可能每款成熟的金融app上架前都会经过层层安全检测才能执行上架,所以我隔三差五就能看到安全检测报告中提到的问题,根据问题的不同级别,处理的优先级也有所不同,此次讲的主要是一个
“轻度问题” ,个人认为属于那种可改不可改的状态
Tip :因并未重新进行安全检测,尚不确定该方式是否能解决实际提到的问题
人生处处是课堂
-
* 所遇问题- 自我求知
-
* setAccessible- 反射原理
- 解决过程
-
* 第一阶段- 第二阶段
- 最终方案
-
* 解决方式-
* ReflectionUtils- ReflectionHelper
- 使用方式
-
- SecurityManager 相关思考
-
* 如何规避 setAccessible 风险?- SecurityManager 如何给 setAccessible 授权?
- SecurityManager 如何使用?
所遇问题
漏洞描述 :AccessibleObject 类 允许程序员绕过 由 Java 访问说明符提供的 访问控制(access control)检查,特别是他让程序员能够允许反射对象绕过 Java access control,并反过来更改私有字段或调用私有方法、行为,这些通常情况下都是不允许的 |
漏洞影响 :不符合安全准则,绕过部分安全控制
解决建议 :建议应用服务器或者应用程序使用
SecurityManager的。如果存在System.getSecurityManager则该方法会必须先经过它的同意才能调用(这条建议是安全中心给出的,然后我全局都搜索不到SecurityManager、System.getSecurityManager,起初先忽略了,回头看的时候在最后补充了相关内容)
触发安全风险的伪代码示例
自我求知
解决问题的第一步是明确问题的产生原因,然后针对于此进行逐步解决
结论先行:项目中存在类(对象)操作的相关代码
当编译时,编译器会进行访问(权限)检查可以通过setAccessible方法屏蔽或者说禁用运行时访问检查
setAccessible
在安全中心给出的风险
代码段中 ,核心风险代码为setAccessible(true),那么有必要先了解一下此为何物
之前在java setaccessible 用处
中看到一个简短描述,提示了可能存在潜在风险
按照我看源码的猜想,不论访问权限是(public、private)哪种,
setAccessible在底层中默认应该都是
false,意味着都需要接受权限检查,主要区别在于public可以通过检查,而private通不过
setAccessible(boolean flag) 方法是 AccessibleObject 类中的一个方法,它是 Field、
Method、Constructor的公共父类。
通过反射Class类后,以下三种都是其内部可反射的范围,当触发这些场景将执行运行时访问检查:
- Field(字段) 设置字段(set(Object obj, Object value))或获取字段(get(Object obj))
- Method(方法) 调用方法(invoke(Object obj, Object… args))
- Constructor(构造函数) 创建和初始化类的新实例(newInstance(Object… initargs))
反射原理
Java反射是一种强大的特性,它允许程序在运行时动态地获取和操作类的信息。通过反射,我们可以创建对象、调用方法和访问字段,而不需要提前知道类的具体定义。
Java反射的原理基于Java的运行时数据区域(Runtime Data
Area)和类加载机制。当Java虚拟机加载一个类时,它将类的字节码文件加载到内存中,并在方法区创建一个Class对象来表示该类。
因为Class对象包含了类的完整信息,包括类的构造函数、方法、字段等;所以可以通过反射提供的一系列方法在运行时来获取Class对象、获取构造函数、获取方法、获取字段等。
解决过程
起初看到这个问题,我认为是没必要解决,所以直接拒了需求方,然后因为工作态度就被上了一课,然后直接给我发了一个别人的处理方式 -
field.setAccessible(true);代码扫描有安全漏洞,解决方案
第一阶段
AccessibleObject类是
Field、Method和Constructor对象的基类,能够允许反射对象修改访问权限修饰符,绕过由Java访问修饰符提供的访问控制检查。它让程序员能够更改私有字段或调用私有方法,这在通常情况下是不允许的!
例如:以下代码片段中,将Field将accessible标记设置为true。
Class clazz = User.class;
Field field = clazz.getField("name");
field.setAccessible(true);
如果为false,则其中的私有字段不能够被访问到的,所以不可以注掉。
ReflectionUtils.makeAccessible(field);
个人想法 :起初不确定是用 ReflectionUtils.makeAccessible(field) 替换
field.setAccessible(true) ,还行是在尾端加入ReflectionUtils.makeAccessible(field)
,所以可以先看看源码(后续会提到该类详情),可以看出在源码中做了权限检查后才确定是否禁用权限检查
调用代码,类似如下
Class clazz = User.class;
Field field = clazz.getField("name");
ReflectionUtils.makeAccessible(field);
第二阶段
因为这里并未提供 ReflectionUtils 工具类,所以自行搜索到了
ReflectionUtils反射工具:精要介绍与实战应用指南
作者说:org.springframework.util.
ReflectionUtils 是 Spring 框架提供的一个反射工具类,它封装了
Java 反射 API 的一些常用操作,使得我们能够更加方便、简洁地使用反射功能…
这篇Blog内并不是一无所获,至少我们可以看到这款工具类的相关调用方式!
那么接了下来我们就去找一下Android 的 ReflectionUtils 工具类
最终方案
经自我查证和同事推荐,主要找到俩种方法,处理方式应该是一样的,但是这种方法是否真的能解决问题?我目前对最终结果保持怀疑态度
解决方式
ReflectionUtils
找了半天在 Android反射机制简单理解,ReflectionUtils
反射工具类 看到一个类似的
ReflectionUtils(可直接copy)
package xxx;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.UndeclaredThrowableException;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
public class ReflectionUtils {
/**
* Pattern for detecting CGLIB-renamed methods.
* @see #isCglibRenamedMethod
*/
private static final Pattern CGLIB_RENAMED_METHOD_PATTERN = Pattern.compile("CGLIB\\$(.+)\\$\\d+");
/**
* Attempt to find a {@link Field field} on the supplied {@link Class} with the
* supplied {@code name}. Searches all superclasses up to {@link Object}.
* @param clazz the class to introspect
* @param name the name of the field
* @return the corresponding Field object, or {@code null} if not found
*/
public static Field findField(Class<?> clazz, String name) {
return findField(clazz, name, null);
}
/**
* Attempt to find a {@link Field field} on the supplied {@link Class} with the
* supplied {@code name} and/or {@link Class type}. Searches all superclasses
* up to {@link Object}.
* @param clazz the class to introspect
* @param name the name of the field (may be {@code null} if type is specified)
* @param type the type of the field (may be {@code null} if name is specified)
* @return the corresponding Field object, or {@code null} if not found
*/
public static Field findField(Class<?> clazz, String name, Class<?> type) {
//Assert.notNull(clazz, "Class must not be null");
//Assert.isTrue(name != null || type != null, "Either name or type of the field must be specified");
Class<?> searchType = clazz;
while (!Object.class.equals(searchType) && searchType != null) {
Field[] fields = searchType.getDeclaredFields();
for (Field field : fields) {
if ((name == null || name.equals(field.getName())) && (type == null || type.equals(field.getType()))) {
return field;
}
}
searchType = searchType.getSuperclass();
}
return null;
}
/**
* Set the field represented by the supplied {@link Field field object} on the
* specified {@link Object target object} to the specified {@code value}.
* In accordance with {@link Field#set(Object, Object)} semantics, the new value
* is automatically unwrapped if the underlying field has a primitive type.
* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException(Exception)}.
* @param field the field to set
* @param target the target object on which to set the field
* @param value the value to set; may be {@code null}
*/
public static void setField(Field field, Object target, Object value) {
try {
field.set(target, value);
}
catch (IllegalAccessException ex) {
handleReflectionException(ex);
throw new IllegalStateException(
"Unexpected reflection exception - " + ex.getClass().getName() + ": " + ex.getMessage());
}
}
/**
* Get the field represented by the supplied {@link Field field object} on the
* specified {@link Object target object}. In accordance with {@link Field#get(Object)}
* semantics, the returned value is automatically wrapped if the underlying field
* has a primitive type.
* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException(Exception)}.
* @param field the field to get
* @param target the target object from which to get the field
* @return the field's current value
*/
public static Object getField(Field field, Object target) {
try {
return field.get(target);
}
catch (IllegalAccessException ex) {
handleReflectionException(ex);
throw new IllegalStateException(
"Unexpected reflection exception - " + ex.getClass().getName() + ": " + ex.getMessage());
}
}
/**
* Attempt to find a {@link Method} on the supplied class with the supplied name
* and no parameters. Searches all superclasses up to {@code Object}.
* <p>Returns {@code null} if no {@link Method} can be found.
* @param clazz the class to introspect
* @param name the name of the method
* @return the Method object, or {@code null} if none found
*/
public static Method findMethod(Class<?> clazz, String name) {
return findMethod(clazz, name, new Class<?>[0]);
}
/**
* Attempt to find a {@link Method} on the supplied class with the supplied name
* and parameter types. Searches all superclasses up to {@code Object}.
* <p>Returns {@code null} if no {@link Method} can be found.
* @param clazz the class to introspect
* @param name the name of the method
* @param paramTypes the parameter types of the method
* (may be {@code null} to indicate any signature)
* @return the Method object, or {@code null} if none found
*/
public static Method findMethod(Class<?> clazz, String name, Class<?>... paramTypes) {
//Assert.notNull(clazz, "Class must not be null");
//Assert.notNull(name, "Method name must not be null");
Class<?> searchType = clazz;
while (searchType != null) {
Method[] methods = (searchType.isInterface() ? searchType.getMethods() : searchType.getDeclaredMethods());
for (Method method : methods)
if (name.equals(method.getName()) &&
(paramTypes == null || Arrays.equals(paramTypes, method.getParameterTypes()))) {
return method;
}
searchType = searchType.getSuperclass();
}
return null;
}
/**
* Invoke the specified {@link Method} against the supplied target object with no arguments.
* The target object can be {@code null} when invoking a static {@link Method}.
* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException}.
* @param method the method to invoke
* @param target the target object to invoke the method on
* @return the invocation result, if any
* @see #invokeMethod(Method, Object, Object[])
*/
public static Object invokeMethod(Method method, Object target) {
return invokeMethod(method, target, new Object[0]);
}
/**
* Invoke the specified {@link Method} against the supplied target object with the
* supplied arguments. The target object can be {@code null} when invoking a
* static {@link Method}.
* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException}.
* @param method the method to invoke
* @param target the target object to invoke the method on
* @param args the invocation arguments (may be {@code null})
* @return the invocation result, if any
*/
public static Object invokeMethod(Method method, Object target, Object... args) {
try {
return method.invoke(target, args);
}
catch (Exception ex) {
handleReflectionException(ex);
}
throw new IllegalStateException("Should never get here");
}
/**
* Invoke the specified JDBC API {@link Method} against the supplied target
* object with no arguments.
* @param method the method to invoke
* @param target the target object to invoke the method on
* @return the invocation result, if any
* @throws SQLException the JDBC API SQLException to rethrow (if any)
* @see #invokeJdbcMethod(Method, Object, Object[])
*/
public static Object invokeJdbcMethod(Method method, Object target) throws SQLException {
return invokeJdbcMethod(method, target, new Object[0]);
}
/**
* Invoke the specified JDBC API {@link Method} against the supplied target
* object with the supplied arguments.
* @param method the method to invoke
* @param target the target object to invoke the method on
* @param args the invocation arguments (may be {@code null})
* @return the invocation result, if any
* @throws SQLException the JDBC API SQLException to rethrow (if any)
* @see #invokeMethod(Method, Object, Object[])
*/
public static Object invokeJdbcMethod(Method method, Object target, Object... args) throws SQLException {
try {
return method.invoke(target, args);
}
catch (IllegalAccessException ex) {
handleReflectionException(ex);
}
catch (InvocationTargetException ex) {
if (ex.getTargetException() instanceof SQLException) {
throw (SQLException) ex.getTargetException();
}
handleInvocationTargetException(ex);
}
throw new IllegalStateException("Should never get here");
}
/**
* Handle the given reflection exception. Should only be called if no
* checked exception is expected to be thrown by the target method.
* <p>Throws the underlying RuntimeException or Error in case of an
* InvocationTargetException with such a root cause. Throws an
* IllegalStateException with an appropriate message else.
* @param ex the reflection exception to handle
*/
public static void handleReflectionException(Exception ex) {
if (ex instanceof NoSuchMethodException) {
throw new IllegalStateException("Method not found: " + ex.getMessage());
}
if (ex instanceof IllegalAccessException) {
throw new IllegalStateException("Could not access method: " + ex.getMessage());
}
if (ex instanceof InvocationTargetException) {
handleInvocationTargetException((InvocationTargetException) ex);
}
if (ex instanceof RuntimeException) {
throw (RuntimeException) ex;
}
throw new UndeclaredThrowableException(ex);
}
/**
* Handle the given invocation target exception. Should only be called if no
* checked exception is expected to be thrown by the target method.
* <p>Throws the underlying RuntimeException or Error in case of such a root
* cause. Throws an IllegalStateException else.
* @param ex the invocation target exception to handle
*/
public static void handleInvocationTargetException(InvocationTargetException ex) {
rethrowRuntimeException(ex.getTargetException());
}
/**
* Rethrow the given {@link Throwable exception}, which is presumably the
* <em>target exception</em> of an {@link InvocationTargetException}. Should
* only be called if no checked exception is expected to be thrown by the
* target method.
* <p>Rethrows the underlying exception cast to an {@link RuntimeException} or
* {@link Error} if appropriate; otherwise, throws an
* {@link IllegalStateException}.
* @param ex the exception to rethrow
* @throws RuntimeException the rethrown exception
*/
public static void rethrowRuntimeException(Throwable ex) {
if (ex instanceof RuntimeException) {
throw (RuntimeException) ex;
}
if (ex instanceof Error) {
throw (Error) ex;
}
throw new UndeclaredThrowableException(ex);
}
/**
* Rethrow the given {@link Throwable exception}, which is presumably the
* <em>target exception</em> of an {@link InvocationTargetException}. Should
* only be called if no checked exception is expected to be thrown by the
* target method.
* <p>Rethrows the underlying exception cast to an {@link Exception} or
* {@link Error} if appropriate; otherwise, throws an
* {@link IllegalStateException}.
* @param ex the exception to rethrow
* @throws Exception the rethrown exception (in case of a checked exception)
*/
public static void rethrowException(Throwable ex) throws Exception {
if (ex instanceof Exception) {
throw (Exception) ex;
}
if (ex instanceof Error) {
throw (Error) ex;
}
throw new UndeclaredThrowableException(ex);
}
/**
* Determine whether the given method explicitly declares the given
* exception or one of its superclasses, which means that an exception of
* that type can be propagated as-is within a reflective invocation.
* @param method the declaring method
* @param exceptionType the exception to throw
* @return {@code true} if the exception can be thrown as-is;
* {@code false} if it needs to be wrapped
*/
public static boolean declaresException(Method method, Class<?> exceptionType) {
//Assert.notNull(method, "Method must not be null");
Class<?>[] declaredExceptions = method.getExceptionTypes();
for (Class<?> declaredException : declaredExceptions) {
if (declaredException.isAssignableFrom(exceptionType)) {
return true;
}
}
return false;
}
/**
* Determine whether the given field is a "public static final" constant.
* @param field the field to check
*/
public static boolean isPublicStaticFinal(Field field) {
int modifiers = field.getModifiers();
return (Modifier.isPublic(modifiers) && Modifier.isStatic(modifiers) && Modifier.isFinal(modifiers));
}
/**
* Determine whether the given method is an "equals" method.
* @see Object#equals(Object)
*/
public static boolean isEqualsMethod(Method method) {
if (method == null || !method.getName().equals("equals")) {
return false;
}
Class<?>[] paramTypes = method.getParameterTypes();
return (paramTypes.length == 1 && paramTypes[0] == Object.class);
}
/**
* Determine whether the given method is a "hashCode" method.
* @see Object#hashCode()
*/
public static boolean isHashCodeMethod(Method method) {
return (method != null && method.getName().equals("hashCode") && method.getParameterTypes().length == 0);
}
/**
* Determine whether the given method is a "toString" method.
* @see Object#toString()
*/
public static boolean isToStringMethod(Method method) {
return (method != null && method.getName().equals("toString") && method.getParameterTypes().length == 0);
}
/**
* Determine whether the given method is originally declared by {@link Object}.
*/
public static boolean isObjectMethod(Method method) {
if (method == null) {
return false;
}
try {
Object.class.getDeclaredMethod(method.getName(), method.getParameterTypes());
return true;
}
catch (Exception ex) {
return false;
}
}
/**
* Determine whether the given method is a CGLIB 'renamed' method,
* following the pattern "CGLIB$methodName$0".
* @param renamedMethod the method to check
* @see //org.springframework.cglib.proxy.Enhancer#rename
*/
public static boolean isCglibRenamedMethod(Method renamedMethod) {
return CGLIB_RENAMED_METHOD_PATTERN.matcher(renamedMethod.getName()).matches();
}
/**
* Make the given field accessible, explicitly setting it accessible if
* necessary. The {@code setAccessible(true)} method is only called
* when actually necessary, to avoid unnecessary conflicts with a JVM
* SecurityManager (if active).
* @param field the field to make accessible
* @see Field#setAccessible
*/
public static void makeAccessible(Field field) {
if ((!Modifier.isPublic(field.getModifiers()) || !Modifier.isPublic(field.getDeclaringClass().getModifiers()) ||
Modifier.isFinal(field.getModifiers())) && !field.isAccessible()) {
field.setAccessible(true);
}
}
/**
* Make the given method accessible, explicitly setting it accessible if
* necessary. The {@code setAccessible(true)} method is only called
* when actually necessary, to avoid unnecessary conflicts with a JVM
* SecurityManager (if active).
* @param method the method to make accessible
* @see Method#setAccessible
*/
public static void makeAccessible(Method method) {
if ((!Modifier.isPublic(method.getModifiers()) || !Modifier.isPublic(method.getDeclaringClass().getModifiers()))
&& !method.isAccessible()) {
method.setAccessible(true);
}
}
/**
* Make the given constructor accessible, explicitly setting it accessible
* if necessary. The {@code setAccessible(true)} method is only called
* when actually necessary, to avoid unnecessary conflicts with a JVM
* SecurityManager (if active).
* @param ctor the constructor to make accessible
* @see Constructor#setAccessible
*/
public static void makeAccessible(Constructor<?> ctor) {
if ((!Modifier.isPublic(ctor.getModifiers()) || !Modifier.isPublic(ctor.getDeclaringClass().getModifiers()))
&& !ctor.isAccessible()) {
ctor.setAccessible(true);
}
}
/**
* Perform the given callback operation on all matching methods of the given
* class and superclasses.
* <p>The same named method occurring on subclass and superclass will appear
* twice, unless excluded by a {@link MethodFilter}.
* @param clazz class to start looking at
* @param mc the callback to invoke for each method
* @see #doWithMethods(Class, MethodCallback, MethodFilter)
*/
public static void doWithMethods(Class<?> clazz, MethodCallback mc) throws IllegalArgumentException {
doWithMethods(clazz, mc, null);
}
/**
* Perform the given callback operation on all matching methods of the given
* class and superclasses (or given interface and super-interfaces).
* <p>The same named method occurring on subclass and superclass will appear
* twice, unless excluded by the specified {@link MethodFilter}.
* @param clazz class to start looking at
* @param mc the callback to invoke for each method
* @param mf the filter that determines the methods to apply the callback to
*/
public static void doWithMethods(Class<?> clazz, MethodCallback mc, MethodFilter mf)
throws IllegalArgumentException {
// Keep backing up the inheritance hierarchy.
Method[] methods = clazz.getDeclaredMethods();
for (Method method : methods) {
if (mf != null && !mf.matches(method)) {
continue;
}
try {
mc.doWith(method);
}
catch (IllegalAccessException ex) {
throw new IllegalStateException("Shouldn't be illegal to access method '" + method.getName()
+ "': " + ex);
}
}
if (clazz.getSuperclass() != null) {
doWithMethods(clazz.getSuperclass(), mc, mf);
}
else if (clazz.isInterface()) {
for (Class<?> superIfc : clazz.getInterfaces()) {
doWithMethods(superIfc, mc, mf);
}
}
}
/**
* Get all declared methods on the leaf class and all superclasses. Leaf
* class methods are included first.
*/
public static Method[] getAllDeclaredMethods(Class<?> leafClass) throws IllegalArgumentException {
final List<Method> methods = new ArrayList<Method>(32);
doWithMethods(leafClass, new MethodCallback() {
public void doWith(Method method) {
methods.add(method);
}
});
return methods.toArray(new Method[methods.size()]);
}
/**
* Get the unique set of declared methods on the leaf class and all superclasses. Leaf
* class methods are included first and while traversing the superclass hierarchy any methods found
* with signatures matching a method already included are filtered out.
*/
public static Method[] getUniqueDeclaredMethods(Class<?> leafClass) throws IllegalArgumentException {
final List<Method> methods = new ArrayList<Method>(32);
doWithMethods(leafClass, new MethodCallback() {
public void doWith(Method method) {
boolean knownSignature = false;
Method methodBeingOverriddenWithCovariantReturnType = null;
for (Method existingMethod : methods) {
if (method.getName().equals(existingMethod.getName()) &&
Arrays.equals(method.getParameterTypes(), existingMethod.getParameterTypes())) {
// Is this a covariant return type situation?
if (existingMethod.getReturnType() != method.getReturnType() &&
existingMethod.getReturnType().isAssignableFrom(method.getReturnType())) {
methodBeingOverriddenWithCovariantReturnType = existingMethod;
}
else {
knownSignature = true;
}
break;
}
}
if (methodBeingOverriddenWithCovariantReturnType != null) {
methods.remove(methodBeingOverriddenWithCovariantReturnType);
}
if (!knownSignature && !isCglibRenamedMethod(method)) {
methods.add(method);
}
}
});
return methods.toArray(new Method[methods.size()]);
}
/**
* Invoke the given callback on all fields in the target class, going up the
* class hierarchy to get all declared fields.
* @param clazz the target class to analyze
* @param fc the callback to invoke for each field
*/
public static void doWithFields(Class<?> clazz, FieldCallback fc) throws IllegalArgumentException {
doWithFields(clazz, fc, null);
}
/**
* Invoke the given callback on all fields in the target class, going up the
* class hierarchy to get all declared fields.
* @param clazz the target class to analyze
* @param fc the callback to invoke for each field
* @param ff the filter that determines the fields to apply the callback to
*/
public static void doWithFields(Class<?> clazz, FieldCallback fc, FieldFilter ff)
throws IllegalArgumentException {
// Keep backing up the inheritance hierarchy.
Class<?> targetClass = clazz;
do {
Field[] fields = targetClass.getDeclaredFields();
for (Field field : fields) {
// Skip static and final fields.
if (ff != null && !ff.matches(field)) {
continue;
}
try {
fc.doWith(field);
}
catch (IllegalAccessException ex) {
throw new IllegalStateException(
"Shouldn't be illegal to access field '" + field.getName() + "': " + ex);
}
}
targetClass = targetClass.getSuperclass();
}
while (targetClass != null && targetClass != Object.class);
}
/**
* Given the source object and the destination, which must be the same class
* or a subclass, copy all fields, including inherited fields. Designed to
* work on objects with public no-arg constructors.
* @throws IllegalArgumentException if the arguments are incompatible
*/
public static void shallowCopyFieldState(final Object src, final Object dest) throws IllegalArgumentException {
if (src == null) {
throw new IllegalArgumentException("Source for field copy cannot be null");
}
if (dest == null) {
throw new IllegalArgumentException("Destination for field copy cannot be null");
}
if (!src.getClass().isAssignableFrom(dest.getClass())) {
throw new IllegalArgumentException("Destination class [" + dest.getClass().getName()
+ "] must be same or subclass as source class [" + src.getClass().getName() + "]");
}
doWithFields(src.getClass(), new FieldCallback() {
public void doWith(Field field) throws IllegalArgumentException, IllegalAccessException {
makeAccessible(field);
Object srcValue = field.get(src);
field.set(dest, srcValue);
}
}, COPYABLE_FIELDS);
}
/**
* Action to take on each method.
*/
public interface MethodCallback {
/**
* Perform an operation using the given method.
* @param method the method to operate on
*/
void doWith(Method method) throws IllegalArgumentException, IllegalAccessException;
}
/**
* Callback optionally used to filter methods to be operated on by a method callback.
*/
public interface MethodFilter {
/**
* Determine whether the given method matches.
* @param method the method to check
*/
boolean matches(Method method);
}
/**
* Callback interface invoked on each field in the hierarchy.
*/
public interface FieldCallback {
/**
* Perform an operation using the given field.
* @param field the field to operate on
*/
void doWith(Field field) throws IllegalArgumentException, IllegalAccessException;
}
/**
* Callback optionally used to filter fields to be operated on by a field callback.
*/
public interface FieldFilter {
/**
* Determine whether the given field matches.
* @param field the field to check
*/
boolean matches(Field field);
}
/**
* Pre-built FieldFilter that matches all non-static, non-final fields.
*/
public static FieldFilter COPYABLE_FIELDS = new FieldFilter() {
public boolean matches(Field field) {
return !(Modifier.isStatic(field.getModifiers()) || Modifier.isFinal(field.getModifiers()));
}
};
/**
* Pre-built MethodFilter that matches all non-bridge methods.
*/
public static MethodFilter NON_BRIDGED_METHODS = new MethodFilter() {
public boolean matches(Method method) {
return !method.isBridge();
}
};
/**
* Pre-built MethodFilter that matches all non-bridge methods
* which are not declared on {@code java.lang.Object}.
*/
public static MethodFilter USER_DECLARED_METHODS = new MethodFilter() {
public boolean matches(Method method) {
return (!method.isBridge() && method.getDeclaringClass() != Object.class);
}
};
}
ReflectionHelper
ReflectionHelper 是 google.gson 提供的一个类,有需要的话可以引入 gson
依赖,不确定copy后是否可直接使用(如果有包内关联类的话,最好是引入依赖)
package com.google.gson.internal.reflect;
import com.google.gson.JsonIOException;
import com.google.gson.internal.GsonBuildConfig;
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
public class ReflectionHelper {
private static final RecordHelper RECORD_HELPER;
static {
RecordHelper instance;
try {
// Try to construct the RecordSupportedHelper, if this fails, records are not supported on this JVM.
instance = new RecordSupportedHelper();
} catch (NoSuchMethodException e) {
instance = new RecordNotSupportedHelper();
}
RECORD_HELPER = instance;
}
private ReflectionHelper() {}
/**
* Internal implementation of making an {@link AccessibleObject} accessible.
*
* @param object the object that {@link AccessibleObject#setAccessible(boolean)} should be called on.
* @throws JsonIOException if making the object accessible fails
*/
public static void makeAccessible(AccessibleObject object) throws JsonIOException {
try {
object.setAccessible(true);
} catch (Exception exception) {
String description = getAccessibleObjectDescription(object, false);
throw new JsonIOException("Failed making " + description + " accessible; either increase its visibility"
+ " or write a custom TypeAdapter for its declaring type.", exception);
}
}
/**
* Returns a short string describing the {@link AccessibleObject} in a human-readable way.
* The result is normally shorter than {@link AccessibleObject#toString()} because it omits
* modifiers (e.g. {@code final}) and uses simple names for constructor and method parameter
* types.
*
* @param object object to describe
* @param uppercaseFirstLetter whether the first letter of the description should be uppercased
*/
public static String getAccessibleObjectDescription(AccessibleObject object, boolean uppercaseFirstLetter) {
String description;
if (object instanceof Field) {
description = "field '" + fieldToString((Field) object) + "'";
} else if (object instanceof Method) {
Method method = (Method) object;
StringBuilder methodSignatureBuilder = new StringBuilder(method.getName());
appendExecutableParameters(method, methodSignatureBuilder);
String methodSignature = methodSignatureBuilder.toString();
description = "method '" + method.getDeclaringClass().getName() + "#" + methodSignature + "'";
} else if (object instanceof Constructor) {
description = "constructor '" + constructorToString((Constructor<?>) object) + "'";
} else {
description = "<unknown AccessibleObject> " + object.toString();
}
if (uppercaseFirstLetter && Character.isLowerCase(description.charAt(0))) {
description = Character.toUpperCase(description.charAt(0)) + description.substring(1);
}
return description;
}
/**
* Creates a string representation for a field, omitting modifiers and
* the field type.
*/
public static String fieldToString(Field field) {
return field.getDeclaringClass().getName() + "#" + field.getName();
}
/**
* Creates a string representation for a constructor.
* E.g.: {@code java.lang.String(char[], int, int)}
*/
public static String constructorToString(Constructor<?> constructor) {
StringBuilder stringBuilder = new StringBuilder(constructor.getDeclaringClass().getName());
appendExecutableParameters(constructor, stringBuilder);
return stringBuilder.toString();
}
// Note: Ideally parameter type would be java.lang.reflect.Executable, but that was added in Java 8
private static void appendExecutableParameters(AccessibleObject executable, StringBuilder stringBuilder) {
stringBuilder.append('(');
Class<?>[] parameters = (executable instanceof Method)
? ((Method) executable).getParameterTypes()
: ((Constructor<?>) executable).getParameterTypes();
for (int i = 0; i < parameters.length; i++) {
if (i > 0) {
stringBuilder.append(", ");
}
stringBuilder.append(parameters[i].getSimpleName());
}
stringBuilder.append(')');
}
/**
* Tries making the constructor accessible, returning an exception message
* if this fails.
*
* @param constructor constructor to make accessible
* @return exception message; {@code null} if successful, non-{@code null} if
* unsuccessful
*/
public static String tryMakeAccessible(Constructor<?> constructor) {
try {
constructor.setAccessible(true);
return null;
} catch (Exception exception) {
return "Failed making constructor '" + constructorToString(constructor) + "' accessible;"
+ " either increase its visibility or write a custom InstanceCreator or TypeAdapter for"
// Include the message since it might contain more detailed information
+ " its declaring type: " + exception.getMessage();
}
}
/** If records are supported on the JVM, this is equivalent to a call to Class.isRecord() */
public static boolean isRecord(Class<?> raw) {
return RECORD_HELPER.isRecord(raw);
}
public static String[] getRecordComponentNames(Class<?> raw) {
return RECORD_HELPER.getRecordComponentNames(raw);
}
/** Looks up the record accessor method that corresponds to the given record field */
public static Method getAccessor(Class<?> raw, Field field) {
return RECORD_HELPER.getAccessor(raw, field);
}
public static <T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw) {
return RECORD_HELPER.getCanonicalRecordConstructor(raw);
}
public static RuntimeException createExceptionForUnexpectedIllegalAccess(
IllegalAccessException exception) {
throw new RuntimeException("Unexpected IllegalAccessException occurred (Gson " + GsonBuildConfig.VERSION + ")."
+ " Certain ReflectionAccessFilter features require Java >= 9 to work correctly. If you are not using"
+ " ReflectionAccessFilter, report this to the Gson maintainers.",
exception);
}
private static RuntimeException createExceptionForRecordReflectionException(
ReflectiveOperationException exception) {
throw new RuntimeException("Unexpected ReflectiveOperationException occurred"
+ " (Gson " + GsonBuildConfig.VERSION + ")."
+ " To support Java records, reflection is utilized to read out information"
+ " about records. All these invocations happens after it is established"
+ " that records exist in the JVM. This exception is unexpected behavior.",
exception);
}
/**
* Internal abstraction over reflection when Records are supported.
*/
private abstract static class RecordHelper {
abstract boolean isRecord(Class<?> clazz);
abstract String[] getRecordComponentNames(Class<?> clazz);
abstract <T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw);
public abstract Method getAccessor(Class<?> raw, Field field);
}
private static class RecordSupportedHelper extends RecordHelper {
private final Method isRecord;
private final Method getRecordComponents;
private final Method getName;
private final Method getType;
private RecordSupportedHelper() throws NoSuchMethodException {
isRecord = Class.class.getMethod("isRecord");
getRecordComponents = Class.class.getMethod("getRecordComponents");
// Class java.lang.reflect.RecordComponent
Class<?> classRecordComponent = getRecordComponents.getReturnType().getComponentType();
getName = classRecordComponent.getMethod("getName");
getType = classRecordComponent.getMethod("getType");
}
@Override
boolean isRecord(Class<?> raw) {
try {
return (boolean) isRecord.invoke(raw);
} catch (ReflectiveOperationException e) {
throw createExceptionForRecordReflectionException(e);
}
}
@Override
String[] getRecordComponentNames(Class<?> raw) {
try {
Object[] recordComponents = (Object[]) getRecordComponents.invoke(raw);
String[] componentNames = new String[recordComponents.length];
for (int i = 0; i < recordComponents.length; i++) {
componentNames[i] = (String) getName.invoke(recordComponents[i]);
}
return componentNames;
} catch (ReflectiveOperationException e) {
throw createExceptionForRecordReflectionException(e);
}
}
@Override
public <T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw) {
try {
Object[] recordComponents = (Object[]) getRecordComponents.invoke(raw);
Class<?>[] recordComponentTypes = new Class<?>[recordComponents.length];
for (int i = 0; i < recordComponents.length; i++) {
recordComponentTypes[i] = (Class<?>) getType.invoke(recordComponents[i]);
}
// Uses getDeclaredConstructor because implicit constructor has same visibility as record and might
// therefore not be public
return raw.getDeclaredConstructor(recordComponentTypes);
} catch (ReflectiveOperationException e) {
throw createExceptionForRecordReflectionException(e);
}
}
@Override
public Method getAccessor(Class<?> raw, Field field) {
try {
// Records consists of record components, each with a unique name, a corresponding field and accessor method
// with the same name. Ref.: https://docs.oracle.com/javase/specs/jls/se17/html/jls-8.html#jls-8.10.3
return raw.getMethod(field.getName());
} catch (ReflectiveOperationException e) {
throw createExceptionForRecordReflectionException(e);
}
}
}
/**
* Instance used when records are not supported
*/
private static class RecordNotSupportedHelper extends RecordHelper {
@Override
boolean isRecord(Class<?> clazz) {
return false;
}
@Override
String[] getRecordComponentNames(Class<?> clazz) {
throw new UnsupportedOperationException(
"Records are not supported on this JVM, this method should not be called");
}
@Override
<T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw) {
throw new UnsupportedOperationException(
"Records are not supported on this JVM, this method should not be called");
}
@Override
public Method getAccessor(Class<?> raw, Field field) {
throw new UnsupportedOperationException(
"Records are not supported on this JVM, this method should not be called");
}
}
}
使用方式
仅需在原 setAccessible(true) 处采用 ReflectionHelper.makeAccessible(xxx) 或
ReflectionUtils.makeAccessible(xxx) 替换即可
SecurityManager 相关思考
在此之前我应该没了解过 SecurityManager ,这次应该是首次,以下主要是我的一些答疑
如何规避 setAccessible 风险?
Hint :伪代码其实就已经做了 try、catch 操作
SecurityManager 如何给 setAccessible 授权?
我理解的:根据结果来看就是不建议使用setAccessible,如果要使用就用 SecurityManager
授权,但即使这样也不保证就能解决安全风险?
SecurityManager 如何使用?
学习网络安全技术的方法无非三种:
第一种是报网络安全专业,现在叫网络空间安全专业,主要专业课程:程序设计、计算机组成原理原理、数据结构、操作系统原理、数据库系统、 计算机网络、人工智能、自然语言处理、社会计算、网络安全法律法规、网络安全、内容安全、数字取证、机器学习,多媒体技术,信息检索、舆情分析等。
第二种是自学,就是在网上找资源、找教程,或者是想办法认识一-些大佬,抱紧大腿,不过这种方法很耗时间,而且学习没有规划,可能很长一段时间感觉自己没有进步,容易劝退。
如果你对网络安全入门感兴趣,那么你需要的话可以点击这里👉网络安全重磅福利:入门&进阶全套282G学习资源包免费分享!
第三种就是去找培训。
接下来,我会教你零基础入门快速入门上手网络安全。
网络安全入门到底是先学编程还是先学计算机基础?这是一个争议比较大的问题,有的人会建议先学编程,而有的人会建议先学计算机基础,其实这都是要学的。而且这些对学习网络安全来说非常重要。但是对于完全零基础的人来说又或者急于转行的人来说,学习编程或者计算机基础对他们来说都有一定的难度,并且花费时间太长。
第一阶段:基础准备 4周~6周
这个阶段是所有准备进入安全行业必学的部分,俗话说:基础不劳,地动山摇
第二阶段:web渗透
学习基础 时间:1周 ~ 2周:
① 了解基本概念:(SQL注入、XSS、上传、CSRF、一句话木马、等)为之后的WEB渗透测试打下基础。
② 查看一些论坛的一些Web渗透,学一学案例的思路,每一个站点都不一样,所以思路是主要的。
③ 学会提问的艺术,如果遇到不懂得要善于提问。
配置渗透环境 时间:3周 ~ 4周:
① 了解渗透测试常用的工具,例如(AWVS、SQLMAP、NMAP、BURP、中国菜刀等)。
② 下载这些工具无后门版本并且安装到计算机上。
③ 了解这些工具的使用场景,懂得基本的使用,推荐在Google上查找。
渗透实战操作 时间:约6周:
① 在网上搜索渗透实战案例,深入了解SQL注入、文件上传、解析漏洞等在实战中的使用。
② 自己搭建漏洞环境测试,推荐DWVA,SQLi-labs,Upload-labs,bWAPP。
③ 懂得渗透测试的阶段,每一个阶段需要做那些动作:例如PTES渗透测试执行标准。
④ 深入研究手工SQL注入,寻找绕过waf的方法,制作自己的脚本。
⑤ 研究文件上传的原理,如何进行截断、双重后缀欺骗(IIS、PHP)、解析漏洞利用(IIS、Nignix、Apache)等,参照:上传攻击框架。
⑥ 了解XSS形成原理和种类,在DWVA中进行实践,使用一个含有XSS漏洞的cms,安装安全狗等进行测试。
⑦ 了解一句话木马,并尝试编写过狗一句话。
⑧ 研究在Windows和Linux下的提升权限,Google关键词:提权
以上就是入门阶段
第三阶段:进阶
已经入门并且找到工作之后又该怎么进阶?详情看下图
给新手小白的入门建议:
新手入门学习最好还是从视频入手进行学习,视频的浅显易懂相比起晦涩的文字而言更容易吸收,这里我给大家准备了一套网络安全从入门到精通的视频学习资料包免费领取哦!
如果你对网络安全入门感兴趣,那么你需要的话可以点击这里👉网络安全重磅福利:入门&进阶全套282G学习资源包免费分享!
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
