Skip to content

✨ Add compatibility with Java modules#9

Merged
ryandens merged 37 commits intomainfrom
ryandens/java-module-compatibility
Sep 28, 2023
Merged

✨ Add compatibility with Java modules#9
ryandens merged 37 commits intomainfrom
ryandens/java-module-compatibility

Conversation

@ryandens
Copy link
Copy Markdown
Member

@ryandens ryandens commented Sep 26, 2023
edited
Loading

@ryandens ryandens changed the title Add compatibility with Java modules ✨ Add compatibility with Java modules Sep 26, 2023
ryandens and others added 18 commits September 26, 2023 09:41
@ryandens ryandens force-pushed the ryandens/java-module-compatibility branch from 1cb7643 to 150e0e4 Compare September 28, 2023 18:18
@ryandens ryandens marked this pull request as ready for review September 28, 2023 18:22
@ryandens ryandens requested a review from nahsra September 28, 2023 18:22
nahsra
nahsra requested changes Sep 28, 2023
View reviewed changes
Comment thread src/main/java/io/github/pixee/security/HtmlEncoder.java
public static String encode(final String s) {
return Escape.html(s);
}

Copy link
Copy Markdown
Contributor

@nahsra nahsra Sep 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't leave a comment on it, but the createSafeObjectInputStream() from this type I assumed would be in the Java 8 version of this class for the JAR, so that we could use it. This seems like it will be only available in Java 11.

I see a couple solutions, but it seems like we should create a new type, SandboxingObjectInputStream that contains just that particular method, and leave this file as is. That way, everyone can access SandboxingObjectInputStream, and the ObjectInputFilter-related will only be in the 11 binary.

Copy link
Copy Markdown
Member Author

@ryandens ryandens Sep 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I hadn't noticed that, i saw the class name on ObjectInputFilters and just assumed the whole class was a a java 8 thing. I'll fix with the new type

Comment thread test-apps/hello-world-modules/src/main/java/io/github/pixee/testapp/Main.java Outdated
Comment thread build.gradle.kts
jacoco
`jvm-test-suite`
id("com.netflix.nebula.contacts") version "7.0.1"
id("com.netflix.nebula.source-jar") version "20.3.0"
Copy link
Copy Markdown
Contributor

@nahsra nahsra Sep 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mmmhmm. I definitely understand this. Nice!

Copy link
Copy Markdown
Member Author

@ryandens ryandens Sep 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

haha - just the netflix cocktail of plugins for creating a maven release that passes sonatype validation

@ryandens ryandens requested a review from nahsra September 28, 2023 19:46
nahsra
nahsra requested changes Sep 28, 2023
View reviewed changes
Comment thread src/main/java/io/github/pixee/security/SafeObjectInputStream.java Outdated
* href="https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html">OWASP
* Cheat Sheet</a>.
*/
public final class SafeObjectInputStream {
Copy link
Copy Markdown
Contributor

@nahsra nahsra Sep 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This API now feels pretty clunky:

ObjectInputStream ois = SafeObjectInputStream.createSafeObjectInputStream(is);

I feel like it should be one of these:

ObjectInputStream ois = LimitingObjectInputStream.from(is);
ObjectInputStream ois = ObjectInputStreams.disallowDangerousTypes(is);

I tried to avoid Safe* as a prefix for everything because although it may be "safe", if the developer doesn't understand how it's making it safe, I think there's less chance of them using it.

See the # Type and method names section in CONTRIBUTING.md.

Copy link
Copy Markdown
Member Author

@ryandens ryandens Sep 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 I renamed to ObjectInputStreams to better align with ObjectInputFilters, but I want to limit the scope of this PR beyond what's necessary as we're already changing build system, adding multiple test suites, and introducing the multi-release JAR

@ryandens ryandens requested a review from nahsra September 28, 2023 20:58
@nahsra nahsra mentioned this pull request Sep 28, 2023
Closed
@ryandens ryandens force-pushed the ryandens/java-module-compatibility branch from 11616e7 to 82333fe Compare September 28, 2023 21:56
@ryandens ryandens merged commit af9a1a3 into main Sep 28, 2023
@ryandens ryandens deleted the ryandens/java-module-compatibility branch September 28, 2023 22:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nahsra nahsra nahsra approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ryandens @nahsra