New candidate JEP: 491: Synchronize Virtual Threads without Pinning

Kyle Stiemann kyle.stiemann at contrastsecurity.com
Fri Oct 25 13:34:03 UTC 2024


We track untrusted data moving to different threads. Oversimplified example:

```java
final String param = httpRequest.getParam("foo");

new Thread(() -> {
    // Vulnerable to SQL Injection.
    sqlConnection.prepareCall("SELECT * FROM foo WHERE bar='" + param + "'");

    // ...
}).start();

Thread.startVirtualThread(() -> {
    // Vulnerable to SQL Injection.
    sqlConnection.prepareCall("SELECT * FROM foo WHERE bar='" + param + "'");

    // ...
});
```

We need to detect both of these cases of SQL Injection, so we store a
context of untrusted data to keep track of how that data moves between
threads.

- Kyle

On Thu, Oct 24, 2024 at 5:49 AM Alan Bateman <alan.bateman at oracle.com>
wrote:

>
>
> On 23/10/2024 18:51, Kyle Stiemann wrote:
> > Hello,
> > I work on the Java Agent team at Contrast Security. Our agent has to
> > track security-relevant data/contexts across threads (including
> > virtual threads).
> Reading your mail again, I'm puzzled as to why you are doing this. A
> virtual thread and its carrier are separate threads. What security
> relevant data are you tracking?
>
> -Alan
>
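An added illustration (not the Contrast agent's code, and not part of the original thread) of the cross-thread context the message above describes: a per-request record of untrusted values is captured on the request thread and installed on whichever thread runs the task, platform or virtual, so a SQL sink on that thread can still see where its input came from. The class and method names (`TaintContext`, `carrying`, `sqlSink`) are hypothetical, the `param` value is constructed, and the sink check is a deliberately crude substring test standing in for real string-level taint propagation. `Thread.startVirtualThread` needs Java 21 or later.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Set;

// Hypothetical names throughout; this is an illustration, not an agent implementation.
public class TaintContextDemo {

    /** Per-request record of untrusted values, shared by every thread that inherits it. */
    static final class TaintContext {
        // Identity-based so two equal strings from different sources are not confused.
        private final Set<String> untrusted =
                Collections.synchronizedSet(Collections.newSetFromMap(new IdentityHashMap<>()));

        void markUntrusted(String value) { untrusted.add(value); }

        /** Crude stand-in for string-level taint propagation: does any untrusted
         *  value appear verbatim in the text that reaches the sink? */
        boolean flowsInto(String sinkText) {
            synchronized (untrusted) {            // required when iterating a synchronizedSet
                for (String u : untrusted) {
                    if (!u.isEmpty() && sinkText.contains(u)) return true;
                }
            }
            return false;
        }
    }

    // Thread-confined by design: another thread sees it only if we carry it over explicitly.
    private static final ThreadLocal<TaintContext> CURRENT = new ThreadLocal<>();

    static TaintContext begin() {
        TaintContext ctx = new TaintContext();
        CURRENT.set(ctx);
        return ctx;
    }

    /** Capture the caller's context and install it on whichever thread runs the task.
     *  This hand-off is the same for new Thread(...) and Thread.startVirtualThread(...). */
    static Runnable carrying(Runnable task) {
        TaintContext captured = CURRENT.get();
        return () -> {
            TaintContext previous = CURRENT.get();
            CURRENT.set(captured);
            try { task.run(); } finally { CURRENT.set(previous); }
        };
    }

    /** Hypothetical SQL sink: reports what it sees instead of executing anything. */
    static String sqlSink(String sql) {
        TaintContext ctx = CURRENT.get();
        if (ctx != null && ctx.flowsInto(sql)) {
            return "FINDING on " + Thread.currentThread() + ": untrusted data in SQL: " + sql;
        }
        return "ok on " + Thread.currentThread() + ": " + sql;
    }

    public static void main(String[] args) throws InterruptedException {
        TaintContext ctx = begin();
        String param = "some-user-input";        // constructed stand-in for httpRequest.getParam("foo")
        ctx.markUntrusted(param);

        List<String> results = Collections.synchronizedList(new ArrayList<>());

        // The two cases from the post: concatenation on a platform thread and on a virtual thread.
        Runnable unsafe = carrying(() ->
                results.add(sqlSink("SELECT * FROM foo WHERE bar='" + param + "'")));
        // Parameterized form: the untrusted value never becomes part of the SQL text.
        Runnable safe = carrying(() ->
                results.add(sqlSink("SELECT * FROM foo WHERE bar=?") + " (param bound as parameter 1)"));

        Thread t1 = new Thread(unsafe);
        t1.start();
        Thread t2 = Thread.startVirtualThread(unsafe);
        Thread t3 = Thread.startVirtualThread(safe);
        t1.join(); t2.join(); t3.join();

        results.forEach(System.out::println);   // two FINDING lines, one ok line
    }
}
```

Without `carrying`, the `ThreadLocal` would be empty on both child threads and the sink would report nothing, which is the gap the agent has to close; the virtual thread and the carrier it happens to run on play no part in the hand-off, since the context travels with the task rather than with the carrier.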