From b59ead91e0e44e4994f7be8712f14e6d17de6892 Mon Sep 17 00:00:00 2001 From: Tim Brooks Date: Tue, 7 Feb 2017 12:38:21 -0600 Subject: [PATCH] Remove usages for forbidden apis or suppress (elastic/elasticsearch#4850) This is related to elastic/elasticsearchelastic/elasticsearch#22964. Methods that could open socket connections are being made forbidden apis. This commit either replaces usages with URL.openStream() with a call to FileSystemUtils.openFileURLStream(URL url) (in the case of a file url) or adds SuppressForbidden annotations. Original commit: elastic/x-pack-elasticsearch@93b1b113751b605431b1a9cb91c73741b1efaf4e --- .../xpack/extensions/InstallXPackExtensionCommand.java | 2 ++ .../security/authc/esnative/ESNativeRealmMigrateTool.java | 2 ++ .../java/org/elasticsearch/transport/KnownActionsTests.java | 3 ++- .../xpack/extensions/InstallXPackExtensionCommandTests.java | 3 ++- .../security/transport/filter/IpFilteringIntegrationTests.java | 2 ++ 5 files changed, 10 insertions(+), 2 deletions(-) diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommand.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommand.java index d7d4100b4d7..b3da5bc308a 100644 --- a/elasticsearch/src/main/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommand.java +++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommand.java @@ -14,6 +14,7 @@ import org.elasticsearch.cli.ExitCodes; import org.elasticsearch.cli.EnvironmentAwareCommand; import org.elasticsearch.cli.Terminal; import org.elasticsearch.cli.UserException; +import org.elasticsearch.common.SuppressForbidden; import org.elasticsearch.common.io.FileSystemUtils; import org.elasticsearch.env.Environment; @@ -101,6 +102,7 @@ final class InstallXPackExtensionCommand extends EnvironmentAwareCommand { } /** Downloads the extension and returns the file it was downloaded to. */ + @SuppressForbidden(reason = "We use openStream to download extensions") private Path download(Terminal terminal, String extensionURL, Path tmpDir) throws Exception { terminal.println("-> Downloading " + URLDecoder.decode(extensionURL, "UTF-8")); URL url = new URL(extensionURL); diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java index 93659d108ec..e4590440579 100644 --- a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java +++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java @@ -25,6 +25,7 @@ import org.elasticsearch.cli.Terminal; import org.elasticsearch.cli.Terminal.Verbosity; import org.elasticsearch.common.Nullable; import org.elasticsearch.common.Strings; +import org.elasticsearch.common.SuppressForbidden; import org.elasticsearch.common.logging.ESLoggerFactory; import org.elasticsearch.common.logging.Loggers; import org.elasticsearch.common.settings.Settings; @@ -134,6 +135,7 @@ public class ESNativeRealmMigrateTool extends MultiCommand { terminal.println("users and roles imported."); } + @SuppressForbidden(reason = "We call connect in doPrivileged and provide SocketPermission") private String postURL(Settings settings, Environment env, String method, String urlString, OptionSet options, @Nullable String bodyString) throws Exception { URI uri = new URI(urlString); diff --git a/elasticsearch/src/test/java/org/elasticsearch/transport/KnownActionsTests.java b/elasticsearch/src/test/java/org/elasticsearch/transport/KnownActionsTests.java index 6b1e96f41df..ae6421bbfa9 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/transport/KnownActionsTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/transport/KnownActionsTests.java @@ -7,6 +7,7 @@ package org.elasticsearch.transport; import org.apache.lucene.util.IOUtils; import org.elasticsearch.action.Action; +import org.elasticsearch.common.io.FileSystemUtils; import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.io.Streams; import org.elasticsearch.common.settings.Settings; @@ -172,7 +173,7 @@ public class KnownActionsTests extends SecurityIntegTestCase { // its checkWritable was incorrect and it won't work without write permissions. // if we add the permission, it will open jars r/w, which is too scary! so copy to a safe r-w location. Path tmp = createTempFile(null, ".jar"); - try (InputStream in = codeLocation.openStream()) { + try (InputStream in = FileSystemUtils.openFileURLStream(codeLocation)) { Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING); } fileSystem = FileSystems.newFileSystem(new URI("jar:" + tmp.toUri()), Collections.emptyMap()); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommandTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommandTests.java index 10646506304..4533cedf0cb 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommandTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommandTests.java @@ -9,6 +9,7 @@ import org.apache.lucene.util.LuceneTestCase; import org.elasticsearch.Version; import org.elasticsearch.cli.MockTerminal; import org.elasticsearch.cli.UserException; +import org.elasticsearch.common.io.FileSystemUtils; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.test.ESTestCase; @@ -122,7 +123,7 @@ public class InstallXPackExtensionCommandTests extends ESTestCase { Path extDir = createTempDir(); String extZip = createExtension("fake", extDir); Path extZipWithSpaces = createTempFile("foo bar", ".zip"); - try (InputStream in = new URL(extZip).openStream()) { + try (InputStream in = FileSystemUtils.openFileURLStream(new URL(extZip))) { Files.copy(in, extZipWithSpaces, StandardCopyOption.REPLACE_EXISTING); } installExtension(extZipWithSpaces.toUri().toURL().toString(), home); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/transport/filter/IpFilteringIntegrationTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/transport/filter/IpFilteringIntegrationTests.java index 89ce5887600..30510aed3b9 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/transport/filter/IpFilteringIntegrationTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/transport/filter/IpFilteringIntegrationTests.java @@ -6,6 +6,7 @@ package org.elasticsearch.xpack.security.transport.filter; import org.elasticsearch.client.Client; +import org.elasticsearch.common.SuppressForbidden; import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; @@ -70,6 +71,7 @@ public class IpFilteringIntegrationTests extends SecurityIntegTestCase { } } + @SuppressForbidden(reason = "Allow opening socket for test") private void trySocketConnection(Socket socket, InetSocketAddress address) throws IOException { logger.info("connecting to {}", address); SocketAccess.doPrivileged(() -> socket.connect(address, 500));