可能每款成熟的金融app上架前都会经过层层安全检测才能执行上架,所以我隔三差五就能看到安全检测报告中提到的问题,根据问题的不同级别,处理的优先级也有所不同,此次讲的主要是一个 “轻度问题” ,个人认为属于那种可改不可改的状态
Tip:
因并未重新进行安全检测,尚不确定该方式是否能解决实际提到的问题
人生处处是课堂
所遇问题
漏洞描述:
AccessibleObject
类 允许程序员绕过 由
Java
访问说明符提供的 访问控制(
access control
)检查,特别是他让程序员能够允许反射对象绕过
Java access control
,并反过来更改私有字段或调用私有方法、行为,这些通常情况下都是不允许的 |
漏洞影响:不符合安全准则,绕过部分安全控制
解决建议:建议应用服务器或者应用程序使用
SecurityManager
的。如果存在
System.getSecurityManager
则该方法会必须先经过它的同意才能调用(这条建议是安全中心给出的,然后我全局都搜索不到
SecurityManager
、
System.getSecurityManager
,起初先忽略了,回头看的时候在最后补充了相关内容)
**
触发安全风险的伪代码示例
**
自我求知
解决问题的第一步是明确问题的产生原因,然后针对于此进行逐步解决
结论先行:项目中存在类(对象)操作的相关代码
当编译时,编译器会进行访问(权限)检查
可以通过setAccessible方法屏蔽或者说禁用运行时访问检查
setAccessible
在安全中心给出的风险
代码段
中 ,核心风险代码为
setAccessible(true)
,那么有必要先了解一下此为何物
之前在 java setaccessible 用处 中看到一个简短描述,提示了可能存在潜在风险
按照我看源码的猜想,不论访问权限是(public、private)哪种,
setAccessible
在底层中默认应该都是
false
,意味着都需要接受权限检查,主要区别在于
public
可以通过检查,而
private
通不过
setAccessible(boolean flag)
方法是
AccessibleObject
类中的一个方法,它是
Field
、
Method
、
Constructor
的公共父类。
通过反射Class类后,以下三种都是其内部可反射的范围,当触发这些场景将执行运行时访问检查:
- Field(字段) 设置字段(set(Object obj, Object value))或获取字段(get(Object obj))
- Method(方法) 调用方法(invoke(Object obj, Object… args))
- Constructor(构造函数) 创建和初始化类的新实例(newInstance(Object… initargs))
反射原理
Java反射是一种强大的特性,它允许程序在运行时动态地获取和操作类的信息。通过反射,我们可以创建对象、调用方法和访问字段,而不需要提前知道类的具体定义。
Java反射的原理基于Java的运行时数据区域(Runtime Data Area)和类加载机制。
当Java虚拟机加载一个类时,它将类的字节码文件加载到内存中,并在方法区创建一个Class对象来表示该类
。
因为Class对象包含了类的完整信息,包括类的
构造函数、方法、字段
等;所以可以通过反射提供的一系列方法在运行时来获取Class对象、获取构造函数、获取方法、获取字段等。
解决过程
起初看到这个问题,我认为是没必要解决,所以直接拒了需求方,然后因为工作态度就被上了一课,然后直接给我发了一个别人的处理方式 - field.setAccessible(true);代码扫描有安全漏洞,解决方案
第一阶段
AccessibleObject
类是
Field
、
Method
和
Constructor
对象的基类,
能够允许反射对象修改访问权限修饰符,绕过由Java访问修饰符提供的访问控制检查。它让程序员能够更改私有字段或调用私有方法,这在通常情况下是不允许的!
例如:以下代码片段中,将Field将accessible标记设置为true。
Class clazz =User.class;Field field = clazz.getField("name");
field.setAccessible(true);
如果为false,则其中的私有字段不能够被访问到的,所以不可以注掉。
ReflectionUtils.makeAccessible(field);
个人想法:起初不确定是用
ReflectionUtils.makeAccessible(field)
替换
field.setAccessible(true)
,还行是在尾端加入
ReflectionUtils.makeAccessible(field)
,所以可以先看看源码(后续会提到该类详情),可以看出在
源码中做了权限检查后才确定是否禁用权限检查
调用代码,类似如下
Class clazz =User.class;Field field = clazz.getField("name");ReflectionUtils.makeAccessible(field);
第二阶段
因为这里并未提供
ReflectionUtils
工具类,所以自行搜索到了 ReflectionUtils反射工具:精要介绍与实战应用指南
作者说:org.springframework.util.
ReflectionUtils 是 Spring 框架提供的一个反射工具类
,它封装了 Java 反射 API 的一些常用操作,使得我们能够更加方便、简洁地使用反射功能…
这篇Blog内并不是一无所获,至少我们可以看到这款工具类的相关调用方式!
**那么接了下来我们就去找一下
Android
的
ReflectionUtils
工具类**
最终方案
经自我查证和同事推荐,主要找到俩种方法,处理方式应该是一样的,但是这种方法是否真的能解决问题?我目前对最终结果保持怀疑态度
解决方式
ReflectionUtils
找了半天在 Android反射机制简单理解,ReflectionUtils 反射工具类 看到一个类似的
ReflectionUtils
(可直接copy)
packagexxx;importjava.lang.reflect.Constructor;importjava.lang.reflect.Field;importjava.lang.reflect.InvocationTargetException;importjava.lang.reflect.Method;importjava.lang.reflect.Modifier;importjava.lang.reflect.UndeclaredThrowableException;importjava.sql.SQLException;importjava.util.ArrayList;importjava.util.Arrays;importjava.util.List;importjava.util.regex.Pattern;publicclassReflectionUtils{/**
* Pattern for detecting CGLIB-renamed methods.
* @see #isCglibRenamedMethod
*/privatestaticfinalPatternCGLIB_RENAMED_METHOD_PATTERN=Pattern.compile("CGLIB\\$(.+)\\$\\d+");/**
* Attempt to find a {@link Field field} on the supplied {@link Class} with the
* supplied {@code name}. Searches all superclasses up to {@link Object}.
* @param clazz the class to introspect
* @param name the name of the field
* @return the corresponding Field object, or {@code null} if not found
*/publicstaticFieldfindField(Class<?> clazz,String name){returnfindField(clazz, name,null);}/**
* Attempt to find a {@link Field field} on the supplied {@link Class} with the
* supplied {@code name} and/or {@link Class type}. Searches all superclasses
* up to {@link Object}.
* @param clazz the class to introspect
* @param name the name of the field (may be {@code null} if type is specified)
* @param type the type of the field (may be {@code null} if name is specified)
* @return the corresponding Field object, or {@code null} if not found
*/publicstaticFieldfindField(Class<?> clazz,String name,Class<?> type){//Assert.notNull(clazz, "Class must not be null");//Assert.isTrue(name != null || type != null, "Either name or type of the field must be specified");Class<?> searchType = clazz;while(!Object.class.equals(searchType)&& searchType !=null){Field[] fields = searchType.getDeclaredFields();for(Field field : fields){if((name ==null|| name.equals(field.getName()))&&(type ==null|| type.equals(field.getType()))){return field;}}
searchType = searchType.getSuperclass();}returnnull;}/**
* Set the field represented by the supplied {@link Field field object} on the
* specified {@link Object target object} to the specified {@code value}.
* In accordance with {@link Field#set(Object, Object)} semantics, the new value
* is automatically unwrapped if the underlying field has a primitive type.
* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException(Exception)}.
* @param field the field to set
* @param target the target object on which to set the field
* @param value the value to set; may be {@code null}
*/publicstaticvoidsetField(Field field,Object target,Object value){try{
field.set(target, value);}catch(IllegalAccessException ex){handleReflectionException(ex);thrownewIllegalStateException("Unexpected reflection exception - "+ ex.getClass().getName()+": "+ ex.getMessage());}}/**
* Get the field represented by the supplied {@link Field field object} on the
* specified {@link Object target object}. In accordance with {@link Field#get(Object)}
* semantics, the returned value is automatically wrapped if the underlying field
* has a primitive type.
* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException(Exception)}.
* @param field the field to get
* @param target the target object from which to get the field
* @return the field's current value
*/publicstaticObjectgetField(Field field,Object target){try{return field.get(target);}catch(IllegalAccessException ex){handleReflectionException(ex);thrownewIllegalStateException("Unexpected reflection exception - "+ ex.getClass().getName()+": "+ ex.getMessage());}}/**
* Attempt to find a {@link Method} on the supplied class with the supplied name
* and no parameters. Searches all superclasses up to {@code Object}.
* <p>Returns {@code null} if no {@link Method} can be found.
* @param clazz the class to introspect
* @param name the name of the method
* @return the Method object, or {@code null} if none found
*/publicstaticMethodfindMethod(Class<?> clazz,String name){returnfindMethod(clazz, name,newClass<?>[0]);}/**
* Attempt to find a {@link Method} on the supplied class with the supplied name
* and parameter types. Searches all superclasses up to {@code Object}.
* <p>Returns {@code null} if no {@link Method} can be found.
* @param clazz the class to introspect
* @param name the name of the method
* @param paramTypes the parameter types of the method
* (may be {@code null} to indicate any signature)
* @return the Method object, or {@code null} if none found
*/publicstaticMethodfindMethod(Class<?> clazz,String name,Class<?>... paramTypes){//Assert.notNull(clazz, "Class must not be null");//Assert.notNull(name, "Method name must not be null");Class<?> searchType = clazz;while(searchType !=null){Method[] methods =(searchType.isInterface()? searchType.getMethods(): searchType.getDeclaredMethods());for(Method method : methods)if(name.equals(method.getName())&&(paramTypes ==null||Arrays.equals(paramTypes, method.getParameterTypes()))){return method;}
searchType = searchType.getSuperclass();}returnnull;}/**
* Invoke the specified {@link Method} against the supplied target object with no arguments.
* The target object can be {@code null} when invoking a static {@link Method}.
* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException}.
* @param method the method to invoke
* @param target the target object to invoke the method on
* @return the invocation result, if any
* @see #invokeMethod(Method, Object, Object[])
*/publicstaticObjectinvokeMethod(Method method,Object target){returninvokeMethod(method, target,newObject[0]);}/**
* Invoke the specified {@link Method} against the supplied target object with the
* supplied arguments. The target object can be {@code null} when invoking a
* static {@link Method}.
* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException}.
* @param method the method to invoke
* @param target the target object to invoke the method on
* @param args the invocation arguments (may be {@code null})
* @return the invocation result, if any
*/publicstaticObjectinvokeMethod(Method method,Object target,Object... args){try{return method.invoke(target, args);}catch(Exception ex){handleReflectionException(ex);}thrownewIllegalStateException("Should never get here");}/**
* Invoke the specified JDBC API {@link Method} against the supplied target
* object with no arguments.
* @param method the method to invoke
* @param target the target object to invoke the method on
* @return the invocation result, if any
* @throws SQLException the JDBC API SQLException to rethrow (if any)
* @see #invokeJdbcMethod(Method, Object, Object[])
*/publicstaticObjectinvokeJdbcMethod(Method method,Object target)throwsSQLException{returninvokeJdbcMethod(method, target,newObject[0]);}/**
* Invoke the specified JDBC API {@link Method} against the supplied target
* object with the supplied arguments.
* @param method the method to invoke
* @param target the target object to invoke the method on
* @param args the invocation arguments (may be {@code null})
* @return the invocation result, if any
* @throws SQLException the JDBC API SQLException to rethrow (if any)
* @see #invokeMethod(Method, Object, Object[])
*/publicstaticObjectinvokeJdbcMethod(Method method,Object target,Object... args)throwsSQLException{try{return method.invoke(target, args);}catch(IllegalAccessException ex){handleReflectionException(ex);}catch(InvocationTargetException ex){if(ex.getTargetException()instanceofSQLException){throw(SQLException) ex.getTargetException();}handleInvocationTargetException(ex);}thrownewIllegalStateException("Should never get here");}/**
* Handle the given reflection exception. Should only be called if no
* checked exception is expected to be thrown by the target method.
* <p>Throws the underlying RuntimeException or Error in case of an
* InvocationTargetException with such a root cause. Throws an
* IllegalStateException with an appropriate message else.
* @param ex the reflection exception to handle
*/publicstaticvoidhandleReflectionException(Exception ex){if(ex instanceofNoSuchMethodException){thrownewIllegalStateException("Method not found: "+ ex.getMessage());}if(ex instanceofIllegalAccessException){thrownewIllegalStateException("Could not access method: "+ ex.getMessage());}if(ex instanceofInvocationTargetException){handleInvocationTargetException((InvocationTargetException) ex);}if(ex instanceofRuntimeException){throw(RuntimeException) ex;}thrownewUndeclaredThrowableException(ex);}/**
* Handle the given invocation target exception. Should only be called if no
* checked exception is expected to be thrown by the target method.
* <p>Throws the underlying RuntimeException or Error in case of such a root
* cause. Throws an IllegalStateException else.
* @param ex the invocation target exception to handle
*/publicstaticvoidhandleInvocationTargetException(InvocationTargetException ex){rethrowRuntimeException(ex.getTargetException());}/**
* Rethrow the given {@link Throwable exception}, which is presumably the
* <em>target exception</em> of an {@link InvocationTargetException}. Should
* only be called if no checked exception is expected to be thrown by the
* target method.
* <p>Rethrows the underlying exception cast to an {@link RuntimeException} or
* {@link Error} if appropriate; otherwise, throws an
* {@link IllegalStateException}.
* @param ex the exception to rethrow
* @throws RuntimeException the rethrown exception
*/publicstaticvoidrethrowRuntimeException(Throwable ex){if(ex instanceofRuntimeException){throw(RuntimeException) ex;}if(ex instanceofError){throw(Error) ex;}thrownewUndeclaredThrowableException(ex);}/**
* Rethrow the given {@link Throwable exception}, which is presumably the
* <em>target exception</em> of an {@link InvocationTargetException}. Should
* only be called if no checked exception is expected to be thrown by the
* target method.
* <p>Rethrows the underlying exception cast to an {@link Exception} or
* {@link Error} if appropriate; otherwise, throws an
* {@link IllegalStateException}.
* @param ex the exception to rethrow
* @throws Exception the rethrown exception (in case of a checked exception)
*/publicstaticvoidrethrowException(Throwable ex)throwsException{if(ex instanceofException){throw(Exception) ex;}if(ex instanceofError){throw(Error) ex;}thrownewUndeclaredThrowableException(ex);}/**
* Determine whether the given method explicitly declares the given
* exception or one of its superclasses, which means that an exception of
* that type can be propagated as-is within a reflective invocation.
* @param method the declaring method
* @param exceptionType the exception to throw
* @return {@code true} if the exception can be thrown as-is;
* {@code false} if it needs to be wrapped
*/publicstaticbooleandeclaresException(Method method,Class<?> exceptionType){//Assert.notNull(method, "Method must not be null");Class<?>[] declaredExceptions = method.getExceptionTypes();for(Class<?> declaredException : declaredExceptions){if(declaredException.isAssignableFrom(exceptionType)){returntrue;}}returnfalse;}/**
* Determine whether the given field is a "public static final" constant.
* @param field the field to check
*/publicstaticbooleanisPublicStaticFinal(Field field){int modifiers = field.getModifiers();return(Modifier.isPublic(modifiers)&&Modifier.isStatic(modifiers)&&Modifier.isFinal(modifiers));}/**
* Determine whether the given method is an "equals" method.
* @see Object#equals(Object)
*/publicstaticbooleanisEqualsMethod(Method method){if(method ==null||!method.getName().equals("equals")){returnfalse;}Class<?>[] paramTypes = method.getParameterTypes();return(paramTypes.length ==1&& paramTypes[0]==Object.class);}/**
* Determine whether the given method is a "hashCode" method.
* @see Object#hashCode()
*/publicstaticbooleanisHashCodeMethod(Method method){return(method !=null&& method.getName().equals("hashCode")&& method.getParameterTypes().length ==0);}/**
* Determine whether the given method is a "toString" method.
* @see Object#toString()
*/publicstaticbooleanisToStringMethod(Method method){return(method !=null&& method.getName().equals("toString")&& method.getParameterTypes().length ==0);}/**
* Determine whether the given method is originally declared by {@link Object}.
*/publicstaticbooleanisObjectMethod(Method method){if(method ==null){returnfalse;}try{Object.class.getDeclaredMethod(method.getName(), method.getParameterTypes());returntrue;}catch(Exception ex){returnfalse;}}/**
* Determine whether the given method is a CGLIB 'renamed' method,
* following the pattern "CGLIB$methodName$0".
* @param renamedMethod the method to check
* @see //org.springframework.cglib.proxy.Enhancer#rename
*/publicstaticbooleanisCglibRenamedMethod(Method renamedMethod){returnCGLIB_RENAMED_METHOD_PATTERN.matcher(renamedMethod.getName()).matches();}/**
* Make the given field accessible, explicitly setting it accessible if
* necessary. The {@code setAccessible(true)} method is only called
* when actually necessary, to avoid unnecessary conflicts with a JVM
* SecurityManager (if active).
* @param field the field to make accessible
* @see Field#setAccessible
*/publicstaticvoidmakeAccessible(Field field){if((!Modifier.isPublic(field.getModifiers())||!Modifier.isPublic(field.getDeclaringClass().getModifiers())||Modifier.isFinal(field.getModifiers()))&&!field.isAccessible()){
field.setAccessible(true);}}/**
* Make the given method accessible, explicitly setting it accessible if
* necessary. The {@code setAccessible(true)} method is only called
* when actually necessary, to avoid unnecessary conflicts with a JVM
* SecurityManager (if active).
* @param method the method to make accessible
* @see Method#setAccessible
*/publicstaticvoidmakeAccessible(Method method){if((!Modifier.isPublic(method.getModifiers())||!Modifier.isPublic(method.getDeclaringClass().getModifiers()))&&!method.isAccessible()){
method.setAccessible(true);}}/**
* Make the given constructor accessible, explicitly setting it accessible
* if necessary. The {@code setAccessible(true)} method is only called
* when actually necessary, to avoid unnecessary conflicts with a JVM
* SecurityManager (if active).
* @param ctor the constructor to make accessible
* @see Constructor#setAccessible
*/publicstaticvoidmakeAccessible(Constructor<?> ctor){if((!Modifier.isPublic(ctor.getModifiers())||!Modifier.isPublic(ctor.getDeclaringClass().getModifiers()))&&!ctor.isAccessible()){
ctor.setAccessible(true);}}/**
* Perform the given callback operation on all matching methods of the given
* class and superclasses.
* <p>The same named method occurring on subclass and superclass will appear
* twice, unless excluded by a {@link MethodFilter}.
* @param clazz class to start looking at
* @param mc the callback to invoke for each method
* @see #doWithMethods(Class, MethodCallback, MethodFilter)
*/publicstaticvoiddoWithMethods(Class<?> clazz,MethodCallback mc)throwsIllegalArgumentException{doWithMethods(clazz, mc,null);}/**
* Perform the given callback operation on all matching methods of the given
* class and superclasses (or given interface and super-interfaces).
* <p>The same named method occurring on subclass and superclass will appear
* twice, unless excluded by the specified {@link MethodFilter}.
* @param clazz class to start looking at
* @param mc the callback to invoke for each method
* @param mf the filter that determines the methods to apply the callback to
*/publicstaticvoiddoWithMethods(Class<?> clazz,MethodCallback mc,MethodFilter mf)throwsIllegalArgumentException{// Keep backing up the inheritance hierarchy.Method[] methods = clazz.getDeclaredMethods();for(Method method : methods){if(mf !=null&&!mf.matches(method)){continue;}try{
mc.doWith(method);}catch(IllegalAccessException ex){thrownewIllegalStateException("Shouldn't be illegal to access method '"+ method.getName()+"': "+ ex);}}if(clazz.getSuperclass()!=null){doWithMethods(clazz.getSuperclass(), mc, mf);}elseif(clazz.isInterface()){for(Class<?> superIfc : clazz.getInterfaces()){doWithMethods(superIfc, mc, mf);}}}/**
* Get all declared methods on the leaf class and all superclasses. Leaf
* class methods are included first.
*/publicstaticMethod[]getAllDeclaredMethods(Class<?> leafClass)throwsIllegalArgumentException{finalList<Method> methods =newArrayList<Method>(32);doWithMethods(leafClass,newMethodCallback(){publicvoiddoWith(Method method){
methods.add(method);}});return methods.toArray(newMethod[methods.size()]);}/**
* Get the unique set of declared methods on the leaf class and all superclasses. Leaf
* class methods are included first and while traversing the superclass hierarchy any methods found
* with signatures matching a method already included are filtered out.
*/publicstaticMethod[]getUniqueDeclaredMethods(Class<?> leafClass)throwsIllegalArgumentException{finalList<Method> methods =newArrayList<Method>(32);doWithMethods(leafClass,newMethodCallback(){publicvoiddoWith(Method method){boolean knownSignature =false;Method methodBeingOverriddenWithCovariantReturnType =null;for(Method existingMethod : methods){if(method.getName().equals(existingMethod.getName())&&Arrays.equals(method.getParameterTypes(), existingMethod.getParameterTypes())){// Is this a covariant return type situation?if(existingMethod.getReturnType()!= method.getReturnType()&&
existingMethod.getReturnType().isAssignableFrom(method.getReturnType())){
methodBeingOverriddenWithCovariantReturnType = existingMethod;}else{
knownSignature =true;}break;}}if(methodBeingOverriddenWithCovariantReturnType !=null){
methods.remove(methodBeingOverriddenWithCovariantReturnType);}if(!knownSignature &&!isCglibRenamedMethod(method)){
methods.add(method);}}});return methods.toArray(newMethod[methods.size()]);}/**
* Invoke the given callback on all fields in the target class, going up the
* class hierarchy to get all declared fields.
* @param clazz the target class to analyze
* @param fc the callback to invoke for each field
*/publicstaticvoiddoWithFields(Class<?> clazz,FieldCallback fc)throwsIllegalArgumentException{doWithFields(clazz, fc,null);}/**
* Invoke the given callback on all fields in the target class, going up the
* class hierarchy to get all declared fields.
* @param clazz the target class to analyze
* @param fc the callback to invoke for each field
* @param ff the filter that determines the fields to apply the callback to
*/publicstaticvoiddoWithFields(Class<?> clazz,FieldCallback fc,FieldFilter ff)throwsIllegalArgumentException{// Keep backing up the inheritance hierarchy.Class<?> targetClass = clazz;do{Field[] fields = targetClass.getDeclaredFields();for(Field field : fields){// Skip static and final fields.if(ff !=null&&!ff.matches(field)){continue;}try{
fc.doWith(field);}catch(IllegalAccessException ex){thrownewIllegalStateException("Shouldn't be illegal to access field '"+ field.getName()+"': "+ ex);}}
targetClass = targetClass.getSuperclass();}while(targetClass !=null&& targetClass !=Object.class);}/**
* Given the source object and the destination, which must be the same class
* or a subclass, copy all fields, including inherited fields. Designed to
* work on objects with public no-arg constructors.
* @throws IllegalArgumentException if the arguments are incompatible
*/publicstaticvoidshallowCopyFieldState(finalObject src,finalObject dest)throwsIllegalArgumentException{if(src ==null){thrownewIllegalArgumentException("Source for field copy cannot be null");}if(dest ==null){thrownewIllegalArgumentException("Destination for field copy cannot be null");}if(!src.getClass().isAssignableFrom(dest.getClass())){thrownewIllegalArgumentException("Destination class ["+ dest.getClass().getName()+"] must be same or subclass as source class ["+ src.getClass().getName()+"]");}doWithFields(src.getClass(),newFieldCallback(){publicvoiddoWith(Field field)throwsIllegalArgumentException,IllegalAccessException{makeAccessible(field);Object srcValue = field.get(src);
field.set(dest, srcValue);}},COPYABLE_FIELDS);}/**
* Action to take on each method.
*/publicinterfaceMethodCallback{/**
* Perform an operation using the given method.
* @param method the method to operate on
*/voiddoWith(Method method)throwsIllegalArgumentException,IllegalAccessException;}/**
* Callback optionally used to filter methods to be operated on by a method callback.
*/publicinterfaceMethodFilter{/**
* Determine whether the given method matches.
* @param method the method to check
*/booleanmatches(Method method);}/**
* Callback interface invoked on each field in the hierarchy.
*/publicinterfaceFieldCallback{/**
* Perform an operation using the given field.
* @param field the field to operate on
*/voiddoWith(Field field)throwsIllegalArgumentException,IllegalAccessException;}/**
* Callback optionally used to filter fields to be operated on by a field callback.
*/publicinterfaceFieldFilter{/**
* Determine whether the given field matches.
* @param field the field to check
*/booleanmatches(Field field);}/**
* Pre-built FieldFilter that matches all non-static, non-final fields.
*/publicstaticFieldFilterCOPYABLE_FIELDS=newFieldFilter(){publicbooleanmatches(Field field){return!(Modifier.isStatic(field.getModifiers())||Modifier.isFinal(field.getModifiers()));}};/**
* Pre-built MethodFilter that matches all non-bridge methods.
*/publicstaticMethodFilterNON_BRIDGED_METHODS=newMethodFilter(){publicbooleanmatches(Method method){return!method.isBridge();}};/**
* Pre-built MethodFilter that matches all non-bridge methods
* which are not declared on {@code java.lang.Object}.
*/publicstaticMethodFilterUSER_DECLARED_METHODS=newMethodFilter(){publicbooleanmatches(Method method){return(!method.isBridge()&& method.getDeclaringClass()!=Object.class);}};}
ReflectionHelper
ReflectionHelper
是
google.gson
提供的一个类,有需要的话可以引入
gson
依赖,不确定copy后是否可直接使用(如果有包内关联类的话,最好是引入依赖)
packagecom.google.gson.internal.reflect;importcom.google.gson.JsonIOException;importcom.google.gson.internal.GsonBuildConfig;importjava.lang.reflect.AccessibleObject;importjava.lang.reflect.Constructor;importjava.lang.reflect.Field;importjava.lang.reflect.Method;publicclassReflectionHelper{privatestaticfinalRecordHelperRECORD_HELPER;static{RecordHelper instance;try{// Try to construct the RecordSupportedHelper, if this fails, records are not supported on this JVM.
instance =newRecordSupportedHelper();}catch(NoSuchMethodException e){
instance =newRecordNotSupportedHelper();}RECORD_HELPER= instance;}privateReflectionHelper(){}/**
* Internal implementation of making an {@link AccessibleObject} accessible.
*
* @param object the object that {@link AccessibleObject#setAccessible(boolean)} should be called on.
* @throws JsonIOException if making the object accessible fails
*/publicstaticvoidmakeAccessible(AccessibleObject object)throwsJsonIOException{try{
object.setAccessible(true);}catch(Exception exception){String description =getAccessibleObjectDescription(object,false);thrownewJsonIOException("Failed making "+ description +" accessible; either increase its visibility"+" or write a custom TypeAdapter for its declaring type.", exception);}}/**
* Returns a short string describing the {@link AccessibleObject} in a human-readable way.
* The result is normally shorter than {@link AccessibleObject#toString()} because it omits
* modifiers (e.g. {@code final}) and uses simple names for constructor and method parameter
* types.
*
* @param object object to describe
* @param uppercaseFirstLetter whether the first letter of the description should be uppercased
*/publicstaticStringgetAccessibleObjectDescription(AccessibleObject object,boolean uppercaseFirstLetter){String description;if(object instanceofField){
description ="field '"+fieldToString((Field) object)+"'";}elseif(object instanceofMethod){Method method =(Method) object;StringBuilder methodSignatureBuilder =newStringBuilder(method.getName());appendExecutableParameters(method, methodSignatureBuilder);String methodSignature = methodSignatureBuilder.toString();
description ="method '"+ method.getDeclaringClass().getName()+"#"+ methodSignature +"'";}elseif(object instanceofConstructor){
description ="constructor '"+constructorToString((Constructor<?>) object)+"'";}else{
description ="<unknown AccessibleObject> "+ object.toString();}if(uppercaseFirstLetter &&Character.isLowerCase(description.charAt(0))){
description =Character.toUpperCase(description.charAt(0))+ description.substring(1);}return description;}/**
* Creates a string representation for a field, omitting modifiers and
* the field type.
*/publicstaticStringfieldToString(Field field){return field.getDeclaringClass().getName()+"#"+ field.getName();}/**
* Creates a string representation for a constructor.
* E.g.: {@code java.lang.String(char[], int, int)}
*/publicstaticStringconstructorToString(Constructor<?> constructor){StringBuilder stringBuilder =newStringBuilder(constructor.getDeclaringClass().getName());appendExecutableParameters(constructor, stringBuilder);return stringBuilder.toString();}// Note: Ideally parameter type would be java.lang.reflect.Executable, but that was added in Java 8privatestaticvoidappendExecutableParameters(AccessibleObject executable,StringBuilder stringBuilder){
stringBuilder.append('(');Class<?>[] parameters =(executable instanceofMethod)?((Method) executable).getParameterTypes():((Constructor<?>) executable).getParameterTypes();for(int i =0; i < parameters.length; i++){if(i >0){
stringBuilder.append(", ");}
stringBuilder.append(parameters[i].getSimpleName());}
stringBuilder.append(')');}/**
* Tries making the constructor accessible, returning an exception message
* if this fails.
*
* @param constructor constructor to make accessible
* @return exception message; {@code null} if successful, non-{@code null} if
* unsuccessful
*/publicstaticStringtryMakeAccessible(Constructor<?> constructor){try{
constructor.setAccessible(true);returnnull;}catch(Exception exception){return"Failed making constructor '"+constructorToString(constructor)+"' accessible;"+" either increase its visibility or write a custom InstanceCreator or TypeAdapter for"// Include the message since it might contain more detailed information+" its declaring type: "+ exception.getMessage();}}/** If records are supported on the JVM, this is equivalent to a call to Class.isRecord() */publicstaticbooleanisRecord(Class<?> raw){returnRECORD_HELPER.isRecord(raw);}publicstaticString[]getRecordComponentNames(Class<?> raw){returnRECORD_HELPER.getRecordComponentNames(raw);}/** Looks up the record accessor method that corresponds to the given record field */publicstaticMethodgetAccessor(Class<?> raw,Field field){returnRECORD_HELPER.getAccessor(raw, field);}publicstatic<T>Constructor<T>getCanonicalRecordConstructor(Class<T> raw){returnRECORD_HELPER.getCanonicalRecordConstructor(raw);}publicstaticRuntimeExceptioncreateExceptionForUnexpectedIllegalAccess(IllegalAccessException exception){thrownewRuntimeException("Unexpected IllegalAccessException occurred (Gson "+GsonBuildConfig.VERSION+")."+" Certain ReflectionAccessFilter features require Java >= 9 to work correctly. If you are not using"+" ReflectionAccessFilter, report this to the Gson maintainers.",
exception);}privatestaticRuntimeExceptioncreateExceptionForRecordReflectionException(ReflectiveOperationException exception){thrownewRuntimeException("Unexpected ReflectiveOperationException occurred"+" (Gson "+GsonBuildConfig.VERSION+")."+" To support Java records, reflection is utilized to read out information"+" about records. All these invocations happens after it is established"+" that records exist in the JVM. This exception is unexpected behavior.",
exception);}/**
* Internal abstraction over reflection when Records are supported.
*/privateabstractstaticclassRecordHelper{abstractbooleanisRecord(Class<?> clazz);abstractString[]getRecordComponentNames(Class<?> clazz);abstract<T>Constructor<T>getCanonicalRecordConstructor(Class<T> raw);publicabstractMethodgetAccessor(Class<?> raw,Field field);}privatestaticclassRecordSupportedHelperextendsRecordHelper{privatefinalMethod isRecord;privatefinalMethod getRecordComponents;privatefinalMethod getName;privatefinalMethod getType;privateRecordSupportedHelper()throwsNoSuchMethodException{
isRecord =Class.class.getMethod("isRecord");
getRecordComponents =Class.class.getMethod("getRecordComponents");// Class java.lang.reflect.RecordComponentClass<?> classRecordComponent = getRecordComponents.getReturnType().getComponentType();
getName = classRecordComponent.getMethod("getName");
getType = classRecordComponent.getMethod("getType");}@OverridebooleanisRecord(Class<?> raw){try{return(boolean) isRecord.invoke(raw);}catch(ReflectiveOperationException e){throwcreateExceptionForRecordReflectionException(e);}}@OverrideString[]getRecordComponentNames(Class<?> raw){try{Object[] recordComponents =(Object[]) getRecordComponents.invoke(raw);String[] componentNames =newString[recordComponents.length];for(int i =0; i < recordComponents.length; i++){
componentNames[i]=(String) getName.invoke(recordComponents[i]);}return componentNames;}catch(ReflectiveOperationException e){throwcreateExceptionForRecordReflectionException(e);}}@Overridepublic<T>Constructor<T>getCanonicalRecordConstructor(Class<T> raw){try{Object[] recordComponents =(Object[]) getRecordComponents.invoke(raw);Class<?>[] recordComponentTypes =newClass<?>[recordComponents.length];for(int i =0; i < recordComponents.length; i++){
recordComponentTypes[i]=(Class<?>) getType.invoke(recordComponents[i]);}// Uses getDeclaredConstructor because implicit constructor has same visibility as record and might// therefore not be publicreturn raw.getDeclaredConstructor(recordComponentTypes);}catch(ReflectiveOperationException e){throwcreateExceptionForRecordReflectionException(e);}}@OverridepublicMethodgetAccessor(Class<?> raw,Field field){try{// Records consists of record components, each with a unique name, a corresponding field and accessor method// with the same name. Ref.: https://docs.oracle.com/javase/specs/jls/se17/html/jls-8.html#jls-8.10.3return raw.getMethod(field.getName());}catch(ReflectiveOperationException e){throwcreateExceptionForRecordReflectionException(e);}}}/**
* Instance used when records are not supported
*/privatestaticclassRecordNotSupportedHelperextendsRecordHelper{@OverridebooleanisRecord(Class<?> clazz){returnfalse;}@OverrideString[]getRecordComponentNames(Class<?> clazz){thrownewUnsupportedOperationException("Records are not supported on this JVM, this method should not be called");}@Override<T>Constructor<T>getCanonicalRecordConstructor(Class<T> raw){thrownewUnsupportedOperationException("Records are not supported on this JVM, this method should not be called");}@OverridepublicMethodgetAccessor(Class<?> raw,Field field){thrownewUnsupportedOperationException("Records are not supported on this JVM, this method should not be called");}}}
使用方式
仅需在原
setAccessible(true)
处采用
ReflectionHelper.makeAccessible(xxx)
或
ReflectionUtils.makeAccessible(xxx)
替换即可
SecurityManager 相关思考
在此之前我应该没了解过 SecurityManager ,这次应该是首次,以下主要是我的一些答疑
如何规避 setAccessible 风险?
Hint:伪代码其实就已经做了
try、catch
操作
SecurityManager 如何给 setAccessible 授权?
**我理解的:根据结果来看就是不建议使用
setAccessible
,如果要使用就用
SecurityManager
授权,但即使这样也不保证就能解决安全风险?**
SecurityManager 如何使用?
版权归原作者 远方那座山 所有, 如有侵权,请联系我们删除。