[ https://issues.apache.org/jira/browse/ARTEMIS-4763?focusedWorklogId=918290&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918290 ]
ASF GitHub Bot logged work on ARTEMIS-4763:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/May/24 10:25
            Start Date: 08/May/24 10:25
    Worklog Time Spent: 10m
      Work Description: gtully commented on PR #4924:
URL: https://github.com/apache/activemq-artemis/pull/4924#issuecomment-2100259018

   I don't know that it helps, the values in question come from configuration. We have no choice but to trust configuration, i.e. the file system, where our sources live. These are existing extension points, where the config provides the implementation. Any malicious intervention will implement any required interface if that is enforced. Any allow list gate will have to be configured in some way, probably on the file system. For an existing gadget to be exploited via this mechanism, the config has to be compromised, which is the file system, on that same file system can be any jar etc... so anything we do can be compromised unless we go down the route of signed jars etc. even then if the file system is compromised.... in short, I am not convinced of an interface check being of any great value when the threat is from file system compromise.

   Having said that, if there is value in the additional check, and I guess the value is that it makes it a little harder (if that makes any difference) it would need to be done before every newInstance of this sort to be effective. The xml parser does the same thing for one, in support of the same use case. Again, it is trusting config.

Issue Time Tracking
-------------------

    Worklog Id:     (was: 918290)
    Time Spent: 50m  (was: 40m)

> properties config - support metrics plugin, conversion of .class for non string attributes and empty init
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-4763
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4763
>             Project: ActiveMQ Artemis
>          Issue Type: New Feature
>          Components: Configuration
>   Affects Versions: 2.33.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> the metrics plugin is not a broker plugin, so cannot be initialised via the broker plugins collection. We can only add .class instances to collections.
> The metrics instance is an attribute that needs a class type argument on the metrics configuration.
> supporting a conversion to any non string scalar type using a .class value will work nicely.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
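
The interface check debated in the comment above, placed before `newInstance`, as an added example that is not code from the Artemis project or from PR #4924; `ConfiguredClassGate`, `Plugin` and the nested classes are hypothetical names. It loads the configured class with `initialize=false` so the type check runs before any static initializer, and it also shows the limit the comment describes: any class that implements the interface passes.

```java
// Added illustration: Plugin and the three nested classes are hypothetical, not Artemis code.
public class ConfiguredClassGate {
    static boolean staticInitRan = false;

    /** Stand-in for the extension-point interface a configured class must implement. */
    public interface Plugin { String name(); }

    public static class GoodPlugin implements Plugin {
        public String name() { return "good"; }
    }

    /** On the class path, but not a Plugin; the static block records whether it was initialized. */
    public static class NotAPlugin {
        static { staticInitRan = true; }
    }

    /** Implements the interface, so the type check alone cannot tell it from GoodPlugin. */
    public static class UnvettedPlugin implements Plugin {
        public String name() { return "unvetted"; }
    }

    /** Resolve a class name taken from configuration and instantiate it only if it is a T. */
    static <T> T instantiate(String className, Class<T> expected)
            throws ReflectiveOperationException {
        // initialize=false: load only, so no static initializer runs before the type check.
        Class<?> loaded = Class.forName(className, false,
                ConfiguredClassGate.class.getClassLoader());
        if (!expected.isAssignableFrom(loaded)) {
            throw new ClassCastException(className + " is not a " + expected.getName());
        }
        return expected.cast(loaded.getDeclaredConstructor().newInstance());
    }

    public static void main(String[] args) throws Exception {
        Plugin good = instantiate(GoodPlugin.class.getName(), Plugin.class);
        System.out.println("accepted: " + good.name());
        try {
            instantiate(NotAPlugin.class.getName(), Plugin.class);
        } catch (ClassCastException e) {
            System.out.println("rejected: " + e.getMessage()
                    + " (static initializer ran: " + staticInitRan + ")");
        }
        // The check constrains the type, not the origin or behaviour of the class.
        Plugin other = instantiate(UnvettedPlugin.class.getName(), Plugin.class);
        System.out.println("accepted as well: " + other.name());
    }
}
```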