Mercurial Mercurial > jdk-sandbox / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
src/jdk.jfr/share/classes/jdk/jfr/internal/WriteableUserPath.java
author egahlin
Tue, 15 May 2018 20:24:34 +0200
changeset 50113 caf115bb98ad
child 55256 3b22c7e00573
permissions -rw-r--r--
8199712: Flight Recorder Reviewed-by: coleenp, ihse, erikj, dsamersoff, mseledtsov, egahlin, mgronlun Contributed-by: erik.gahlin@oracle.com, markus.gronlund@oracle.com

/*
 * Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package jdk.jfr.internal;

import java.io.BufferedWriter;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Callable;

/**
 * Purpose of this class is to simplify analysis of security risks.
 * <p>
 * Paths in the public API should be wrapped in this class so we
 * at all time know what kind of paths we are dealing with.
 * <p>
 * A user supplied path must never be used in an unsafe context, such as a
 * shutdown hook or any other thread created by JFR.
 * <p>
 * All operation using this path must happen in {@link #doPriviligedIO(Callable)}
 */
public final class WriteableUserPath {
    private final AccessControlContext controlContext;
    private final Path original;
    private final Path real;
    private final String text;

    // Not to ensure security, but to help
    // against programming errors
    private volatile boolean inPrivileged;

    public WriteableUserPath(Path path) throws IOException {
        controlContext = AccessController.getContext();
        // verify that the path is writeable
        if (Files.exists(path) && !Files.isWritable(path)) {
            // throw same type of exception as FileOutputStream
            // constructor, if file can't be opened.
            throw new FileNotFoundException("Could not write to file: " + path.toAbsolutePath());
        }
        // will throw if non-writeable
        BufferedWriter fw = Files.newBufferedWriter(path);
        fw.close();
        this.original = path;
        this.real = path.toRealPath();
        this.text = real.toString();
    }

    /**
     * Returns a potentially malicious path where the user may have implemented
     * their own version of Path. This method should never be called in an
     * unsafe context and the Path value should never be passed along to other
     * methods.
     *
     * @return path from a potentially malicious user
     */
    public Path getPotentiallyMaliciousOriginal() {
        return original;
    }

    /**
     * Returns a string representation of the path.
     *
     * @return path as text
     */
    public String getText() {
        return text;
    }

    /**
     * Returns a potentially malicious path where the user may have implemented
     * their own version of Path. This method should never be called in an
     * unsafe context and the Path value should never be passed along to other
     * methods.
     *
     * @return path from a potentially malicious user
     */
    public Path getReal() {
        if (!inPrivileged) {
            throw new InternalError("A user path was accessed outside the context it was supplied in");
        }
        return real;
    }

    public void doPriviligedIO(Callable<?> function) throws IOException {
        try {
            inPrivileged = true;
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    function.call();
                    return null;
                }
            }, controlContext);
        } catch (Throwable t) {
            // prevent malicious user to propagate exception callback
            // in the wrong context
            throw new IOException("Unexpected error during I/O operation");
        } finally {
            inPrivileged = false;
        }
    }
}
jdk-sandbox