RFR: JDK-8285932 Implementation of JEP-430 String Templates (Preview) [v7]

Jim Laskey jlaskey at openjdk.org
Tue Nov 1 19:09:41 UTC 2022


On Mon, 31 Oct 2022 21:23:19 GMT, Stuart Marks <smarks at openjdk.org> wrote:

>> Jim Laskey has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Add @SafeVarargs declarations
>
> src/java.base/share/classes/java/lang/template/TemplateRuntime.java line 99:
> 
>> 97:     private static <E> List<E> toList(E... elements) {
>> 98:         return JUCA.listFromTrustedArrayNullsAllowed(elements);
>> 99:     }
> 
> I'm ok with using JUCA to create an unmodifiable list that can contain nulls.
> 
> However, it "trusts" the argument array, meaning that the array is assumed to be referenced exclusively and so the array reference is used directly in the resulting List object. That implies that one needs to be very careful about the array that gets passed in, otherwise, the resulting List might not actually be unmodifiable.
> 
> In particular, the call site in StringTemplate.of()
> 
> https://github.com/openjdk/jdk/pull/10889/files#diff-d4e02e5ead5ad4f2cfe509c58d1145f599285cd6736bbf37e4116045b2fd50bcR309
> 
> passes the array obtained from a List parameter that comes directly from a public call, meaning that malicious code could keep a reference to the array returned by `toArray` and modify it later. You could clone the array, or just revert back to the slow path.

Changing caller

-------------

PR: https://git.openjdk.org/jdk/pull/10889
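
The aliasing problem raised in the review, as an added example that is not part of the original thread or the JDK sources. `wrapTrusted`, `ofUnsafe`, `ofCloned` and `RetainingList` are hypothetical names, and `Collections.unmodifiableList(Arrays.asList(...))` stands in for the JDK-internal trusted-array factory because it likewise wraps the array without copying it.

```java
import java.util.AbstractList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class TrustedArrayDemo {
    // Hypothetical stand-in for a "trusted array" factory: the array is
    // wrapped directly, so the List is only as immutable as the array is private.
    static <E> List<E> wrapTrusted(E[] elements) {
        return Collections.unmodifiableList(Arrays.asList(elements));
    }

    // Pattern the review flags: the array comes from a caller-supplied List
    // and is handed to the trusting factory unchanged.
    static List<Object> ofUnsafe(List<?> values) {
        return wrapTrusted(values.toArray());
    }

    // Hardened form: clone first, so the new List holds the only reference.
    static List<Object> ofCloned(List<?> values) {
        return wrapTrusted(values.toArray().clone());
    }

    // Constructed caller-controlled List whose toArray() returns an array
    // that the caller keeps a reference to.
    static final class RetainingList extends AbstractList<Object> {
        final Object[] backing;
        RetainingList(Object... backing) { this.backing = backing; }
        @Override public Object get(int i) { return backing[i]; }
        @Override public int size() { return backing.length; }
        @Override public Object[] toArray() { return backing; }
    }

    public static void main(String[] args) {
        RetainingList input = new RetainingList("alice", 42, null);
        List<Object> unsafe = ofUnsafe(input);
        List<Object> cloned = ofCloned(input);

        // The caller writes through the array reference it retained.
        input.backing[0] = "changed-later";

        System.out.println("unsafe: " + unsafe);  // reflects the later write
        System.out.println("cloned: " + cloned);  // keeps the original values
        try {
            unsafe.set(0, "x");
        } catch (UnsupportedOperationException e) {
            System.out.println("List API still rejects set() on both lists");
        }
    }
}
```

The List interface refuses mutation in both cases; only the cloned variant also protects the contents from writes made through the retained array.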

