Add new rule PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS (#1537)

* Add new rule PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS SEI CERT rule SEC07-J requires that the superclass's getPermissions() is called when writing a custom class loader. This method is defined in class java.net.URLClassLoader. Thus any class inheriting directly or indirectly form URLClassLoader and overriding its getPermissions() method must call the superclass's getPermissions() method in this method. It is not enoguh to just call it but the the return value (an instance of java.security.PermissionCollection) must be initialized by calling the superclass's method instead of creating a new instance from scratch. This patch adds a new detector to check this rule. * Debug printouts removed and other fixes * Header comment fixed from FindBugs to SpotBugs * Updated based on the review comments by @KengoTODA * Updated according to the comments of @KengoTODA * Grammar fix * Checking for all ancestors instead of the direct superclass * Minor fix * Changelog updated after the merge * Update spotbugs/src/main/java/edu/umd/cs/findbugs/detect/PermissionsSuper.java Co-authored-by: Kengo TODA <skypencil+github@gmail.com> * Merge `master` into `PermissionsSuper` Co-authored-by: Kengo TODA <skypencil+github@gmail.com>
spotbugs · Mar 15, 2022 · 7c1ddfa · 7c1ddfa
1 parent 6a0dc03
commit 7c1ddfa
Show file tree

Hide file tree

Showing 6 changed files with 175 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ Currently the versioning policy of this project follows [Semantic Versioning v2.
 
 ### Added
 * New detector `FindInstanceLockOnSharedStaticData` for new bug type `SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA`. This detector reports a bug if an instance level lock is used to modify a shared static data. (See [SEI CERT rule LCK06-J](https://wiki.sei.cmu.edu/confluence/display/java/LCK06-J.+Do+not+use+an+instance+lock+to+protect+shared+static+data))
+* New rule `PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS` to warn for custom class loaders who do not call their superclasses' `getPermissions()` in their `getPermissions()` method. This rule based on the SEI CERT rule *SEC07-J Call the superclass's getPermissions() method when writing a custom class loader*. ([#SEC07-J](https://wiki.sei.cmu.edu/confluence/display/java/SEC07-J.+Call+the+superclass%27s+getPermissions%28%29+method+when+writing+a+custom+class+loader))
 
 ## 4.5.3 - 2022-01-04
 ### Security

diff --git a/spotbugs/etc/findbugs.xml b/spotbugs/etc/findbugs.xml
@@ -659,6 +659,8 @@
                     reports="MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR,MC_OVERRIDABLE_METHOD_CALL_IN_CLONE"/>
           <Detector class="edu.umd.cs.findbugs.detect.FindInstanceLockOnSharedStaticData" speed="fast"
                     reports="SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA"/>
+          <Detector class="edu.umd.cs.findbugs.detect.PermissionsSuper"
+                    reports="PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS"/>
             <!-- Bug Categories -->
            <BugCategory category="NOISE" hidden="true"/>
 
@@ -1269,4 +1271,5 @@
           <BugPattern abbrev="MC" type="MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR" category="MALICIOUS_CODE" />
           <BugPattern abbrev="MC" type="MC_OVERRIDABLE_METHOD_CALL_IN_CLONE" category="MALICIOUS_CODE" />
           <BugPattern abbrev="SSD" type="SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA" category="CORRECTNESS" />
+          <BugPattern abbrev="PERM" type="PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS" category="MALICIOUS_CODE" />
 </FindbugsPlugin>
diff --git a/spotbugs/etc/messages.xml b/spotbugs/etc/messages.xml
@@ -1733,6 +1733,17 @@ factory pattern to create these objects.</p>
       ]]>
     </Details>
   </Detector>
+  <Detector class="edu.umd.cs.findbugs.detect.PermissionsSuper">
+    <Details>
+      <![CDATA[
+            <p>Checks method getPermissions() of classes implementing interface
+               java.security.SecureClassLoader. The methods must always call
+               super.getPermissions() to get the initial value of the object
+               which they return at the end.
+              </p>
+              ]]>
+    </Details>
+  </Detector>
   <!--
   **********************************************************************
   BugPatterns
@@ -8627,6 +8638,7 @@ after the call to initLogging, the logger configuration is lost
       </p>]]>
     </Details>
   </BugPattern>
+
   <BugPattern type="SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA">
     <ShortDescription>Instance level lock was used on a shared static data</ShortDescription>
     <LongDescription>Static field "{1}" is modified by an instance level {2}.</LongDescription>
@@ -8641,6 +8653,21 @@ after the call to initLogging, the logger configuration is lost
       </p>]]>
     </Details>
   </BugPattern>
+
+  <BugPattern type="PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS">
+    <ShortDescription>Custom class loader does not call its superclass's getPermissions()</ShortDescription>
+    <LongDescription>Custom class loader {1} does not call its superclass's getPermissions()</LongDescription>
+    <Details>
+      <![CDATA[
+       <p>
+       <a href="https://wiki.sei.cmu.edu/confluence/display/java/SEC07-J.+Call+the+superclass%27s+getPermissions%28%29+method+when+writing+a+custom+class+loader">SEI CERT rule SEC07-J</a> requires that custom class loaders must always call their superclass's getPermissions()
+       method in their own getPermissions() method to initialize the object they return at the end. Omitting it means
+       that a class defined using this custom class loader has permissions that are completely independent of those
+       specified in the systemwide policy file. In effect, the class's permissions override them.
+       </p>
+      ]]>
+    </Details>
+  </BugPattern>
   <!--
   **********************************************************************
    BugCodes
@@ -8791,4 +8818,5 @@ after the call to initLogging, the logger configuration is lost
   <BugCode abbrev="REFLF">Reflection increasing accessibility of fields</BugCode>
   <BugCode abbrev="MC">Dangerous call to overridable method</BugCode>
   <BugCode abbrev="SSD">Do not use an instance lock to protect shared static data</BugCode>
+  <BugCode abbrev="PERM">Custom class loader does not call its superclass's getPermissions()</BugCode>
 </MessageCollection>
diff --git a/spotbugs/src/main/java/edu/umd/cs/findbugs/detect/PermissionsSuper.java b/spotbugs/src/main/java/edu/umd/cs/findbugs/detect/PermissionsSuper.java
@@ -0,0 +1,98 @@
+/*
+ * SpotBugs - Find bugs in Java programs
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+package edu.umd.cs.findbugs.detect;
+
+import java.util.Arrays;
+
+import org.apache.bcel.Const;
+import org.apache.bcel.Repository;
+import org.apache.bcel.classfile.Code;
+import org.apache.bcel.classfile.JavaClass;
+import org.apache.bcel.classfile.Method;
+
+import edu.umd.cs.findbugs.BugAccumulator;
+import edu.umd.cs.findbugs.BugInstance;
+import edu.umd.cs.findbugs.BugReporter;
+import edu.umd.cs.findbugs.ba.AnalysisContext;
+import edu.umd.cs.findbugs.ba.XMethod;
+import edu.umd.cs.findbugs.bcel.OpcodeStackDetector;
+
+public class PermissionsSuper extends OpcodeStackDetector {
+    private boolean checkClass = false;
+    private boolean checkMethod = false;
+
+    private final BugAccumulator bugAccumulator;
+
+    public PermissionsSuper(BugReporter bugReporter) {
+        this.bugAccumulator = new BugAccumulator(bugReporter);
+    }
+
+    @Override
+    public void visit(JavaClass obj) {
+        checkClass = false;
+        try {
+            checkClass = obj.instanceOf(Repository.lookupClass("java.security.SecureClassLoader"));
+        } catch (ClassNotFoundException e) {
+            AnalysisContext.reportMissingClass(e);
+        }
+        super.visit(obj);
+    }
+
+    @Override
+    public void visitAfter(JavaClass obj) {
+        bugAccumulator.reportAccumulatedBugs();
+    }
+
+    @Override
+    public void visit(Method met) {
+        checkMethod = checkClass &&
+                "(Ljava/security/CodeSource;)Ljava/security/PermissionCollection;"
+                        .equals(met.getSignature());
+        super.visit(met);
+    }
+
+    @Override
+    public void visit(Code obj) {
+        if (checkMethod) {
+            super.visit(obj);
+        }
+    }
+
+    @Override
+    public void sawOpcode(int seen) {
+        if (seen == Const.ARETURN) {
+            XMethod origin = stack.getStackItem(0).getReturnValueOf();
+            if (origin != null) {
+                try {
+                    if (Arrays.stream(getThisClass().getSuperClasses())
+                            .anyMatch(cls -> cls.getClassName().equals(origin.getClassName())) &&
+                            getMethod().getName().equals(origin.getName()) &&
+                            getMethod().getSignature().equals(origin.getSignature())) {
+                        return;
+                    }
+                } catch (ClassNotFoundException e) {
+                    AnalysisContext.reportMissingClass(e);
+                }
+            }
+            bugAccumulator.accumulateBug(new BugInstance(this,
+                    "PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS", NORMAL_PRIORITY)
+                            .addClassAndMethod(this), this);
+        }
+    }
+}
diff --git a/spotbugsTestCases/src/java/PermissionsSuperNegativeTest.java b/spotbugsTestCases/src/java/PermissionsSuperNegativeTest.java
@@ -0,0 +1,25 @@
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.security.CodeSource;
+import java.security.PermissionCollection;
+
+import edu.umd.cs.findbugs.annotations.NoWarning;
+
+public class PermissionsSuperNegativeTest extends MyClassLoader {
+    PermissionsSuperNegativeTest(URL[] urls) {
+        super(urls);
+    }
+
+    @NoWarning("PERM")
+    protected PermissionCollection getPermissions(CodeSource cs) {
+        PermissionCollection pc = super.getPermissions(cs);
+        pc.add(new RuntimePermission("exitVM"));
+        return pc;
+    }
+}
+
+class MyClassLoader extends URLClassLoader {
+    MyClassLoader(URL[] urls) {
+        super(urls);
+    }
+}
diff --git a/spotbugsTestCases/src/java/PermissionsSuperTest.java b/spotbugsTestCases/src/java/PermissionsSuperTest.java
@@ -0,0 +1,20 @@
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.security.CodeSource;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+
+import edu.umd.cs.findbugs.annotations.ExpectWarning;
+
+class PermissionsSuperTest extends URLClassLoader {
+    PermissionsSuperTest(URL[] urls) {
+        super(urls);
+    }
+
+    @ExpectWarning("PERM")
+    protected PermissionCollection getPermissions(CodeSource cs) {
+        PermissionCollection pc = new Permissions();
+        pc.add(new RuntimePermission("exitVM"));
+        return pc;
+    }
+}