Remove usages for forbidden apis or suppress (elastic/elasticsearch#4850)
This is related to elastic/elasticsearch#22964. Methods that could open socket connections are being made forbidden APIs. This commit either replaces usages of URL.openStream() with a call to FileSystemUtils.openFileURLStream(URL url) (in the case of a file URL) or adds SuppressForbidden annotations. Original commit: elastic/x-pack-elasticsearch@93b1b11375
parent
bd04b30acd
commit
b59ead91e0
|
@ -14,6 +14,7 @@ import org.elasticsearch.cli.ExitCodes;
|
||||||
import org.elasticsearch.cli.EnvironmentAwareCommand;
|
import org.elasticsearch.cli.EnvironmentAwareCommand;
|
||||||
import org.elasticsearch.cli.Terminal;
|
import org.elasticsearch.cli.Terminal;
|
||||||
import org.elasticsearch.cli.UserException;
|
import org.elasticsearch.cli.UserException;
|
||||||
|
import org.elasticsearch.common.SuppressForbidden;
|
||||||
import org.elasticsearch.common.io.FileSystemUtils;
|
import org.elasticsearch.common.io.FileSystemUtils;
|
||||||
import org.elasticsearch.env.Environment;
|
import org.elasticsearch.env.Environment;
|
||||||
|
|
||||||
|
@ -101,6 +102,7 @@ final class InstallXPackExtensionCommand extends EnvironmentAwareCommand {
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Downloads the extension and returns the file it was downloaded to. */
|
/** Downloads the extension and returns the file it was downloaded to. */
|
||||||
|
@SuppressForbidden(reason = "We use openStream to download extensions")
|
||||||
private Path download(Terminal terminal, String extensionURL, Path tmpDir) throws Exception {
|
private Path download(Terminal terminal, String extensionURL, Path tmpDir) throws Exception {
|
||||||
terminal.println("-> Downloading " + URLDecoder.decode(extensionURL, "UTF-8"));
|
terminal.println("-> Downloading " + URLDecoder.decode(extensionURL, "UTF-8"));
|
||||||
URL url = new URL(extensionURL);
|
URL url = new URL(extensionURL);
|
||||||
|
|
|
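Review bot: The `@SuppressForbidden` on `download(...)` exempts the whole method from the forbidden-API check, not just the one `openStream` call, so any socket-opening call added to it later will pass unnoticed. The same applies to `postURL(...)` in ESNativeRealmMigrateTool. I would move the call into a small annotated helper, for example `@SuppressForbidden(reason = "...") private static InputStream openStream(URL url) throws IOException { return url.openStream(); }`, and leave `download` itself checked. The visible lines build the URL straight from `extensionURL` with no scheme restriction, so the reason string should also state which schemes are expected and who supplies the URL. The body of `download` continues outside the hunk, so a scheme check may already exist further down.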
@ -25,6 +25,7 @@ import org.elasticsearch.cli.Terminal;
|
||||||
import org.elasticsearch.cli.Terminal.Verbosity;
|
import org.elasticsearch.cli.Terminal.Verbosity;
|
||||||
import org.elasticsearch.common.Nullable;
|
import org.elasticsearch.common.Nullable;
|
||||||
import org.elasticsearch.common.Strings;
|
import org.elasticsearch.common.Strings;
|
||||||
|
import org.elasticsearch.common.SuppressForbidden;
|
||||||
import org.elasticsearch.common.logging.ESLoggerFactory;
|
import org.elasticsearch.common.logging.ESLoggerFactory;
|
||||||
import org.elasticsearch.common.logging.Loggers;
|
import org.elasticsearch.common.logging.Loggers;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
|
@ -134,6 +135,7 @@ public class ESNativeRealmMigrateTool extends MultiCommand {
|
||||||
terminal.println("users and roles imported.");
|
terminal.println("users and roles imported.");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@SuppressForbidden(reason = "We call connect in doPrivileged and provide SocketPermission")
|
||||||
private String postURL(Settings settings, Environment env, String method, String urlString,
|
private String postURL(Settings settings, Environment env, String method, String urlString,
|
||||||
OptionSet options, @Nullable String bodyString) throws Exception {
|
OptionSet options, @Nullable String bodyString) throws Exception {
|
||||||
URI uri = new URI(urlString);
|
URI uri = new URI(urlString);
|
||||||
|
|
|
@ -7,6 +7,7 @@ package org.elasticsearch.transport;
|
||||||
|
|
||||||
import org.apache.lucene.util.IOUtils;
|
import org.apache.lucene.util.IOUtils;
|
||||||
import org.elasticsearch.action.Action;
|
import org.elasticsearch.action.Action;
|
||||||
|
import org.elasticsearch.common.io.FileSystemUtils;
|
||||||
import org.elasticsearch.common.io.PathUtils;
|
import org.elasticsearch.common.io.PathUtils;
|
||||||
import org.elasticsearch.common.io.Streams;
|
import org.elasticsearch.common.io.Streams;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
|
@ -172,7 +173,7 @@ public class KnownActionsTests extends SecurityIntegTestCase {
|
||||||
// its checkWritable was incorrect and it won't work without write permissions.
|
// its checkWritable was incorrect and it won't work without write permissions.
|
||||||
// if we add the permission, it will open jars r/w, which is too scary! so copy to a safe r-w location.
|
// if we add the permission, it will open jars r/w, which is too scary! so copy to a safe r-w location.
|
||||||
Path tmp = createTempFile(null, ".jar");
|
Path tmp = createTempFile(null, ".jar");
|
||||||
try (InputStream in = codeLocation.openStream()) {
|
try (InputStream in = FileSystemUtils.openFileURLStream(codeLocation)) {
|
||||||
Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
|
Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
|
||||||
}
|
}
|
||||||
fileSystem = FileSystems.newFileSystem(new URI("jar:" + tmp.toUri()), Collections.<String,Object>emptyMap());
|
fileSystem = FileSystems.newFileSystem(new URI("jar:" + tmp.toUri()), Collections.<String,Object>emptyMap());
|
||||||
|
|
|
@ -9,6 +9,7 @@ import org.apache.lucene.util.LuceneTestCase;
|
||||||
import org.elasticsearch.Version;
|
import org.elasticsearch.Version;
|
||||||
import org.elasticsearch.cli.MockTerminal;
|
import org.elasticsearch.cli.MockTerminal;
|
||||||
import org.elasticsearch.cli.UserException;
|
import org.elasticsearch.cli.UserException;
|
||||||
|
import org.elasticsearch.common.io.FileSystemUtils;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.env.Environment;
|
import org.elasticsearch.env.Environment;
|
||||||
import org.elasticsearch.test.ESTestCase;
|
import org.elasticsearch.test.ESTestCase;
|
||||||
|
@ -122,7 +123,7 @@ public class InstallXPackExtensionCommandTests extends ESTestCase {
|
||||||
Path extDir = createTempDir();
|
Path extDir = createTempDir();
|
||||||
String extZip = createExtension("fake", extDir);
|
String extZip = createExtension("fake", extDir);
|
||||||
Path extZipWithSpaces = createTempFile("foo bar", ".zip");
|
Path extZipWithSpaces = createTempFile("foo bar", ".zip");
|
||||||
try (InputStream in = new URL(extZip).openStream()) {
|
try (InputStream in = FileSystemUtils.openFileURLStream(new URL(extZip))) {
|
||||||
Files.copy(in, extZipWithSpaces, StandardCopyOption.REPLACE_EXISTING);
|
Files.copy(in, extZipWithSpaces, StandardCopyOption.REPLACE_EXISTING);
|
||||||
}
|
}
|
||||||
installExtension(extZipWithSpaces.toUri().toURL().toString(), home);
|
installExtension(extZipWithSpaces.toUri().toURL().toString(), home);
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
package org.elasticsearch.xpack.security.transport.filter;
|
package org.elasticsearch.xpack.security.transport.filter;
|
||||||
|
|
||||||
import org.elasticsearch.client.Client;
|
import org.elasticsearch.client.Client;
|
||||||
|
import org.elasticsearch.common.SuppressForbidden;
|
||||||
import org.elasticsearch.common.network.NetworkModule;
|
import org.elasticsearch.common.network.NetworkModule;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.transport.TransportAddress;
|
import org.elasticsearch.common.transport.TransportAddress;
|
||||||
|
@ -70,6 +71,7 @@ public class IpFilteringIntegrationTests extends SecurityIntegTestCase {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@SuppressForbidden(reason = "Allow opening socket for test")
|
||||||
private void trySocketConnection(Socket socket, InetSocketAddress address) throws IOException {
|
private void trySocketConnection(Socket socket, InetSocketAddress address) throws IOException {
|
||||||
logger.info("connecting to {}", address);
|
logger.info("connecting to {}", address);
|
||||||
SocketAccess.doPrivileged(() -> socket.connect(address, 500));
|
SocketAccess.doPrivileged(() -> socket.connect(address, 500));
|
||||||
|
|