Use privileged action to instantiate LiteExtensionTranslator; make su…

…re we use constructor when instantiating instances via no-args ctors
weld · May 15, 2024 · d686860 · d686860
1 parent 7b16c24
commit d686860
Show file tree

Hide file tree

Showing 9 changed files with 59 additions and 15 deletions.
diff --git a/...src/main/java/org/jboss/weld/environment/deployment/discovery/jandex/SecurityActions.java b/...src/main/java/org/jboss/weld/environment/deployment/discovery/jandex/SecurityActions.java
@@ -22,6 +22,7 @@
 
 import org.jboss.weld.exceptions.WeldException;
 import org.jboss.weld.security.ConstructorNewInstanceAction;
+import org.jboss.weld.security.GetDeclaredConstructorAction;
 import org.jboss.weld.security.NewInstanceAction;
 
 /**
@@ -41,7 +42,8 @@ private SecurityActions() {
     static <T> T newInstance(Class<T> javaClass) throws InstantiationException, IllegalAccessException {
         if (System.getSecurityManager() != null) {
             try {
-                return AccessController.doPrivileged(NewInstanceAction.of(javaClass));
+                return AccessController.doPrivileged(
+                        NewInstanceAction.of(AccessController.doPrivileged(GetDeclaredConstructorAction.of(javaClass))));
             } catch (PrivilegedActionException e) {
                 throw new WeldException(e.getCause());
             }

diff --git a/environments/common/src/main/java/org/jboss/weld/environment/util/SecurityActions.java b/environments/common/src/main/java/org/jboss/weld/environment/util/SecurityActions.java
@@ -20,6 +20,7 @@
 import java.security.PrivilegedActionException;
 
 import org.jboss.weld.exceptions.WeldException;
+import org.jboss.weld.security.GetDeclaredConstructorAction;
 import org.jboss.weld.security.NewInstanceAction;
 
 /**
@@ -41,7 +42,8 @@ private SecurityActions() {
     static <T> T newInstance(Class<T> javaClass) throws InstantiationException, IllegalAccessException {
         if (System.getSecurityManager() != null) {
             try {
-                return AccessController.doPrivileged(NewInstanceAction.of(javaClass));
+                return AccessController.doPrivileged(
+                        NewInstanceAction.of(AccessController.doPrivileged(GetDeclaredConstructorAction.of(javaClass))));
             } catch (PrivilegedActionException e) {
                 throw new WeldException(e.getCause());
             }

diff --git a/environments/se/core/src/main/java/org/jboss/weld/environment/se/SecurityActions.java b/environments/se/core/src/main/java/org/jboss/weld/environment/se/SecurityActions.java
@@ -16,11 +16,14 @@
  */
 package org.jboss.weld.environment.se;
 
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
 
 import org.jboss.weld.exceptions.WeldException;
+import org.jboss.weld.security.GetDeclaredConstructorAction;
 import org.jboss.weld.security.NewInstanceAction;
 
 /**
@@ -42,7 +45,8 @@ private SecurityActions() {
     static <T> T newInstance(Class<T> javaClass) throws InstantiationException, IllegalAccessException {
         if (System.getSecurityManager() != null) {
             try {
-                return AccessController.doPrivileged(NewInstanceAction.of(javaClass));
+                Constructor<T> constructor = AccessController.doPrivileged(GetDeclaredConstructorAction.of(javaClass));
+                return AccessController.doPrivileged(NewInstanceAction.of(constructor));
             } catch (PrivilegedActionException e) {
                 throw new WeldException(e.getCause());
             }
@@ -51,6 +55,28 @@ static <T> T newInstance(Class<T> javaClass) throws InstantiationException, Ille
         }
     }
 
+    static <T> Constructor<T> getDeclaredConstructor(Class<T> javaClass, Class<?>... parameterTypes)
+            throws NoSuchMethodException, PrivilegedActionException {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(GetDeclaredConstructorAction.of(javaClass, parameterTypes));
+        } else {
+            return javaClass.getDeclaredConstructor(parameterTypes);
+        }
+    }
+
+    static <T> T newInstance(Constructor<T> constructor, Object... params)
+            throws InstantiationException, IllegalAccessException, InvocationTargetException {
+        if (System.getSecurityManager() != null) {
+            try {
+                return AccessController.doPrivileged(NewInstanceAction.of(constructor, params));
+            } catch (PrivilegedActionException e) {
+                throw new WeldException(e.getCause());
+            }
+        } else {
+            return constructor.newInstance(params);
+        }
+    }
+
     /**
      *
      * @param hook

diff --git a/environments/se/core/src/main/java/org/jboss/weld/environment/se/Weld.java b/environments/se/core/src/main/java/org/jboss/weld/environment/se/Weld.java
@@ -1181,7 +1181,8 @@ protected Iterable<Metadata<Extension>> getExtensions() {
         if (!allBce.isEmpty()) {
             try {
                 result.add(new MetadataImpl<Extension>(
-                        new LiteExtensionTranslator(allBce, Thread.currentThread().getContextClassLoader()),
+                        SecurityActions.newInstance(SecurityActions.getDeclaredConstructor(LiteExtensionTranslator.class,
+                                Collection.class, ClassLoader.class), allBce, Thread.currentThread().getContextClassLoader()),
                         SYNTHETIC_LOCATION_PREFIX + LiteExtensionTranslator.class.getName()));
             } catch (Exception e) {
                 throw new RuntimeException(e);

diff --git a/...nments/servlet/core/src/main/java/org/jboss/weld/environment/servlet/SecurityActions.java b/...nments/servlet/core/src/main/java/org/jboss/weld/environment/servlet/SecurityActions.java
@@ -24,6 +24,7 @@
 
 import org.jboss.weld.exceptions.WeldException;
 import org.jboss.weld.security.ConstructorNewInstanceAction;
+import org.jboss.weld.security.GetDeclaredConstructorAction;
 import org.jboss.weld.security.MethodLookupAction;
 import org.jboss.weld.security.NewInstanceAction;
 
@@ -44,7 +45,8 @@ private SecurityActions() {
     static <T> T newInstance(Class<T> javaClass) throws InstantiationException, IllegalAccessException {
         if (System.getSecurityManager() != null) {
             try {
-                return AccessController.doPrivileged(NewInstanceAction.of(javaClass));
+                return AccessController.doPrivileged(
+                        NewInstanceAction.of(AccessController.doPrivileged(GetDeclaredConstructorAction.of(javaClass))));
             } catch (PrivilegedActionException e) {
                 throw new WeldException(e.getCause());
             }

diff --git a/impl/src/main/java/org/jboss/weld/injection/Exceptions.java b/impl/src/main/java/org/jboss/weld/injection/Exceptions.java
@@ -23,6 +23,7 @@
 import jakarta.enterprise.inject.CreationException;
 
 import org.jboss.weld.exceptions.WeldException;
+import org.jboss.weld.security.GetDeclaredConstructorAction;
 import org.jboss.weld.security.NewInstanceAction;
 
 class Exceptions {
@@ -36,8 +37,8 @@ private static void rethrowException(Throwable t, Class<? extends RuntimeExcepti
         } else {
             RuntimeException e;
             try {
-
-                e = AccessController.doPrivileged(NewInstanceAction.of(exceptionToThrow));
+                e = AccessController.doPrivileged(
+                        NewInstanceAction.of(AccessController.doPrivileged(GetDeclaredConstructorAction.of(exceptionToThrow))));
             } catch (PrivilegedActionException ex) {
                 throw new WeldException(ex.getCause());
             }

diff --git a/impl/src/main/java/org/jboss/weld/security/NewInstanceAction.java b/impl/src/main/java/org/jboss/weld/security/NewInstanceAction.java
@@ -16,20 +16,27 @@
  */
 package org.jboss.weld.security;
 
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
 import java.security.PrivilegedExceptionAction;
 
 public class NewInstanceAction<T> extends AbstractGenericReflectionAction<T> implements PrivilegedExceptionAction<T> {
 
-    public static <T> NewInstanceAction<T> of(Class<T> javaClass) {
-        return new NewInstanceAction<T>(javaClass);
+    public static <T> NewInstanceAction<T> of(Constructor<T> constructor, Object... params) {
+        return new NewInstanceAction<T>(constructor, params);
     }
 
-    public NewInstanceAction(Class<T> javaClass) {
-        super(javaClass);
+    private final Constructor<T> constructor;
+    private final Object[] params;
+
+    public NewInstanceAction(Constructor<T> constructor, Object... params) {
+        super(constructor.getDeclaringClass());
+        this.constructor = constructor;
+        this.params = params;
     }
 
     @Override
-    public T run() throws InstantiationException, IllegalAccessException {
-        return javaClass.newInstance();
+    public T run() throws InvocationTargetException, InstantiationException, IllegalAccessException {
+        return constructor.newInstance(params);
     }
 }
diff --git a/impl/src/test/java/org/jboss/weld/tests/unit/security/ReflectionTest.java b/impl/src/test/java/org/jboss/weld/tests/unit/security/ReflectionTest.java
@@ -197,7 +197,8 @@ public void testConstructorAccess() {
 
     @Test
     public void testNewInstance() throws PrivilegedActionException {
-        Assert.assertNotNull(AccessController.doPrivileged(NewInstanceAction.of(TestObject.class)));
+        Assert.assertNotNull(AccessController.doPrivileged(
+                NewInstanceAction.of(AccessController.doPrivileged(GetDeclaredConstructorAction.of(TestObject.class)))));
     }
 
     @Test

diff --git a/modules/ejb/src/main/java/org/jboss/weld/module/ejb/SessionBeanProxyInstantiator.java b/modules/ejb/src/main/java/org/jboss/weld/module/ejb/SessionBeanProxyInstantiator.java
@@ -31,6 +31,7 @@
 import org.jboss.weld.injection.producer.Instantiator;
 import org.jboss.weld.logging.BeanLogger;
 import org.jboss.weld.manager.BeanManagerImpl;
+import org.jboss.weld.security.GetDeclaredConstructorAction;
 import org.jboss.weld.security.NewInstanceAction;
 
 /**
@@ -51,7 +52,8 @@ class SessionBeanProxyInstantiator<T> implements Instantiator<T> {
     @Override
     public T newInstance(CreationalContext<T> ctx, BeanManagerImpl manager) {
         try {
-            T instance = AccessController.doPrivileged(NewInstanceAction.of(proxyClass));
+            T instance = AccessController.doPrivileged(
+                    NewInstanceAction.of(AccessController.doPrivileged(GetDeclaredConstructorAction.of(proxyClass))));
             if (!bean.getScope().equals(Dependent.class)) {
                 ctx.push(instance);
             }