RFR: 8320971: Use BufferedInputStream.buf directly when param of implTransferTo() is trusted [v2]

[Vladimir Sitnikov]

On Thu, 30 Nov 2023 08:58:18 GMT, Alan Bateman <alanb at openjdk.org> wrote:

>> I don't think checking if the package is java.io is secure:
>> 
>> ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
>> BufferedInputStream bis = new BufferedInputStream(bais);
>> UntrustedOutputStream uos = new UntrustedOutputStream();
>> bis.transferTo(new java.io.DataOutputStream(uos)); 
>> 
>> You have to know that it is in the java.io package and it doesn't wrap another stream.
>
>> You have to know that it is in the java.io package and it doesn't wrap another stream.
> 
> That is a good point. In the previous work on this override, we converged on the current implementation to not leak the internal byte[] to the target. It could be special cased for trusted targets but at the cost of auditing and complexity. So more thought needed on this, I don't think the current change can be integrated.

What do you think of adding `OutputStream extends WritableByteChannel`, so `transferTo` could be implemented with `if (target instanceof WritableByteChannel) { target.write(ByteBuffer.wrap(buf, off, len).asReadOnly()); }`?

Read-only byte buffer will not allow modifying the data in the buffer, it would eliminate buffer copies, and adding `write(ByteBuffer)` to `OutputStream` seems reasonable.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16879#discussion_r1410416823