Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Avoid codeql zip slip warning #13193

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Avoid codeql zip slip warning #13193

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 45 additions & 19 deletions javaagent-bootstrap/src/main/java/io/opentelemetry/javaagent/bootstrap/AgentClassLoader.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -169,11 +169,11 @@ public Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundExce
}

private Class<?> findAgentClass(String name) throws ClassNotFoundException {
JarEntry jarEntry = findJarEntry(name.replace('.', '/') + ".class");
if (jarEntry != null) {
AgentJarResource jarResource = findAgentJarResource(name.replace('.', '/') + ".class");
if (jarResource != null) {
byte[] bytes;
try {
bytes = getJarEntryBytes(jarEntry);
bytes = getJarEntryBytes(jarResource.getJarEntry());
} catch (IOException exception) {
throw new ClassNotFoundException(name, exception);
}
Expand Down Expand Up @@ -236,18 +236,20 @@ private static String getPackageName(String className) {
return index == -1 ? null : className.substring(0, index);
}

private JarEntry findJarEntry(String name) {
private AgentJarResource findAgentJarResource(String name) {
// shading renames .class to .classdata
boolean isClass = name.endsWith(".class");
if (isClass) {
name += getClassSuffix();
}

JarEntry jarEntry = jarFile.getJarEntry(jarEntryPrefix + name);
String jarEntryName = jarEntryPrefix + name;
JarEntry jarEntry = jarFile.getJarEntry(jarEntryName);
AgentJarResource jarResource = AgentJarResource.create(jarEntryName, jarEntry);
if (MULTI_RELEASE_JAR_ENABLE) {
jarEntry = findVersionedJarEntry(jarEntry, name);
jarResource = findVersionedAgentJarResource(jarResource, name);
}
return jarEntry;
return jarResource;
}

// suffix appended to class resource names
Expand All @@ -256,22 +258,23 @@ protected String getClassSuffix() {
return "data";
}

private JarEntry findVersionedJarEntry(JarEntry jarEntry, String name) {
private AgentJarResource findVersionedAgentJarResource(
AgentJarResource jarResource, String name) {
// same logic as in JarFile.getVersionedEntry
if (!name.startsWith(META_INF)) {
// search for versioned entry by looping over possible versions form high to low
int version = JAVA_VERSION;
while (version >= MIN_MULTI_RELEASE_JAR_JAVA_VERSION) {
JarEntry versionedJarEntry =
jarFile.getJarEntry(jarEntryPrefix + META_INF_VERSIONS + version + "/" + name);
String versionedJarEntryName = jarEntryPrefix + META_INF_VERSIONS + version + "/" + name;
JarEntry versionedJarEntry = jarFile.getJarEntry(versionedJarEntryName);
if (versionedJarEntry != null) {
return versionedJarEntry;
return AgentJarResource.create(versionedJarEntryName, versionedJarEntry);
}
version--;
}
}

return jarEntry;
return jarResource;
}

@Override
Expand All @@ -296,17 +299,17 @@ public URL findResource(String name) {
}

private URL findJarResource(String name) {
JarEntry jarEntry = findJarEntry(name);
return getJarEntryUrl(jarEntry);
AgentJarResource jarResource = findAgentJarResource(name);
return getAgentJarResourceUrl(jarResource);
}

private URL getJarEntryUrl(JarEntry jarEntry) {
if (jarEntry != null) {
private URL getAgentJarResourceUrl(AgentJarResource jarResource) {
if (jarResource != null) {
try {
return new URL(jarBase, jarEntry.getName());
return new URL(jarBase, jarResource.getName());
} catch (MalformedURLException e) {
throw new IllegalStateException(
"Failed to construct url for jar entry " + jarEntry.getName(), e);
"Failed to construct url for jar entry " + jarResource.getName(), e);
}
}

Expand Down Expand Up @@ -374,7 +377,8 @@ public URL getResource(String resourceName) {
// find from agent jar
if (agentClassLoader != null) {
JarEntry jarEntry = agentClassLoader.jarFile.getJarEntry(resourceName);
return agentClassLoader.getJarEntryUrl(jarEntry);
AgentJarResource jarResource = AgentJarResource.create(resourceName, jarEntry);
return agentClassLoader.getAgentJarResourceUrl(jarResource);
}
return null;
}
Expand All @@ -385,6 +389,28 @@ protected Class<?> findClass(String name) throws ClassNotFoundException {
}
}

private static class AgentJarResource {
private final String name;
private final JarEntry jarEntry;

private AgentJarResource(String name, JarEntry jarEntry) {
this.name = name;
this.jarEntry = jarEntry;
}

String getName() {
return name;
}

JarEntry getJarEntry() {
return jarEntry;
}

static AgentJarResource create(String name, JarEntry jarEntry) {
return jarEntry != null ? new AgentJarResource(name, jarEntry) : null;
}
}

private static class AgentClassLoaderUrlStreamHandler extends URLStreamHandler {
private final JarFile jarFile;

Expand Down