honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/plugins/discovery-azure/licenses
History
Robert Muir 6692e42d9a thirdPartyAudit round 2 
This fixes the `lenient` parameter to be `missingClasses`. I will remove this boolean and we can handle them via the normal whitelist.
It also adds a check for sheisty classes (jar hell with the jdk).
This is inspired by the lucene "sheisty" classes check, but it has false positives. This check is more evil, it validates every class file against the extension classloader as a resource, to see if it exists there. If so: jar hell.

This jar hell is a problem for several reasons:

1. causes insanely-hard-to-debug problems (like bugs in forbidden-apis)
2. hides problems (like internal api access)
3. the code you think is executing, is not really executing
4. security permissions are not what you think they are
5. brings in unnecessary dependencies
6. its jar hell

The more difficult problems are stuff like jython, where these classes are simply 'uberjared' directly in, so you cant just fix them by removing a bogus dependency. And there is a legit reason for them to do that, they want to support java 1.4.
 		2015-12-17 02:35:00 -05:00
..
azure-LICENSE.txt
azure-NOTICE.txt
azure-core-0.9.0.jar.sha1 Update Azure Service Management API to 0.9.0 2015-12-04 17:32:11 +01:00
azure-svc-mgmt-compute-0.9.0.jar.sha1 Update Azure Service Management API to 0.9.0 2015-12-04 17:32:11 +01:00
commons-codec-1.10.jar.sha1
commons-codec-LICENSE.txt
commons-codec-NOTICE.txt
commons-io-2.4.jar.sha1 Update Azure Service Management API to 0.9.0 2015-12-04 17:32:11 +01:00
commons-io-LICENSE.txt Update Azure Service Management API to 0.9.0 2015-12-04 17:32:11 +01:00
commons-io-NOTICE.txt Update Azure Service Management API to 0.9.0 2015-12-04 17:32:11 +01:00
commons-lang-2.6.jar.sha1 Update Azure Service Management API to 0.9.0 2015-12-04 17:32:11 +01:00
commons-lang-LICENSE.txt Update Azure Service Management API to 0.9.0 2015-12-04 17:32:11 +01:00
commons-lang-NOTICE.txt Update Azure Service Management API to 0.9.0 2015-12-04 17:32:11 +01:00
commons-logging-1.1.3.jar.sha1
commons-logging-LICENSE.txt
commons-logging-NOTICE.txt
httpclient-4.3.6.jar.sha1
httpclient-LICENSE.txt
httpclient-NOTICE.txt
httpcore-4.3.3.jar.sha1
httpcore-LICENSE.txt
httpcore-NOTICE.txt
jackson-LICENSE
jackson-NOTICE
jackson-core-asl-1.9.2.jar.sha1
jackson-jaxrs-1.9.2.jar.sha1
jackson-mapper-asl-1.9.2.jar.sha1
jackson-xc-1.9.2.jar.sha1
javax.inject-1.jar.sha1
javax.inject-LICENSE.txt
javax.inject-NOTICE.txt
jaxb-LICENSE.txt
jaxb-NOTICE.txt
jaxb-impl-2.2.3-1.jar.sha1
jersey-LICENSE.txt
jersey-NOTICE.txt
jersey-client-1.13.jar.sha1
jersey-core-1.13.jar.sha1
jersey-json-1.13.jar.sha1
jettison-1.1.jar.sha1
jettison-LICENSE.txt
jettison-NOTICE.txt
mail-1.4.5.jar.sha1
mail-LICENSE.txt
mail-NOTICE.txt