Skip to content

Commit

Permalink
Avoid instantiating arbitrary classes
Browse files Browse the repository at this point in the history
This PR avoids the use of `Class#newInstance`, which is
deprecated in Java 9.

In particular, previously you could set the `config.strategy`
system to an arbitrary class that would get instantiated even
if it was not a subclass of `ConfigLoadingStrategy`. This is
now checked before instantiating the class.

The previous behavior could arguably be considered a security
concern when an attacker has write access to system properties,
though in such a scenario there are likely many other ways to
load arbitrary code.
  • Loading branch information
raboof committed Feb 1, 2022
1 parent f92a4ee commit 74bbcff
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 3 deletions.
7 changes: 6 additions & 1 deletion config/src/main/java/com/typesafe/config/ConfigFactory.java
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@

import java.io.File;
import java.io.Reader;
import java.lang.reflect.InvocationTargetException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Map;
Expand Down Expand Up @@ -1241,7 +1242,11 @@ private static ConfigLoadingStrategy getConfigLoadingStrategy() {

if (className != null) {
try {
return ConfigLoadingStrategy.class.cast(Class.forName(className).newInstance());
return Class.forName(className).asSubclass(ConfigLoadingStrategy.class).getDeclaredConstructor().newInstance();
} catch (InvocationTargetException e) {
Throwable cause = e.getCause();
if (cause == null) throw new ConfigException.BugOrBroken("Failed to load strategy: " + className, e);
else throw new ConfigException.BugOrBroken("Failed to load strategy: " + className, cause);
} catch (Throwable e) {
throw new ConfigException.BugOrBroken("Failed to load strategy: " + className, e);
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@ public static <T> T createInternal(Config config, Class<T> clazz) {
}

// Fill in the bean instance
T bean = clazz.newInstance();
T bean = clazz.getDeclaredConstructor().newInstance();
for (PropertyDescriptor beanProp : beanProps) {
Method setter = beanProp.getWriteMethod();
Type parameterType = setter.getGenericParameterTypes()[0];
Expand All @@ -125,8 +125,10 @@ public static <T> T createInternal(Config config, Class<T> clazz) {
setter.invoke(bean, unwrapped);
}
return bean;
} catch (InstantiationException e) {
} catch (NoSuchMethodException e) {
throw new ConfigException.BadBean(clazz.getName() + " needs a public no-args constructor to be used as a bean", e);
} catch (InstantiationException e) {
throw new ConfigException.BadBean(clazz.getName() + " needs to be instantiable to be used as a bean", e);
} catch (IllegalAccessException e) {
throw new ConfigException.BadBean(clazz.getName() + " getters and setters are not accessible, they must be for use as a bean", e);
} catch (InvocationTargetException e) {
Expand Down

0 comments on commit 74bbcff

Please sign in to comment.