This is an automated email from the ASF dual-hosted git repository.

imaxon pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/asterixdb.git


The following commit(s) were added to refs/heads/master by this push:
     new d5ca10b  [NO ISSUE] Check if Java UDF classes are assignable to IFunctionFactory
d5ca10b is described below

commit d5ca10bfc2599373cc348f87388ccb915b953b5d
Author: Ian Maxon <ian.ma...@couchbase.com>
AuthorDate: Tue Nov 24 17:35:01 2020 -0800

    [NO ISSUE] Check if Java UDF classes are assignable to IFunctionFactory
    
    As of now, we instantiate whatever class is specified in an external UDF upon
    invocation before checking if it can be cast to an IFunctionFactory.
    
    This might be dangerous if some class in our classloaders contains exploitable
    code in static initializers. So we should check if the class is assignable to
    IFunctionFactory before attempting to instantiate it.
    
    Change-Id: Id14581cca775b54de6f3fd8c0cf032d7c352bbbe
    Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/9043
    Integration-Tests: Jenkins <jenk...@fulliautomatix.ics.uci.edu>
    Tested-by: Jenkins <jenk...@fulliautomatix.ics.uci.edu>
    Reviewed-by: Dmitry Lychagin <dmitry.lycha...@couchbase.com>
---
 .../library/ExternalScalarJavaFunctionEvaluator.java        | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git 
a/asterixdb/asterix-external-data/src/main/java/org/apache/asterix/external/library/ExternalScalarJavaFunctionEvaluator.java
 
b/asterixdb/asterix-external-data/src/main/java/org/apache/asterix/external/library/ExternalScalarJavaFunctionEvaluator.java
index 33b0369..a8d246e 100755
--- 
a/asterixdb/asterix-external-data/src/main/java/org/apache/asterix/external/library/ExternalScalarJavaFunctionEvaluator.java
+++ 
b/asterixdb/asterix-external-data/src/main/java/org/apache/asterix/external/library/ExternalScalarJavaFunctionEvaluator.java
@@ -53,9 +53,16 @@ class ExternalScalarJavaFunctionEvaluator extends 
ExternalScalarFunctionEvaluato
 
         String classname = finfo.getExternalIdentifier().get(0);
         try {
-            Class<?> clazz = Class.forName(classname, true, 
library.getClassLoader());
-            IFunctionFactory externalFunctionFactory = (IFunctionFactory) 
clazz.newInstance();
-            externalFunctionInstance = (IExternalScalarFunction) 
externalFunctionFactory.getExternalFunction();
+            //first, check if this class is assignable to the correct 
interface before running static initializers that
+            //may be dangerous
+            Class<?> clazz = Class.forName(classname, false, 
library.getClassLoader());
+            if (IFunctionFactory.class.isAssignableFrom(clazz)) {
+                //check if clazz implements IFunctionFactory
+                IFunctionFactory externalFunctionFactory = (IFunctionFactory) 
clazz.newInstance();
+                externalFunctionInstance = (IExternalScalarFunction) 
externalFunctionFactory.getExternalFunction();
+            } else {
+                throw new ClassCastException("Specified class does not 
implement IFunctionFactory");
+            }
         } catch (Exception e) {
             throw new 
RuntimeDataException(ErrorCode.LIBRARY_EXTERNAL_FUNCTION_UNABLE_TO_LOAD_CLASS, 
e, classname);
         }
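Review bot: the comment `//check if clazz implements IFunctionFactory` sits inside the `if` body, one line after the check it describes, so it reads as if something further is verified there; move it above `if (IFunctionFactory.class.isAssignableFrom(clazz)) {` or fold it into the comment that already explains the `initialize=false` load. Two smaller points on the same hunk: `clazz.newInstance()` is deprecated since Java 9 because it propagates any checked exception the constructor throws, so `clazz.getDeclaredConstructor().newInstance()` would be the idiomatic replacement (the surrounding `catch (Exception e)` keeps the error handling unchanged); and `isAssignableFrom` only confirms the type relationship, not that the class is concrete, so an abstract implementation still reaches `newInstance()` and surfaces as the generic LIBRARY_EXTERNAL_FUNCTION_UNABLE_TO_LOAD_CLASS rather than a clearer message. Worth stating in the comment that `Class.forName(classname, false, ...)` still loads and links the class and its supertypes; what it defers is only the static initializer of the named class, which is exactly the window the commit message describes.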
