

Security risk: how to resolve the security risk introduced by setAccessible(true)?

Every mature financial app probably has to pass layer upon layer of security testing before it can be published, so every few days I see issues raised in a security test report. Issues are prioritised by severity; the one discussed here is a "minor issue", which in my view falls into the category of fix-it-or-don't.

Tip

Because the security test has not been re-run, it is not yet certain whether this approach actually resolves the reported issue.

Every situation in life is a lesson.

Problem encountered

Vulnerability description

The AccessibleObject class allows programmers to bypass the access control checks provided by Java access specifiers. In particular, it lets programmers allow reflected objects to bypass Java access control and, in turn, modify private fields or invoke private methods and behaviour, which is normally not permitted.

Vulnerability impact: does not comply with security guidelines; bypasses some security controls.

Suggested fix: the application server or application is advised to use a SecurityManager. If System.getSecurityManager is present, the method must first obtain its approval before it can be called. (This recommendation came from the security centre; I then searched the whole project and could not find SecurityManager or System.getSecurityManager anywhere, so I ignored it at first and added the related content at the end when I came back to it.)

**Pseudocode example that triggers the security risk**

(The example was a screenshot in the original post.)


Doing my own research

The first step in solving a problem is to identify its cause, then resolve it step by step.

Conclusion first: the project contains code that operates on classes (objects) reflectively.

  • At compile time, the compiler performs access (permission) checks.
  • The setAccessible method can suppress, or rather disable, the run-time access check.

In the code snippet flagged by the security centre, the core risky code is setAccessible(true), so it is worth first understanding what that is.

I previously came across a brief description in "Uses of setAccessible in Java" that hinted at a potential risk.

From my reading of the source, my guess is that regardless of access level (public or private), setAccessible defaults to false underneath, meaning every member is subject to the access check; the main difference is that public passes the check while private does not.

setAccessible(boolean flag) is a method of the AccessibleObject class, which is the common superclass of Field, Method and Constructor.

After obtaining a Class through reflection, the following three kinds of members are reflectable within it, and the run-time access check is triggered in these scenarios:

  • Field: setting a field (set(Object obj, Object value)) or reading a field (get(Object obj))
  • Method: invoking a method (invoke(Object obj, Object... args))
  • Constructor: creating and initialising a new instance of the class (newInstance(Object... initargs))

How reflection works

Java reflection is a powerful feature that lets a program obtain and manipulate class information dynamically at run time. Through reflection we can create objects, invoke methods and access fields without knowing the class definition in advance.

Java reflection is built on the JVM's run-time data areas and the class-loading mechanism.

When the JVM loads a class, it reads the class's bytecode file into memory and creates a Class object in the method area to represent that class.

Because the Class object holds the complete information about the class, including its constructors, methods and fields, the methods provided by the reflection API can be used at run time to obtain the Class object and, from it, the constructors, methods, fields and so on.


Resolution process

When I first saw this issue I thought it didn't need fixing, so I flatly rejected the request; I then got a lesson on work attitude, and they sent me someone else's write-up: "field.setAccessible(true); code scan reports a security vulnerability: solution".

Phase one

The AccessibleObject class is the base class of the Field, Method and Constructor objects. It allows reflected objects to override access modifiers and bypass the access-control checks provided by Java access modifiers. It lets programmers change private fields or invoke private methods, which is normally not allowed!

For example, in the following snippet the Field's accessible flag is set to true (getDeclaredField is used here, because getField only returns public members and would throw for the private field this is about):

Class<?> clazz = User.class;
Field field = clazz.getDeclaredField("name");   // private field: getField() would not find it
field.setAccessible(true);

If the flag were false, the private field could not be accessed, so the line cannot simply be commented out. The line given in that write-up:

ReflectionUtils.makeAccessible(field);

My own thoughts: at first I wasn't sure whether to replace field.setAccessible(true) with ReflectionUtils.makeAccessible(field) or to append ReflectionUtils.makeAccessible(field) after it, so I looked at the source first (the class is covered in detail later). It shows that the source performs its own permission check and only then decides whether to disable the access check.

The calling code looks something like this:

Class<?> clazz = User.class;
Field field = clazz.getDeclaredField("name");   // private field: getField() would not find it
ReflectionUtils.makeAccessible(field);
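As an added example (not the post's code, nor Spring's or Gson's), the helper below applies the two points made so far: suppress the access check only when the member actually needs it, and, where a SecurityManager is installed, ask it for the very permission setAccessible is governed by before touching the member. The GuardedAccess and User classes are constructed for this example.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.lang.reflect.ReflectPermission;

/**
 * Guarded replacement for a bare field.setAccessible(true).
 * Constructed example; GuardedAccess and User are not part of any real project.
 */
public final class GuardedAccess {

    /** Constructed sample class standing in for the project's User. */
    public static class User {
        public String name = "alice";
        private String password = "s3cret";   // what an unconditional setAccessible(true) exposes
    }

    private GuardedAccess() {}

    /**
     * True if the language access check would reject field.get()/set() from an
     * unrelated caller, i.e. if disabling the check is actually required.
     * Same criteria as ReflectionUtils.makeAccessible(Field): non-public member,
     * non-public declaring class, or a final field.
     */
    public static boolean needsAccessOverride(Field field) {
        int mods = field.getModifiers();
        return !Modifier.isPublic(mods)
                || !Modifier.isPublic(field.getDeclaringClass().getModifiers())
                || Modifier.isFinal(mods);
    }

    /**
     * Makes the field accessible only when required.
     *
     * @return true if the access check was disabled, false if nothing had to change
     * @throws SecurityException if an installed SecurityManager denies the override
     */
    public static boolean makeAccessible(Field field) {
        if (!needsAccessOverride(field)) {
            return false;   // public member of a public class: no check is bypassed
        }
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // The permission AccessibleObject.setAccessible itself checks when a
            // SecurityManager is active; failing here gives a clear, early error.
            sm.checkPermission(new ReflectPermission("suppressAccessChecks"));
        }
        field.setAccessible(true);
        return true;
    }

    public static void main(String[] args) throws Exception {
        User user = new User();

        Field name = User.class.getDeclaredField("name");
        System.out.println("name needs override: " + makeAccessible(name));          // false
        System.out.println("name = " + name.get(user));

        Field password = User.class.getDeclaredField("password");
        System.out.println("password needs override: " + makeAccessible(password));  // true
        System.out.println("password = " + password.get(user));
    }
}
```

On Android System.getSecurityManager() always returns null, so the SecurityManager branch only has effect on a JVM with a policy installed; the modifier check is what avoids needless setAccessible(true) calls in either environment.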

Phase two

Because the ReflectionUtils utility class wasn't provided there, I searched and found "ReflectionUtils reflection tool: concise introduction and practical guide".

The author says: org.springframework.util.ReflectionUtils is a reflection utility class provided by the Spring framework; it wraps common operations of the Java reflection API so that reflection can be used more conveniently and concisely...

That blog wasn't a total loss: at least we can see how this utility class is called!

**So next, let's go and find an Android ReflectionUtils utility class.**


Final solution

After my own research and a colleague's recommendation, I found two main approaches. They should work the same way, but do they really solve the problem? I remain sceptical about the final result.

Solution

ReflectionUtils

After a long search I found a similar ReflectionUtils in "A simple understanding of the Android reflection mechanism, the ReflectionUtils reflection utility class" (can be copied directly):

package xxx;

import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.UndeclaredThrowableException;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class ReflectionUtils {

    /**
     * Pattern for detecting CGLIB-renamed methods.
     * @see #isCglibRenamedMethod
     */
    private static final Pattern CGLIB_RENAMED_METHOD_PATTERN = Pattern.compile("CGLIB\\$(.+)\\$\\d+");

    /**
     * Attempt to find a {@link Field field} on the supplied {@link Class} with the
     * supplied {@code name}. Searches all superclasses up to {@link Object}.
     * @param clazz the class to introspect
     * @param name the name of the field
     * @return the corresponding Field object, or {@code null} if not found
     */
    public static Field findField(Class<?> clazz, String name) {
        return findField(clazz, name, null);
    }

    /**
     * Attempt to find a {@link Field field} on the supplied {@link Class} with the
     * supplied {@code name} and/or {@link Class type}. Searches all superclasses
     * up to {@link Object}.
     * @param clazz the class to introspect
     * @param name the name of the field (may be {@code null} if type is specified)
     * @param type the type of the field (may be {@code null} if name is specified)
     * @return the corresponding Field object, or {@code null} if not found
     */
    public static Field findField(Class<?> clazz, String name, Class<?> type) {
        // Assert.notNull(clazz, "Class must not be null");
        // Assert.isTrue(name != null || type != null, "Either name or type of the field must be specified");
        Class<?> searchType = clazz;
        while (!Object.class.equals(searchType) && searchType != null) {
            Field[] fields = searchType.getDeclaredFields();
            for (Field field : fields) {
                if ((name == null || name.equals(field.getName()))
                        && (type == null || type.equals(field.getType()))) {
                    return field;
                }
            }
            searchType = searchType.getSuperclass();
        }
        return null;
    }

    /**
     * Set the field represented by the supplied {@link Field field object} on the
     * specified {@link Object target object} to the specified {@code value}.
     * In accordance with {@link Field#set(Object, Object)} semantics, the new value
     * is automatically unwrapped if the underlying field has a primitive type.
     * <p>Thrown exceptions are handled via a call to {@link #handleReflectionException(Exception)}.
     * @param field the field to set
     * @param target the target object on which to set the field
     * @param value the value to set; may be {@code null}
     */
    public static void setField(Field field, Object target, Object value) {
        try {
            field.set(target, value);
        } catch (IllegalAccessException ex) {
            handleReflectionException(ex);
            throw new IllegalStateException("Unexpected reflection exception - "
                    + ex.getClass().getName() + ": " + ex.getMessage());
        }
    }

    /**
     * Get the field represented by the supplied {@link Field field object} on the
     * specified {@link Object target object}. In accordance with {@link Field#get(Object)}
     * semantics, the returned value is automatically wrapped if the underlying field
     * has a primitive type.
     * <p>Thrown exceptions are handled via a call to {@link #handleReflectionException(Exception)}.
     * @param field the field to get
     * @param target the target object from which to get the field
     * @return the field's current value
     */
    public static Object getField(Field field, Object target) {
        try {
            return field.get(target);
        } catch (IllegalAccessException ex) {
            handleReflectionException(ex);
            throw new IllegalStateException("Unexpected reflection exception - "
                    + ex.getClass().getName() + ": " + ex.getMessage());
        }
    }

    /**
     * Attempt to find a {@link Method} on the supplied class with the supplied name
     * and no parameters. Searches all superclasses up to {@code Object}.
     * <p>Returns {@code null} if no {@link Method} can be found.
     * @param clazz the class to introspect
     * @param name the name of the method
     * @return the Method object, or {@code null} if none found
     */
    public static Method findMethod(Class<?> clazz, String name) {
        return findMethod(clazz, name, new Class<?>[0]);
    }

    /**
     * Attempt to find a {@link Method} on the supplied class with the supplied name
     * and parameter types. Searches all superclasses up to {@code Object}.
     * <p>Returns {@code null} if no {@link Method} can be found.
     * @param clazz the class to introspect
     * @param name the name of the method
     * @param paramTypes the parameter types of the method
     * (may be {@code null} to indicate any signature)
     * @return the Method object, or {@code null} if none found
     */
    public static Method findMethod(Class<?> clazz, String name, Class<?>... paramTypes) {
        // Assert.notNull(clazz, "Class must not be null");
        // Assert.notNull(name, "Method name must not be null");
        Class<?> searchType = clazz;
        while (searchType != null) {
            Method[] methods = (searchType.isInterface() ? searchType.getMethods() : searchType.getDeclaredMethods());
            for (Method method : methods) {
                if (name.equals(method.getName())
                        && (paramTypes == null || Arrays.equals(paramTypes, method.getParameterTypes()))) {
                    return method;
                }
            }
            searchType = searchType.getSuperclass();
        }
        return null;
    }

    /**
     * Invoke the specified {@link Method} against the supplied target object with no arguments.
     * The target object can be {@code null} when invoking a static {@link Method}.
     * <p>Thrown exceptions are handled via a call to {@link #handleReflectionException}.
     * @param method the method to invoke
     * @param target the target object to invoke the method on
     * @return the invocation result, if any
     * @see #invokeMethod(Method, Object, Object[])
     */
    public static Object invokeMethod(Method method, Object target) {
        return invokeMethod(method, target, new Object[0]);
    }

    /**
     * Invoke the specified {@link Method} against the supplied target object with the
     * supplied arguments. The target object can be {@code null} when invoking a
     * static {@link Method}.
     * <p>Thrown exceptions are handled via a call to {@link #handleReflectionException}.
     * @param method the method to invoke
     * @param target the target object to invoke the method on
     * @param args the invocation arguments (may be {@code null})
     * @return the invocation result, if any
     */
    public static Object invokeMethod(Method method, Object target, Object... args) {
        try {
            return method.invoke(target, args);
        } catch (Exception ex) {
            handleReflectionException(ex);
        }
        throw new IllegalStateException("Should never get here");
    }

    /**
     * Invoke the specified JDBC API {@link Method} against the supplied target
     * object with no arguments.
     * @param method the method to invoke
     * @param target the target object to invoke the method on
     * @return the invocation result, if any
     * @throws SQLException the JDBC API SQLException to rethrow (if any)
     * @see #invokeJdbcMethod(Method, Object, Object[])
     */
    public static Object invokeJdbcMethod(Method method, Object target) throws SQLException {
        return invokeJdbcMethod(method, target, new Object[0]);
    }

    /**
     * Invoke the specified JDBC API {@link Method} against the supplied target
     * object with the supplied arguments.
     * @param method the method to invoke
     * @param target the target object to invoke the method on
     * @param args the invocation arguments (may be {@code null})
     * @return the invocation result, if any
     * @throws SQLException the JDBC API SQLException to rethrow (if any)
     * @see #invokeMethod(Method, Object, Object[])
     */
    public static Object invokeJdbcMethod(Method method, Object target, Object... args) throws SQLException {
        try {
            return method.invoke(target, args);
        } catch (IllegalAccessException ex) {
            handleReflectionException(ex);
        } catch (InvocationTargetException ex) {
            if (ex.getTargetException() instanceof SQLException) {
                throw (SQLException) ex.getTargetException();
            }
            handleInvocationTargetException(ex);
        }
        throw new IllegalStateException("Should never get here");
    }

    /**
     * Handle the given reflection exception. Should only be called if no
     * checked exception is expected to be thrown by the target method.
     * <p>Throws the underlying RuntimeException or Error in case of an
     * InvocationTargetException with such a root cause. Throws an
     * IllegalStateException with an appropriate message else.
     * @param ex the reflection exception to handle
     */
    public static void handleReflectionException(Exception ex) {
        if (ex instanceof NoSuchMethodException) {
            throw new IllegalStateException("Method not found: " + ex.getMessage());
        }
        if (ex instanceof IllegalAccessException) {
            throw new IllegalStateException("Could not access method: " + ex.getMessage());
        }
        if (ex instanceof InvocationTargetException) {
            handleInvocationTargetException((InvocationTargetException) ex);
        }
        if (ex instanceof RuntimeException) {
            throw (RuntimeException) ex;
        }
        throw new UndeclaredThrowableException(ex);
    }

    /**
     * Handle the given invocation target exception. Should only be called if no
     * checked exception is expected to be thrown by the target method.
     * <p>Throws the underlying RuntimeException or Error in case of such a root
     * cause. Throws an IllegalStateException else.
     * @param ex the invocation target exception to handle
     */
    public static void handleInvocationTargetException(InvocationTargetException ex) {
        rethrowRuntimeException(ex.getTargetException());
    }

    /**
     * Rethrow the given {@link Throwable exception}, which is presumably the
     * <em>target exception</em> of an {@link InvocationTargetException}. Should
     * only be called if no checked exception is expected to be thrown by the
     * target method.
     * <p>Rethrows the underlying exception cast to an {@link RuntimeException} or
     * {@link Error} if appropriate; otherwise, throws an
     * {@link IllegalStateException}.
     * @param ex the exception to rethrow
     * @throws RuntimeException the rethrown exception
     */
    public static void rethrowRuntimeException(Throwable ex) {
        if (ex instanceof RuntimeException) {
            throw (RuntimeException) ex;
        }
        if (ex instanceof Error) {
            throw (Error) ex;
        }
        throw new UndeclaredThrowableException(ex);
    }

    /**
     * Rethrow the given {@link Throwable exception}, which is presumably the
     * <em>target exception</em> of an {@link InvocationTargetException}. Should
     * only be called if no checked exception is expected to be thrown by the
     * target method.
     * <p>Rethrows the underlying exception cast to an {@link Exception} or
     * {@link Error} if appropriate; otherwise, throws an
     * {@link IllegalStateException}.
     * @param ex the exception to rethrow
     * @throws Exception the rethrown exception (in case of a checked exception)
     */
    public static void rethrowException(Throwable ex) throws Exception {
        if (ex instanceof Exception) {
            throw (Exception) ex;
        }
        if (ex instanceof Error) {
            throw (Error) ex;
        }
        throw new UndeclaredThrowableException(ex);
    }

    /**
     * Determine whether the given method explicitly declares the given
     * exception or one of its superclasses, which means that an exception of
     * that type can be propagated as-is within a reflective invocation.
     * @param method the declaring method
     * @param exceptionType the exception to throw
     * @return {@code true} if the exception can be thrown as-is;
     * {@code false} if it needs to be wrapped
     */
    public static boolean declaresException(Method method, Class<?> exceptionType) {
        // Assert.notNull(method, "Method must not be null");
        Class<?>[] declaredExceptions = method.getExceptionTypes();
        for (Class<?> declaredException : declaredExceptions) {
            if (declaredException.isAssignableFrom(exceptionType)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Determine whether the given field is a "public static final" constant.
     * @param field the field to check
     */
    public static boolean isPublicStaticFinal(Field field) {
        int modifiers = field.getModifiers();
        return (Modifier.isPublic(modifiers) && Modifier.isStatic(modifiers) && Modifier.isFinal(modifiers));
    }

    /**
     * Determine whether the given method is an "equals" method.
     * @see Object#equals(Object)
     */
    public static boolean isEqualsMethod(Method method) {
        if (method == null || !method.getName().equals("equals")) {
            return false;
        }
        Class<?>[] paramTypes = method.getParameterTypes();
        return (paramTypes.length == 1 && paramTypes[0] == Object.class);
    }

    /**
     * Determine whether the given method is a "hashCode" method.
     * @see Object#hashCode()
     */
    public static boolean isHashCodeMethod(Method method) {
        return (method != null && method.getName().equals("hashCode") && method.getParameterTypes().length == 0);
    }

    /**
     * Determine whether the given method is a "toString" method.
     * @see Object#toString()
     */
    public static boolean isToStringMethod(Method method) {
        return (method != null && method.getName().equals("toString") && method.getParameterTypes().length == 0);
    }

    /**
     * Determine whether the given method is originally declared by {@link Object}.
     */
    public static boolean isObjectMethod(Method method) {
        if (method == null) {
            return false;
        }
        try {
            Object.class.getDeclaredMethod(method.getName(), method.getParameterTypes());
            return true;
        } catch (Exception ex) {
            return false;
        }
    }

    /**
     * Determine whether the given method is a CGLIB 'renamed' method,
     * following the pattern "CGLIB$methodName$0".
     * @param renamedMethod the method to check
     * @see //org.springframework.cglib.proxy.Enhancer#rename
     */
    public static boolean isCglibRenamedMethod(Method renamedMethod) {
        return CGLIB_RENAMED_METHOD_PATTERN.matcher(renamedMethod.getName()).matches();
    }

    /**
     * Make the given field accessible, explicitly setting it accessible if
     * necessary. The {@code setAccessible(true)} method is only called
     * when actually necessary, to avoid unnecessary conflicts with a JVM
     * SecurityManager (if active).
     * @param field the field to make accessible
     * @see Field#setAccessible
     */
    public static void makeAccessible(Field field) {
        if ((!Modifier.isPublic(field.getModifiers())
                || !Modifier.isPublic(field.getDeclaringClass().getModifiers())
                || Modifier.isFinal(field.getModifiers())) && !field.isAccessible()) {
            field.setAccessible(true);
        }
    }

    /**
     * Make the given method accessible, explicitly setting it accessible if
     * necessary. The {@code setAccessible(true)} method is only called
     * when actually necessary, to avoid unnecessary conflicts with a JVM
     * SecurityManager (if active).
     * @param method the method to make accessible
     * @see Method#setAccessible
     */
    public static void makeAccessible(Method method) {
        if ((!Modifier.isPublic(method.getModifiers())
                || !Modifier.isPublic(method.getDeclaringClass().getModifiers())) && !method.isAccessible()) {
            method.setAccessible(true);
        }
    }

    /**
     * Make the given constructor accessible, explicitly setting it accessible
     * if necessary. The {@code setAccessible(true)} method is only called
     * when actually necessary, to avoid unnecessary conflicts with a JVM
     * SecurityManager (if active).
     * @param ctor the constructor to make accessible
     * @see Constructor#setAccessible
     */
    public static void makeAccessible(Constructor<?> ctor) {
        if ((!Modifier.isPublic(ctor.getModifiers())
                || !Modifier.isPublic(ctor.getDeclaringClass().getModifiers())) && !ctor.isAccessible()) {
            ctor.setAccessible(true);
        }
    }

    /**
     * Perform the given callback operation on all matching methods of the given
     * class and superclasses.
     * <p>The same named method occurring on subclass and superclass will appear
     * twice, unless excluded by a {@link MethodFilter}.
     * @param clazz class to start looking at
     * @param mc the callback to invoke for each method
     * @see #doWithMethods(Class, MethodCallback, MethodFilter)
     */
    public static void doWithMethods(Class<?> clazz, MethodCallback mc) throws IllegalArgumentException {
        doWithMethods(clazz, mc, null);
    }

    /**
     * Perform the given callback operation on all matching methods of the given
     * class and superclasses (or given interface and super-interfaces).
     * <p>The same named method occurring on subclass and superclass will appear
     * twice, unless excluded by the specified {@link MethodFilter}.
     * @param clazz class to start looking at
     * @param mc the callback to invoke for each method
     * @param mf the filter that determines the methods to apply the callback to
     */
    public static void doWithMethods(Class<?> clazz, MethodCallback mc, MethodFilter mf) throws IllegalArgumentException {
        // Keep backing up the inheritance hierarchy.
        Method[] methods = clazz.getDeclaredMethods();
        for (Method method : methods) {
            if (mf != null && !mf.matches(method)) {
                continue;
            }
            try {
                mc.doWith(method);
            } catch (IllegalAccessException ex) {
                throw new IllegalStateException("Shouldn't be illegal to access method '" + method.getName() + "': " + ex);
            }
        }
        if (clazz.getSuperclass() != null) {
            doWithMethods(clazz.getSuperclass(), mc, mf);
        } else if (clazz.isInterface()) {
            for (Class<?> superIfc : clazz.getInterfaces()) {
                doWithMethods(superIfc, mc, mf);
            }
        }
    }

    /**
     * Get all declared methods on the leaf class and all superclasses. Leaf
     * class methods are included first.
     */
    public static Method[] getAllDeclaredMethods(Class<?> leafClass) throws IllegalArgumentException {
        final List<Method> methods = new ArrayList<Method>(32);
        doWithMethods(leafClass, new MethodCallback() {
            public void doWith(Method method) {
                methods.add(method);
            }
        });
        return methods.toArray(new Method[methods.size()]);
    }

    /**
     * Get the unique set of declared methods on the leaf class and all superclasses. Leaf
     * class methods are included first and while traversing the superclass hierarchy any methods found
     * with signatures matching a method already included are filtered out.
     */
    public static Method[] getUniqueDeclaredMethods(Class<?> leafClass) throws IllegalArgumentException {
        final List<Method> methods = new ArrayList<Method>(32);
        doWithMethods(leafClass, new MethodCallback() {
            public void doWith(Method method) {
                boolean knownSignature = false;
                Method methodBeingOverriddenWithCovariantReturnType = null;
                for (Method existingMethod : methods) {
                    if (method.getName().equals(existingMethod.getName())
                            && Arrays.equals(method.getParameterTypes(), existingMethod.getParameterTypes())) {
                        // Is this a covariant return type situation?
                        if (existingMethod.getReturnType() != method.getReturnType()
                                && existingMethod.getReturnType().isAssignableFrom(method.getReturnType())) {
                            methodBeingOverriddenWithCovariantReturnType = existingMethod;
                        } else {
                            knownSignature = true;
                        }
                        break;
                    }
                }
                if (methodBeingOverriddenWithCovariantReturnType != null) {
                    methods.remove(methodBeingOverriddenWithCovariantReturnType);
                }
                if (!knownSignature && !isCglibRenamedMethod(method)) {
                    methods.add(method);
                }
            }
        });
        return methods.toArray(new Method[methods.size()]);
    }

    /**
     * Invoke the given callback on all fields in the target class, going up the
     * class hierarchy to get all declared fields.
     * @param clazz the target class to analyze
     * @param fc the callback to invoke for each field
     */
    public static void doWithFields(Class<?> clazz, FieldCallback fc) throws IllegalArgumentException {
        doWithFields(clazz, fc, null);
    }

    /**
     * Invoke the given callback on all fields in the target class, going up the
     * class hierarchy to get all declared fields.
     * @param clazz the target class to analyze
     * @param fc the callback to invoke for each field
     * @param ff the filter that determines the fields to apply the callback to
     */
    public static void doWithFields(Class<?> clazz, FieldCallback fc, FieldFilter ff) throws IllegalArgumentException {
        // Keep backing up the inheritance hierarchy.
        Class<?> targetClass = clazz;
        do {
            Field[] fields = targetClass.getDeclaredFields();
            for (Field field : fields) {
                // Skip static and final fields.
                if (ff != null && !ff.matches(field)) {
                    continue;
                }
                try {
                    fc.doWith(field);
                } catch (IllegalAccessException ex) {
                    throw new IllegalStateException("Shouldn't be illegal to access field '" + field.getName() + "': " + ex);
                }
            }
            targetClass = targetClass.getSuperclass();
        } while (targetClass != null && targetClass != Object.class);
    }

    /**
     * Given the source object and the destination, which must be the same class
     * or a subclass, copy all fields, including inherited fields. Designed to
     * work on objects with public no-arg constructors.
     * @throws IllegalArgumentException if the arguments are incompatible
     */
    public static void shallowCopyFieldState(final Object src, final Object dest) throws IllegalArgumentException {
        if (src == null) {
            throw new IllegalArgumentException("Source for field copy cannot be null");
        }
        if (dest == null) {
            throw new IllegalArgumentException("Destination for field copy cannot be null");
        }
        if (!src.getClass().isAssignableFrom(dest.getClass())) {
            throw new IllegalArgumentException("Destination class [" + dest.getClass().getName()
                    + "] must be same or subclass as source class [" + src.getClass().getName() + "]");
        }
        doWithFields(src.getClass(), new FieldCallback() {
            public void doWith(Field field) throws IllegalArgumentException, IllegalAccessException {
                makeAccessible(field);
                Object srcValue = field.get(src);
                field.set(dest, srcValue);
            }
        }, COPYABLE_FIELDS);
    }

    /**
     * Action to take on each method.
     */
    public interface MethodCallback {
        /**
         * Perform an operation using the given method.
         * @param method the method to operate on
         */
        void doWith(Method method) throws IllegalArgumentException, IllegalAccessException;
    }

    /**
     * Callback optionally used to filter methods to be operated on by a method callback.
     */
    public interface MethodFilter {
        /**
         * Determine whether the given method matches.
         * @param method the method to check
         */
        boolean matches(Method method);
    }

    /**
     * Callback interface invoked on each field in the hierarchy.
     */
    public interface FieldCallback {
        /**
         * Perform an operation using the given field.
         * @param field the field to operate on
         */
        void doWith(Field field) throws IllegalArgumentException, IllegalAccessException;
    }

    /**
     * Callback optionally used to filter fields to be operated on by a field callback.
     */
    public interface FieldFilter {
        /**
         * Determine whether the given field matches.
         * @param field the field to check
         */
        boolean matches(Field field);
    }

    /**
     * Pre-built FieldFilter that matches all non-static, non-final fields.
     */
    public static FieldFilter COPYABLE_FIELDS = new FieldFilter() {
        public boolean matches(Field field) {
            return !(Modifier.isStatic(field.getModifiers()) || Modifier.isFinal(field.getModifiers()));
        }
    };

    /**
     * Pre-built MethodFilter that matches all non-bridge methods.
     */
    public static MethodFilter NON_BRIDGED_METHODS = new MethodFilter() {
        public boolean matches(Method method) {
            return !method.isBridge();
        }
    };

    /**
     * Pre-built MethodFilter that matches all non-bridge methods
     * which are not declared on {@code java.lang.Object}.
     */
    public static MethodFilter USER_DECLARED_METHODS = new MethodFilter() {
        public boolean matches(Method method) {
            return (!method.isBridge() && method.getDeclaringClass() != Object.class);
        }
    };
}
ReflectionHelper

ReflectionHelper is a class provided by google.gson; if needed you can add the gson dependency. I am not sure whether it works directly after copying (if it depends on related classes within the package, it is better to add the dependency).

packagecom.google.gson.internal.reflect;importcom.google.gson.JsonIOException;importcom.google.gson.internal.GsonBuildConfig;importjava.lang.reflect.AccessibleObject;importjava.lang.reflect.Constructor;importjava.lang.reflect.Field;importjava.lang.reflect.Method;publicclassReflectionHelper{privatestaticfinalRecordHelperRECORD_HELPER;static{RecordHelper instance;try{// Try to construct the RecordSupportedHelper, if this fails, records are not supported on this JVM.
      instance =newRecordSupportedHelper();}catch(NoSuchMethodException e){
      instance =newRecordNotSupportedHelper();}RECORD_HELPER= instance;}privateReflectionHelper(){}/**
   * Internal implementation of making an {@link AccessibleObject} accessible.
   *
   * @param object the object that {@link AccessibleObject#setAccessible(boolean)} should be called on.
   * @throws JsonIOException if making the object accessible fails
   */publicstaticvoidmakeAccessible(AccessibleObject object)throwsJsonIOException{try{
      object.setAccessible(true);}catch(Exception exception){String description =getAccessibleObjectDescription(object,false);thrownewJsonIOException("Failed making "+ description +" accessible; either increase its visibility"+" or write a custom TypeAdapter for its declaring type.", exception);}}/**
   * Returns a short string describing the {@link AccessibleObject} in a human-readable way.
   * The result is normally shorter than {@link AccessibleObject#toString()} because it omits
   * modifiers (e.g. {@code final}) and uses simple names for constructor and method parameter
   * types.
   *
   * @param object object to describe
   * @param uppercaseFirstLetter whether the first letter of the description should be uppercased
   */publicstaticStringgetAccessibleObjectDescription(AccessibleObject object,boolean uppercaseFirstLetter){String description;if(object instanceofField){
      description ="field '"+fieldToString((Field) object)+"'";}elseif(object instanceofMethod){Method method =(Method) object;StringBuilder methodSignatureBuilder =newStringBuilder(method.getName());appendExecutableParameters(method, methodSignatureBuilder);String methodSignature = methodSignatureBuilder.toString();

      description ="method '"+ method.getDeclaringClass().getName()+"#"+ methodSignature +"'";}elseif(object instanceofConstructor){
      description ="constructor '"+constructorToString((Constructor<?>) object)+"'";}else{
      description ="<unknown AccessibleObject> "+ object.toString();}if(uppercaseFirstLetter &&Character.isLowerCase(description.charAt(0))){
      description =Character.toUpperCase(description.charAt(0))+ description.substring(1);}return description;}/**
   * Creates a string representation for a field, omitting modifiers and
   * the field type.
   */publicstaticStringfieldToString(Field field){return field.getDeclaringClass().getName()+"#"+ field.getName();}/**
   * Creates a string representation for a constructor.
   * E.g.: {@code java.lang.String(char[], int, int)}
   */publicstaticStringconstructorToString(Constructor<?> constructor){StringBuilder stringBuilder =newStringBuilder(constructor.getDeclaringClass().getName());appendExecutableParameters(constructor, stringBuilder);return stringBuilder.toString();}// Note: Ideally parameter type would be java.lang.reflect.Executable, but that was added in Java 8privatestaticvoidappendExecutableParameters(AccessibleObject executable,StringBuilder stringBuilder){
    stringBuilder.append('(');Class<?>[] parameters =(executable instanceofMethod)?((Method) executable).getParameterTypes():((Constructor<?>) executable).getParameterTypes();for(int i =0; i < parameters.length; i++){if(i >0){
        stringBuilder.append(", ");}
      stringBuilder.append(parameters[i].getSimpleName());}

    stringBuilder.append(')');}/**
   * Tries making the constructor accessible, returning an exception message
   * if this fails.
   *
   * @param constructor constructor to make accessible
   * @return exception message; {@code null} if successful, non-{@code null} if
   *    unsuccessful
   */
  public static String tryMakeAccessible(Constructor<?> constructor) {
    try {
      constructor.setAccessible(true);
      return null;
    } catch (Exception exception) {
      return "Failed making constructor '" + constructorToString(constructor) + "' accessible;"
          + " either increase its visibility or write a custom InstanceCreator or TypeAdapter for"
          // Include the message since it might contain more detailed information
          + " its declaring type: " + exception.getMessage();
    }
  }

  /** If records are supported on the JVM, this is equivalent to a call to Class.isRecord() */
  public static boolean isRecord(Class<?> raw) {
    return RECORD_HELPER.isRecord(raw);
  }

  public static String[] getRecordComponentNames(Class<?> raw) {
    return RECORD_HELPER.getRecordComponentNames(raw);
  }

  /** Looks up the record accessor method that corresponds to the given record field */
  public static Method getAccessor(Class<?> raw, Field field) {
    return RECORD_HELPER.getAccessor(raw, field);
  }

  public static <T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw) {
    return RECORD_HELPER.getCanonicalRecordConstructor(raw);
  }

  public static RuntimeException createExceptionForUnexpectedIllegalAccess(IllegalAccessException exception) {
    throw new RuntimeException("Unexpected IllegalAccessException occurred (Gson " + GsonBuildConfig.VERSION + ")."
        + " Certain ReflectionAccessFilter features require Java >= 9 to work correctly. If you are not using"
        + " ReflectionAccessFilter, report this to the Gson maintainers.",
        exception);
  }

  private static RuntimeException createExceptionForRecordReflectionException(ReflectiveOperationException exception) {
    throw new RuntimeException("Unexpected ReflectiveOperationException occurred"
        + " (Gson " + GsonBuildConfig.VERSION + ")."
        + " To support Java records, reflection is utilized to read out information"
        + " about records. All these invocations happens after it is established"
        + " that records exist in the JVM. This exception is unexpected behavior.",
        exception);
  }

  /**
   * Internal abstraction over reflection when Records are supported.
   */
  private abstract static class RecordHelper {
    abstract boolean isRecord(Class<?> clazz);
    abstract String[] getRecordComponentNames(Class<?> clazz);
    abstract <T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw);
    public abstract Method getAccessor(Class<?> raw, Field field);
  }

  private static class RecordSupportedHelper extends RecordHelper {
    private final Method isRecord;
    private final Method getRecordComponents;
    private final Method getName;
    private final Method getType;

    private RecordSupportedHelper() throws NoSuchMethodException {
      isRecord = Class.class.getMethod("isRecord");
      getRecordComponents = Class.class.getMethod("getRecordComponents");
      // Class java.lang.reflect.RecordComponent
      Class<?> classRecordComponent = getRecordComponents.getReturnType().getComponentType();
      getName = classRecordComponent.getMethod("getName");
      getType = classRecordComponent.getMethod("getType");
    }

    @Override
    boolean isRecord(Class<?> raw) {
      try {
        return (boolean) isRecord.invoke(raw);
      } catch (ReflectiveOperationException e) {
        throw createExceptionForRecordReflectionException(e);
      }
    }

    @Override
    String[] getRecordComponentNames(Class<?> raw) {
      try {
        Object[] recordComponents = (Object[]) getRecordComponents.invoke(raw);
        String[] componentNames = new String[recordComponents.length];
        for (int i = 0; i < recordComponents.length; i++) {
          componentNames[i] = (String) getName.invoke(recordComponents[i]);
        }
        return componentNames;
      } catch (ReflectiveOperationException e) {
        throw createExceptionForRecordReflectionException(e);
      }
    }

    @Override
    public <T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw) {
      try {
        Object[] recordComponents = (Object[]) getRecordComponents.invoke(raw);
        Class<?>[] recordComponentTypes = new Class<?>[recordComponents.length];
        for (int i = 0; i < recordComponents.length; i++) {
          recordComponentTypes[i] = (Class<?>) getType.invoke(recordComponents[i]);
        }
        // Uses getDeclaredConstructor because implicit constructor has same visibility as record and might
        // therefore not be public
        return raw.getDeclaredConstructor(recordComponentTypes);
      } catch (ReflectiveOperationException e) {
        throw createExceptionForRecordReflectionException(e);
      }
    }

    @Override
    public Method getAccessor(Class<?> raw, Field field) {
      try {
        // Records consists of record components, each with a unique name, a corresponding field and accessor method
        // with the same name. Ref.: https://docs.oracle.com/javase/specs/jls/se17/html/jls-8.html#jls-8.10.3
        return raw.getMethod(field.getName());
      } catch (ReflectiveOperationException e) {
        throw createExceptionForRecordReflectionException(e);
      }
    }
  }

  /**
   * Instance used when records are not supported
   */
  private static class RecordNotSupportedHelper extends RecordHelper {
    @Override
    boolean isRecord(Class<?> clazz) {
      return false;
    }

    @Override
    String[] getRecordComponentNames(Class<?> clazz) {
      throw new UnsupportedOperationException("Records are not supported on this JVM, this method should not be called");
    }

    @Override
    <T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw) {
      throw new UnsupportedOperationException("Records are not supported on this JVM, this method should not be called");
    }

    @Override
    public Method getAccessor(Class<?> raw, Field field) {
      throw new UnsupportedOperationException("Records are not supported on this JVM, this method should not be called");
    }
  }
}

Usage

Simply replace each original setAccessible(true) call with ReflectionHelper.makeAccessible(xxx) or ReflectionUtils.makeAccessible(xxx).

[image]
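The replacement above keeps the same idea as the Gson helper: never let setAccessible(true) throw straight out of application code, and produce a readable diagnostic instead. The following is an added example, not code from the post or from Gson, showing the same pattern written against the Java 9+ reflection API (canAccess and trySetAccessible), with one extra least-privilege step: access checks are only suppressed for the single member that actually needs it. The class names SafeAccess and User and the method name makeAccessibleOrExplain are constructed for this example; save it as SafeAccess.java.

```java
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Field;
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;

/** Sample type with a private field, constructed for this example (top-level, so it is not a nestmate of SafeAccess). */
class User {
  private final String name = "alice";
}

/** Added example: a minimal makeAccessible replacement, not Gson's ReflectionHelper. Requires Java 9+. */
public final class SafeAccess {

  /**
   * Suppresses access checks for {@code member} only when that is really needed.
   * Returns null on success, otherwise a diagnostic message; SecurityException
   * from a SecurityManager is caught here instead of propagating to the caller.
   * {@code target} is the instance the member will be used on (null for static
   * members and constructors, as canAccess requires).
   */
  static <M extends AccessibleObject & Member> String makeAccessibleOrExplain(M member, Object target) {
    // Least privilege: a public member of a public class needs no suppression at all.
    if (Modifier.isPublic(member.getModifiers())
        && Modifier.isPublic(member.getDeclaringClass().getModifiers())) {
      return null;
    }
    // Java 9+: ask whether the caller may already use the member; canAccess never throws SecurityException.
    if (member.canAccess(target)) {
      return null;
    }
    try {
      // Java 9+: returns false instead of throwing when the module system forbids the access.
      if (member.trySetAccessible()) {
        return null;
      }
      return "Access to " + member + " denied by the module system; open its package to this module";
    } catch (SecurityException e) {
      // A SecurityManager refused ReflectPermission("suppressAccessChecks").
      return "Access to " + member + " denied by SecurityManager: " + e.getMessage();
    }
  }

  public static void main(String[] args) throws ReflectiveOperationException {
    User user = new User();
    Field nameField = User.class.getDeclaredField("name");

    String problem = makeAccessibleOrExplain(nameField, user);
    if (problem != null) {
      // Fail closed with a clear message rather than a stack trace from deep inside a library.
      System.err.println(problem);
      return;
    }
    System.out.println("name = " + nameField.get(user));
  }
}
```

Run with java SafeAccess.java; on a JVM without a SecurityManager the private field is read and the program prints name = alice. The value of the wrapper is the failure path: when a SecurityManager or the module system refuses, the caller receives a message naming the member and the reason, which is what a scanner reviewing a try/catch around setAccessible wants to see.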


Thoughts on SecurityManager

Before this I had probably never looked into SecurityManager, so this is most likely my first time; what follows is mainly my own Q&A.

How to avoid the setAccessible risk?

Hint: the pseudocode already does this with a try/catch.

[image]

How does SecurityManager authorize setAccessible?

[image]

**My understanding: judging by the results, setAccessible is simply not recommended; if it has to be used, authorize it through SecurityManager, but even then there is no guarantee the security risk is actually resolved?**

How to use SecurityManager?

[image]
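To make the two questions above concrete (how SecurityManager authorizes setAccessible, and how a SecurityManager is used), here is an added example that is not part of the original post. setAccessible(true) asks the installed SecurityManager for ReflectPermission("suppressAccessChecks") before it suppresses any check; the manager below denies exactly that permission and allows everything else, so the only observable effect is that setAccessible(true) throws SecurityException. The class names ReflectionGuard, Secret and DenySuppressAccessChecks and the sample field value are constructed for this example. Caveat for current JVMs: SecurityManager was deprecated for removal in Java 17 (JEP 411), Java 18 and later refuse System.setSecurityManager unless the JVM is started with -Djava.security.manager=allow, and Java 24 (JEP 486) disables it permanently, so on those releases the program reports that it cannot install the manager and exits.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

/** Added example of gating setAccessible(true) with a SecurityManager (deprecated API, see note above). */
@SuppressWarnings("removal")
public final class ReflectionGuard {

  /** Sample target with a private field, constructed for this example. */
  static final class Secret {
    private final String token = "constructed-sample-value";
  }

  /**
   * Minimal SecurityManager: only ReflectPermission("suppressAccessChecks") is denied,
   * every other permission is granted so the rest of the program keeps working.
   * A production policy would come from a policy file, not from code like this.
   */
  static final class DenySuppressAccessChecks extends SecurityManager {
    @Override
    public void checkPermission(Permission perm) {
      if (perm instanceof ReflectPermission && "suppressAccessChecks".equals(perm.getName())) {
        throw new SecurityException("setAccessible(true) is not permitted: " + perm);
      }
      // Deliberately permissive for all other permissions in this example.
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
      checkPermission(perm);
    }
  }

  /** Returns true if the field could be made accessible, false if the manager refused. */
  static boolean tryOpen(Field field) {
    try {
      // Internally calls SecurityManager.checkPermission(new ReflectPermission("suppressAccessChecks")).
      field.setAccessible(true);
      return true;
    } catch (SecurityException e) {
      System.err.println("blocked: " + e.getMessage());
      return false;
    }
  }

  public static void main(String[] args) throws NoSuchFieldException {
    Field token = Secret.class.getDeclaredField("token");

    // With no manager installed, access checks can be suppressed freely.
    System.out.println("without SecurityManager: " + tryOpen(token));

    try {
      System.setSecurityManager(new DenySuppressAccessChecks());
    } catch (UnsupportedOperationException e) {
      System.err.println("cannot install SecurityManager on this JVM: " + e.getMessage());
      return;
    }

    // getDeclaredField returns a fresh Field copy, so its accessible flag starts out false again.
    Field tokenAgain = Secret.class.getDeclaredField("token");
    System.out.println("with SecurityManager: " + tryOpen(tokenAgain));
  }
}
```

On Java 8 to 17 (or 18+ started with -Djava.security.manager=allow) the first call prints true and the second prints false with a "blocked:" line on stderr, which is the authorization step the scanner's advice refers to: the call is only allowed when the manager grants suppressAccessChecks. Because the manager is on its way out of the platform, the durable mitigation is the one from the previous section, keeping every setAccessible call inside a helper that handles refusal, together with module exports and opens that expose only the packages reflection genuinely needs.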


This article is reposted from: https://blog.csdn.net/qq_20451879/article/details/138617586
Copyright belongs to the original author 远方那座山; in case of infringement, please contact us for removal.
