Add methods requiring connect to forbidden apis (#22964)

This is related to #22116. This commit adds calls that require SocketPermission connect to forbidden APIs. The following calls are now forbidden: - java.net.URL#openStream() - java.net.URLConnection#connect() - java.net.URLConnection#getInputStream() - java.net.Socket#connect(java.net.SocketAddress) - java.net.Socket#connect(java.net.SocketAddress, int) - java.nio.channels.SocketChannel#open(java.net.SocketAddress) - java.nio.channels.SocketChannel#connect(java.net.SocketAddress)
2025-02-22 12:56:53 +00:00 · 2017-02-07 14:41:50 -06:00 · 2017-02-07 14:41:50 -06:00 · fcc568fd8d
commit fcc568fd8d
parent ba06c14a97
6 changed files with 20 additions and 0 deletions
--- a/buildSrc/src/main/resources/forbidden/es-all-signatures.txt
+++ b/buildSrc/src/main/resources/forbidden/es-all-signatures.txt
@ -36,3 +36,12 @@ org.apache.lucene.document.FieldType#numericType()
 java.lang.invoke.MethodHandle#invoke(java.lang.Object[])
 java.lang.invoke.MethodHandle#invokeWithArguments(java.lang.Object[])
 java.lang.invoke.MethodHandle#invokeWithArguments(java.util.List)
+
+@defaultMessage Don't open socket connections
+java.net.URL#openStream()
+java.net.URLConnection#connect()
+java.net.URLConnection#getInputStream()
+java.net.Socket#connect(java.net.SocketAddress)
+java.net.Socket#connect(java.net.SocketAddress, int)
+java.nio.channels.SocketChannel#open(java.net.SocketAddress)
+java.nio.channels.SocketChannel#connect(java.net.SocketAddress)
--- a/core/src/main/java/org/elasticsearch/common/io/FileSystemUtils.java
+++ b/core/src/main/java/org/elasticsearch/common/io/FileSystemUtils.java
@ -22,6 +22,7 @@ package org.elasticsearch.common.io;
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.util.IOUtils;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.SuppressForbidden;

 import java.io.IOException;
 import java.io.InputStream;
@ -119,6 +120,7 @@ public final class FileSystemUtils {
    /**
     * Returns an InputStream the given url if the url has a protocol of 'file' or 'jar', no host, and no port.
     */
+    @SuppressForbidden(reason = "Will only open url streams for local files")
    public static InputStream openFileURLStream(URL url) throws IOException {
        String protocol = url.getProtocol();
        if ("file".equals(protocol) == false && "jar".equals(protocol) == false) {
--- a/core/src/main/java/org/elasticsearch/plugins/InstallPluginCommand.java
+++ b/core/src/main/java/org/elasticsearch/plugins/InstallPluginCommand.java
@ -30,6 +30,7 @@ import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.EnvironmentAwareCommand;
 import org.elasticsearch.cli.Terminal;
 import org.elasticsearch.cli.UserException;
+import org.elasticsearch.common.SuppressForbidden;
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.hash.MessageDigests;
 import org.elasticsearch.common.io.FileSystemUtils;
@ -265,6 +266,7 @@ class InstallPluginCommand extends EnvironmentAwareCommand {
    }

    /** Downloads a zip from the url, into a temp file under the given temp dir. */
+    @SuppressForbidden(reason = "We use getInputStream to download plugins")
    private Path downloadZip(Terminal terminal, String urlString, Path tmpDir) throws IOException {
        terminal.println(VERBOSE, "Retrieving zip from " + urlString);
        URL url = new URL(urlString);
@ -314,6 +316,7 @@ class InstallPluginCommand extends EnvironmentAwareCommand {
    }

    /** Downloads a zip from the url, as well as a SHA1 checksum, and checks the checksum. */
+    @SuppressForbidden(reason = "We use openStream to download plugins")
    private Path downloadZipAndChecksum(Terminal terminal, String urlString, Path tmpDir) throws Exception {
        Path zip = downloadZip(terminal, urlString, tmpDir);
        pathsToDeleteOnShutdown.add(zip);
--- a/modules/repository-url/src/main/java/org/elasticsearch/common/blobstore/url/URLBlobContainer.java
+++ b/modules/repository-url/src/main/java/org/elasticsearch/common/blobstore/url/URLBlobContainer.java
@ -19,6 +19,7 @@

 package org.elasticsearch.common.blobstore.url;

+import org.elasticsearch.common.SuppressForbidden;
 import org.elasticsearch.common.blobstore.BlobMetaData;
 import org.elasticsearch.common.blobstore.BlobPath;
 import org.elasticsearch.common.blobstore.support.AbstractBlobContainer;
@ -116,6 +117,7 @@ public class URLBlobContainer extends AbstractBlobContainer {
        throw new UnsupportedOperationException("URL repository doesn't support this operation");
    }

+    @SuppressForbidden(reason = "We call connect in doPrivileged and provide SocketPermission")
    private static InputStream getInputStream(URL url) throws IOException {
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<InputStream>) url::openStream);
--- a/plugins/discovery-ec2/src/main/java/org/elasticsearch/cloud/aws/network/Ec2NameResolver.java
+++ b/plugins/discovery-ec2/src/main/java/org/elasticsearch/cloud/aws/network/Ec2NameResolver.java
@ -22,6 +22,7 @@ package org.elasticsearch.cloud.aws.network;
 import org.apache.lucene.util.IOUtils;
 import org.elasticsearch.cloud.aws.AwsEc2ServiceImpl;
 import org.elasticsearch.cloud.aws.util.SocketAccess;
+import org.elasticsearch.common.SuppressForbidden;
 import org.elasticsearch.common.component.AbstractComponent;
 import org.elasticsearch.common.network.NetworkService.CustomNameResolver;
 import org.elasticsearch.common.settings.Settings;
@ -92,6 +93,7 @@ public class Ec2NameResolver extends AbstractComponent implements CustomNameReso
     * @return the appropriate host resolved from ec2 meta-data, or null if it cannot be obtained.
     * @see CustomNameResolver#resolveIfPossible(String)
     */
+    @SuppressForbidden(reason = "We call getInputStream in doPrivileged and provide SocketPermission")
    public InetAddress[] resolve(Ec2HostnameType type) throws IOException {
        InputStream in = null;
        String metadataUrl = AwsEc2ServiceImpl.EC2_METADATA_URL + type.ec2Name;
--- a/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java
+++ b/plugins/discovery-ec2/src/main/java/org/elasticsearch/plugin/discovery/ec2/Ec2DiscoveryPlugin.java
@ -46,6 +46,7 @@ import org.elasticsearch.cloud.aws.AwsEc2ServiceImpl;
 import org.elasticsearch.cloud.aws.network.Ec2NameResolver;
 import org.elasticsearch.cloud.aws.util.SocketAccess;
 import org.elasticsearch.cluster.service.ClusterService;
+import org.elasticsearch.common.SuppressForbidden;
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
 import org.elasticsearch.common.logging.DeprecationLogger;
 import org.elasticsearch.common.logging.Loggers;
@ -179,6 +180,7 @@ public class Ec2DiscoveryPlugin extends Plugin implements DiscoveryPlugin, Close
    }

    // pkg private for testing
+    @SuppressForbidden(reason = "We call getInputStream in doPrivileged and provide SocketPermission")
    static Settings getAvailabilityZoneNodeAttributes(Settings settings, String azMetadataUrl) {
        if (AwsEc2Service.AUTO_ATTRIBUTE_SETTING.get(settings) == false) {
            return Settings.EMPTY;