[rfc][icedtea-web] Temporary Permissions generated via reflection (re-proposal)

Andrew Azores aazores at redhat.com
Fri Jun 13 20:41:41 UTC 2014 

On 06/13/2014 04:26 PM, Deepak Bhole wrote:
> * Andrew Azores <aazores at redhat.com> [2014-06-13 11:19]:
>> On 06/13/2014 11:09 AM, Andrew Azores wrote:
>>> Hi,
>>>
>>> When Temporary Permissions on the security dialogs were first introduced,
>>> I proposed to have them generated from the PolicyEditorPermissions
>>> dynamically using reflection, so that "grantable" permissions were only
>>> defined in one place and so maintenance would be easy, and the
>>> TemporaryPermissions class could be kept small. This was rejected due to
>>> the required use of reflection, but I am re-proposing this patch because I
>>> do believe it is a much cleaner solution, especially now that the number
>>> of grantable permissions has grown and the temporary permissions menu has
>>> become a multi-select UI rather than preset groups.
>>>
>>> ChangeLog:
>>>     TemporaryPermissions generated via reflection rather than hard coded
>>>     * netx/net/sourceforge/jnlp/resources/Messages.properties
>>>     (STempPermNoFile, STempPermNoNetwork, STempPermNoExec,
>>>     STempNoFileOrNetwork, STempNoExecOrNetwork, STempNoFileOrExec,
>>>     STempNoFileOrNetworkOrExec, STempAllMedia, STempSoundOnly,
>>>     STempClipboardOnly, STempPrintOnly, STempAllFileAndPropertyAccess,
>>>     STempReadLocalFilesAndProperties, STempReflectionOnly): removed
>>>     (STempNetwork, STempReadFilesAndProperties,
>>> STempWriteFilesAndProperties,
>>>     STempReflectionAndExternal, STempAllMedia): new messages
>>>     * netx/net/sourceforge/jnlp/resources/Messages_cs.properties
>>>     (STempPermNoFile, STempPermNoNetwork, STempPermNoExec,
>>>     STempNoFileOrNetwork, STempNoExecOrNetwork, STempNoFileOrExec,
>>>     STempNoFileOrNetworkOrExec, STempAllMedia, STempSoundOnly,
>>>     STempClipboardOnly, STempPrintOnly, STempAllFileAndPropertyAccess,
>>>     STempReadLocalFilesAndProperties, STempReflectionOnly): removed
>>>     *
>>> netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissions.java:
>>>     rewrite to use reflection to generate permissions from
>>>     PolicyEditorPermissions rather than exposing statically defined values
>>>     *
>>> netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java:
>>>     refactor to use new TemporaryPermissions change
>>>     * tests/netx/unit/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsTest.java:
>>>     new tests for TemporaryPermissions
>>>
>>>
>>> Thanks,
>>>
>> Lightning-quick update thanks to Jie Kang's keen eye: now using multi-catch
>> in TemporaryPermissions.getPermission. Semantically the same and no other
>> changes.
>>
> Hi Andrew,
>
> I agree, reflection is preferable over an ever growing list of static
> permission objects.
>
> Right now the code seems to be boxed such that the reflected object
> creation is always done dynamically (via the new getPermission method).
> Is there is a chance that this could later be utilized with user input?
>
> In its current static state it is fine, but my concern is that there is
> no arg sanitization when we try to create permission objects with the
> given string args in getPermission. In addition to potential bugs, there
> could also be security implications caused by incorrect permission
> creation/granting.
>
> Rest looks fine to me.
>
> Cheers,
> Deepak

I don't anticipate this particular code being used to accept user input, 
although I suppose it would be possible. For me at least the purpose of 
these temporary permissions is just to give users a faster way to 
quickly test applets with various restricted permission configurations, 
rather than having to use PolicyEditor or policytool, which is a bit 
more involved. If the user needs a custom-defined permission, then 
PolicyEditor allows this through CustomPolicyViewer.

As it is, the PolicyEditorPermissions argument is pretty restrictive 
already. It's an enum with two String fields providing simple 
human-readable descriptions, and three more enum fields that model the 
permission type (eg java.io.FilePermission), target (eg "${user.home}"), 
and actions (eg "read"). So there isn't any actual sanitization on the 
input, but it's just because the input is restricted to come from these 
pre-defined enum values anyway.

Thanks,

-- 
Andrew A

More information about the distro-pkg-dev mailing list