIntrospector.checkObjectExecutePermission(File.class, "renameTo"));
+
+        assertTrue(secureIntrospector.checkObjectExecutePermission(CustomFile.class, "toString"));
+        assertFalse(secureIntrospector.checkObjectExecutePermission(CustomFile.class, "mkdir"));
+    }
+
+    @Test
+    void checkObjectExecutePermissionBlacklistedClass()
+    {
+        SecureIntrospector secureIntrospector = new SecureIntrospector(
+            new String[] { "java.util.ArrayList" }, new String[] {}, this.logger);
+        assertTrue(secureIntrospector.checkObjectExecutePermission(File.class, "toString"));
+        assertFalse(secureIntrospector.checkObjectExecutePermission(ArrayList.class, "toString"));
+    }
+}