New candidate JEP: 491: Synchronize Virtual Threads without Pinning
Alan Bateman
alan.bateman at oracle.com
Fri Oct 25 13:46:32 UTC 2024
On 25/10/2024 14:34, Kyle Stiemann wrote:
> We track untrusted data moving to different threads. Oversimplified
> example:
>
> ```
> final String param = httpRequest.getParam("foo");
>
> new Thread(() -> {
>     // Vulnerable to SQL Injection.
>     sqlConnection.prepareCall("SELECT * FROM foo WHERE bar='" + param
>         + "'");
>
>     // ...
> }).start();
>
> Thread.startVirtualThread(() -> {
>     // Vulnerable to SQL Injection.
>     sqlConnection.prepareCall("SELECT * FROM foo WHERE bar='" + param
>         + "'");
>
>     // ...
> });
> ```
>
> We need to detect both of these cases of SQL Injection so we store a
> context of untrusted data to keep track of how that data moves between
> threads.
>
Okay, but this is just capturing and using in two threads, it shouldn't
require instrumenting scheduling points.
-Alan
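The point made above is that a context can follow untrusted data into a new thread without instrumenting the scheduler: capture the context when the task is created and reinstall it where the task runs, which works the same way for platform and virtual threads. The following is an added illustration of that idea and is not code from this thread or from the JDK; `TaintContext`, `checkQuery`, the constructed request parameter and the substring-based taint check are all assumptions made for the example, and the JDBC call is replaced by a stand-in that only inspects the query text.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ConcurrentLinkedQueue;

// Added example (not from the loom-dev thread): a per-request taint set that is
// captured at task creation and reinstalled in whichever thread runs the task.
public final class TaintAcrossThreads {

    /** Per-thread record of untrusted string values seen for the current request (constructed for this example). */
    static final class TaintContext {
        private static final ThreadLocal<Set<String>> CURRENT =
                ThreadLocal.withInitial(HashSet::new);

        /** Mark a value as untrusted at the trust boundary and hand it back unchanged. */
        static String markTainted(String value) {
            CURRENT.get().add(value);
            return value;
        }

        /** Deliberately crude check: does the query text embed any tainted value verbatim? */
        static boolean containsTaint(String sql) {
            for (String tainted : CURRENT.get()) {
                if (!tainted.isEmpty() && sql.contains(tainted)) {
                    return true;
                }
            }
            return false;
        }

        /** Capture the creating thread's taint set and reinstall it where the task runs. */
        static Runnable propagate(Runnable task) {
            Set<String> captured = new HashSet<>(CURRENT.get());
            return () -> {
                CURRENT.set(captured);          // same code path for platform and virtual threads
                try {
                    task.run();
                } finally {
                    CURRENT.remove();           // do not leak the set to a reused carrier/pool thread
                }
            };
        }
    }

    /** Stand-in for the JDBC call: records whether the query text carried tainted data. */
    static void checkQuery(String label, String sql, ConcurrentLinkedQueue<String> findings) {
        String verdict = TaintContext.containsTaint(sql) ? "FLAGGED" : "ok";
        findings.add(label + " (virtual=" + Thread.currentThread().isVirtual() + ") " + verdict + ": " + sql);
    }

    public static void main(String[] args) throws InterruptedException {
        ConcurrentLinkedQueue<String> findings = new ConcurrentLinkedQueue<>();
        // Constructed request parameter; an embedded quote is enough to break a concatenated literal.
        final String param = TaintContext.markTainted("O'Brien");

        Runnable work = () -> {
            // Vulnerable form: the untrusted value becomes part of the SQL text.
            checkQuery("concat", "SELECT * FROM foo WHERE bar='" + param + "'", findings);
            // Hardened form: placeholder in the text; the value would be bound with setString(1, param).
            checkQuery("param ", "SELECT * FROM foo WHERE bar=?", findings);
        };

        Thread platform = new Thread(TaintContext.propagate(work));
        platform.start();
        Thread virtual = Thread.startVirtualThread(TaintContext.propagate(work));
        platform.join();
        virtual.join();

        // Expected: both "concat" lines are FLAGGED, both "param" lines are ok,
        // one pair from the platform thread and one from the virtual thread.
        findings.forEach(System.out::println);
    }
}
```

Compile and run with a JDK that ships virtual threads (Java 21 or later). The wrapper in `propagate` is the only hook needed: the set is copied when the `Runnable` is built and installed when it runs, so a virtual thread yielding and resuming on a different carrier never touches the context. The `finally` block matters in practice, because a pool or carrier thread that keeps a stale taint set would produce false positives for the next request it serves.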