英文:
Block instances of a class at the JVM level?
问题
有没有一种方法可以配置JVM以阻止创建某个类的实例?
我希望这样做是为了确保在JVM中运行的任何服务都不被允许创建被识别为安全风险的类的实例,比如我们称之为BadClass的类。
注意:我正在寻找一种通用的解决方案,因此以下内容纯粹是额外信息。通常我会通过切换库或将其升级到没有漏洞的版本来解决这个问题,但它是一个较大库的一部分,不会在一段时间内解决这个问题。因此,虽然我并没有在任何地方使用BadClass,但我希望彻底阻止它。
英文:
Is there a way to configure the JVM to block instances of a class being created?
I'd like to do this to ensure no service running in the JVM is allowed to create instances of a class that has been identified as a security risk in a CVE, lets call that class BadClass.
NOTE: I'm looking for a general solution, so the following is purely additional information. I would normally address this by switching the library out, or upgrading it to a version that doesn't have the exploit, but it's part of a larger library that wont be addressing the issue for some time. So I'm not even using BadClass anywhere, but want to completely block it.
答案1
得分: 2
一个明显的非回答:甚至不要尝试!
如果拥有这个依赖关系的较大库想要调用那个方法怎么办?那么接下来应该发生什么?
换句话说,你的阻塞应该做什么?
- 抛出一些
Error实例,导致JVM的拆除? - 返回null,以便(可能在以后的时间里)其他代码遇到空指针异常(NPE)?
请记住:那个类不是孤立存在的。还有其他代码在调用它。那些代码并没有为你的介入做好准备,那么你又在做什么呢?
我认为对这些问题没有好的答案。
因此,如果你真的想要“操纵”事物:
尝试在类路径中偷偷插入该特定类的不同版本。可以是官方版本,没有安全问题,或者是符合所需接口且执行的操作较少的版本。或者,如果你敢于走这条路,可以像另一个回答建议的那样,涉足“我的自定义类加载器”领域。
无论如何,你的第一个目标是:弄清楚你在这里的需求是什么?阻塞是什么意思?
英文:
A distinct non-answer: Do not even try!
What if that larger library that has this dependency wants to call that method? What should happen then?
In other words, what is your blocking supposed to do?
- Throw some
Errorinstance, that leads to a teardown of the JVM? - Return null, so that (maybe much later) other code runs into a NPE?
Remember: that class doesn't exist in a void. There is other code invoking it. That code isn't prepared for you coming in, and well, doing what again?!
I think there are no good answers to these questions.
So, if you really want to "manipulate" things:
Try sneaking in a different version of that specific class into your classpath instead. Either an official one, that doesn't have the security issue, or something that complies to the required interface and that does something less harmful. Or, if you dare going down that path, do as the other answer suggests and get into "my own classloader" business.
In any case, your first objective: get clean on your requirements here. What does blocking mean?!
答案2
得分: 2
我不知道一个JVM参数,但这里有一些可能使您处于解决要求的位置的替代方案:
-
您可以编写一个CustomClassLoader,它可以让您对要执行的操作进行精细控制。正常的使用情况可能包括插件加载等。在您的情况下,这更多地是在DevOps层面上进行安全治理。
-
如果您有一个带有集成测试的CICD流水线,您还可以使用
-verbose:class参数启动JVM,并查看运行测试时加载了哪些类。这似乎有点狡猾,但也许适合您的用例。只是将所有可能的方法都考虑进来,选择最合适的方式由您来判断。 -
根据您的构建系统(Maven?),您可以限制只在私有缓存库上构建应用程序。这样,您应该对其拥有完全控制,并在其中放置一个库审查层。这也会在开发人员和存储库管理员之间共享责任。
英文:
I do not know a JVM parameter, but here's some alternatives that might pout you in a position that solve your requirements:
-
You can write a CustomClassLoader that gives you fine control on what to do. Normal use cases would be plugin loading etc. In your case this is more security governance on devops level.
-
If you have a CICD pipeline with integration tests you could also start the JVM with
-verbose:classparameter and see which classes are loaded when running your tests. Seem a bit hacky, but maybe suits your use case. Just throwing everything into the game, it's up to you judging about the best fit. -
Depending on your build system (Maven?) you could restrict building applications just on your private cached libs. So you should have full control on it and put a library - review layer in between. This would also share responsibility between devs and the repository admins.
答案3
得分: 0
你考虑过使用Java 代理吗?
它可以拦截任何类加载器中的类加载,并在实际加载类之前操纵其内容。然后,您可以修改类以消除/修复其错误,或者返回一个在静态初始化程序中引发错误的虚拟类。
英文:
Have you considered using Java Agent?
It can intercept class loading in any classloader, and manipulate it's content before the class is actually loaded. Then, you may either modify the class to remove/fix it's bugs, or return dummy class that would throw error in static initializer.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论