subbudvk commented on code in PR #1021:
URL: https://github.com/apache/opennlp/pull/1021#discussion_r3143409417
##########
opennlp-api/src/main/java/opennlp/tools/util/ext/ExtensionLoader.java:
##########
@@ -51,11 +119,22 @@ private ExtensionLoader() {
*
* @return the instance of the extension class
*
- * @throws ExtensionNotLoadedException Thrown if the load operation failed.
+ * @throws ExtensionNotLoadedException Thrown if the load operation failed or
+ * the class is not in an allowed package.
*/
@SuppressWarnings("unchecked")
public static <T> T instantiateExtension(Class<T> clazz, String
extensionClassName) {
+ // Validate BEFORE Class.forName() — static initializers execute during
forName(),
+ // so this check must precede the load to prevent gadget-chain RCE via
static init.
+ boolean allowed =
ALLOWED_PREFIXES.stream().anyMatch(extensionClassName::startsWith);
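Review bot: The `allowed` check uses a plain `String.startsWith` against `ALLOWED_PREFIXES`, but the updated Javadoc promises a package-level restriction ("the class is not in an allowed package"); those only coincide if every prefix is terminated with a `.`, otherwise a prefix such as `opennlp.tools` would also accept a class in an unrelated sibling package like `opennlp.toolsx.Foo`. Suggest documenting that invariant where `ALLOWED_PREFIXES` is declared (or normalising each entry to end with `.` when the list is built), and adding a unit test that a sibling-package name sharing the prefix is rejected. It would also help readers to note in the comment that the validation happens on the raw name before any loading, so that the allowlist is the only thing standing between an untrusted name and `Class.forName()`'s static initialisers.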
Review Comment:
Handled
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]