Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Candidates to be included as default allowances #353

Open
mschmnet opened this issue Apr 24, 2023 · 0 comments
Open

Candidates to be included as default allowances #353

mschmnet opened this issue Apr 24, 2023 · 0 comments

Comments

@mschmnet
Copy link

mschmnet commented Apr 24, 2023
edited
Loading

Motivation

After integrating BlockHound in a project, we've got these two detections (among others). They look like good candidates to be included in the BlockHound#allowances:

  • io.netty.util.internal.NativeLibraryLoader#load: This looks like a similar case as ClassLoader#class
  • java.util.ServiceLoader$LazyClassPathLookupIterator#hasNext

Desired solution

In case these are considered safe methods to be whitelisted, they could be included in the default list of BlockHound#allowances as they look like potentially common detections.

Considered alternatives

Not including them if assumption is not correct, or they don't seem to be common.

Additional context

One of them is detected when using BlobServiceAsyncClient (Azure):

	Suppressed: reactor.blockhound.BlockingOperationError: Blocking call! java.io.RandomAccessFile#readBytes
		at java.base/java.io.RandomAccessFile.readBytes(RandomAccessFile.java)
		at java.base/java.io.RandomAccessFile.read(RandomAccessFile.java:405)
		at java.base/java.io.RandomAccessFile.readFully(RandomAccessFile.java:469)
		at java.base/java.util.zip.ZipFile$Source.readFullyAt(ZipFile.java:1348)
		at java.base/java.util.zip.ZipFile$ZipFileInputStream.initDataOffset(ZipFile.java:915)
		at java.base/java.util.zip.ZipFile$ZipFileInputStream.read(ZipFile.java:931)
		at java.base/java.util.zip.ZipFile$ZipFileInflaterInputStream.fill(ZipFile.java:448)
		at java.base/java.util.zip.InflaterInputStream.read(InflaterInputStream.java:158)
		at java.base/java.io.InputStream.readNBytes(InputStream.java:506)
		at java.base/java.util.jar.JarFile.getBytes(JarFile.java:812)
		at java.base/java.util.jar.JarFile.checkForSpecialAttributes(JarFile.java:1002)
		at java.base/java.util.jar.JarFile.isMultiRelease(JarFile.java:389)
		at java.base/java.util.jar.JarFile.getEntry(JarFile.java:511)
		at java.base/sun.net.www.protocol.jar.URLJarFile.getEntry(URLJarFile.java:131)
		at java.base/sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:135)
		at java.base/sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:175)
		at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.parse(ServiceLoader.java:1172)
		at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.nextProviderClass(ServiceLoader.java:1213)
		at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNextService(ServiceLoader.java:1228)
		at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNext(ServiceLoader.java:1273)
		at java.base/java.util.ServiceLoader$2.hasNext(ServiceLoader.java:1309)
		at java.base/java.util.ServiceLoader$3.hasNext(ServiceLoader.java:1393)
		at java.xml/javax.xml.stream.FactoryFinder$1.run(FactoryFinder.java:350)
		at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
		at java.xml/javax.xml.stream.FactoryFinder.findServiceProvider(FactoryFinder.java:339)
		at java.xml/javax.xml.stream.FactoryFinder.find(FactoryFinder.java:310)
		at java.xml/javax.xml.stream.XMLInputFactory.newFactory(XMLInputFactory.java:288)
		at com.fasterxml.jackson.dataformat.xml.util.StaxUtil.defaultInputFactory(StaxUtil.java:144)
		at com.fasterxml.jackson.dataformat.xml.XmlFactory.<init>(XmlFactory.java:123)
		at com.fasterxml.jackson.dataformat.xml.XmlFactory.<init>(XmlFactory.java:110)
		at com.fasterxml.jackson.dataformat.xml.XmlFactory.<init>(XmlFactory.java:103)
		at com.fasterxml.jackson.dataformat.xml.XmlFactory.<init>(XmlFactory.java:87)
		at com.fasterxml.jackson.dataformat.xml.XmlMapper.<init>(XmlMapper.java:135)
		at com.fasterxml.jackson.dataformat.xml.XmlMapper.builder(XmlMapper.java:226)
		at com.azure.core.implementation.jackson.XmlMapperFactory.createXmlMapper(XmlMapperFactory.java:62)
		at com.azure.core.implementation.jackson.ObjectMapperFactory.createXmlMapper(ObjectMapperFactory.java:43)
		at com.azure.core.implementation.jackson.ObjectMapperShim.createXmlMapper(ObjectMapperShim.java:79)
		at com.azure.core.util.serializer.JacksonAdapter$GlobalXmlMapper.<clinit>(JacksonAdapter.java:40)
		at com.azure.core.util.serializer.JacksonAdapter.getXmlMapper(JacksonAdapter.java:306)
		at com.azure.core.util.serializer.JacksonAdapter.lambda$deserialize$8(JacksonAdapter.java:276)
		at com.azure.core.util.serializer.JacksonAdapter.useAccessHelper(JacksonAdapter.java:327)
		at com.azure.core.util.serializer.JacksonAdapter.deserialize(JacksonAdapter.java:275)
		at com.azure.core.implementation.serializer.HttpResponseBodyDecoder.deserialize(HttpResponseBodyDecoder.java:159)
		at com.azure.core.implementation.serializer.HttpResponseBodyDecoder.deserializeBody(HttpResponseBodyDecoder.java:132)
		at com.azure.core.implementation.serializer.HttpResponseBodyDecoder.decodeByteArray(HttpResponseBodyDecoder.java:56)
		at com.azure.core.implementation.serializer.HttpResponseDecoder$HttpDecodedResponse.getDecodedBody(HttpResponseDecoder.java:93)
		at com.azure.core.implementation.http.rest.AsyncRestProxy.lambda$ensureExpectedStatus$1(AsyncRestProxy.java:116)
		at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.onNext(FluxMapFuseable.java:113)

And this is the other one:

java.lang.Exception: Disallowed blocking call: java.io.RandomAccessFile#readBytes
        [...]
	at reactor.blockhound.BlockHound$Builder.lambda$install$8(BlockHound.java:472)
	at reactor.blockhound.BlockHoundRuntime.checkBlocking(BlockHoundRuntime.java:89)
	at java.base/java.io.RandomAccessFile.readBytes(RandomAccessFile.java)
	at java.base/java.io.RandomAccessFile.read(RandomAccessFile.java:405)
	at java.base/java.util.zip.ZipFile$Source.readAt(ZipFile.java:1361)
	at java.base/java.util.zip.ZipFile$ZipFileInputStream.read(ZipFile.java:941)
	at java.base/java.util.zip.ZipFile$ZipFileInflaterInputStream.fill(ZipFile.java:448)
	at java.base/java.util.zip.InflaterInputStream.read(InflaterInputStream.java:158)
	at java.base/java.io.InputStream.readNBytes(InputStream.java:506)
	at java.base/java.util.jar.JarFile.getBytes(JarFile.java:812)
	at java.base/java.util.jar.JarFile.checkForSpecialAttributes(JarFile.java:1002)
	at java.base/java.util.jar.JarFile.isMultiRelease(JarFile.java:389)
	at java.base/java.util.jar.JarFile.getEntry(JarFile.java:511)
	at java.base/sun.net.www.protocol.jar.URLJarFile.getEntry(URLJarFile.java:131)
	at java.base/sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:135)
	at java.base/sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:175)
	at java.base/java.net.URL.openStream(URL.java:1161)
	at io.netty.util.internal.NativeLibraryLoader.load(NativeLibraryLoader.java:197)
	at io.netty.resolver.dns.macos.MacOSDnsServerAddressStreamProvider.loadNativeLibrary(MacOSDnsServerAddressStreamProvider.java:92)
	at io.netty.resolver.dns.macos.MacOSDnsServerAddressStreamProvider.<clinit>(MacOSDnsServerAddressStreamProvider.java:77)
	at java.base/java.lang.Class.forName0(Native Method)
	at java.base/java.lang.Class.forName(Class.java:467)
	at io.netty.resolver.dns.DnsServerAddressStreamProviders$1.run(DnsServerAddressStreamProviders.java:50)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
	at io.netty.resolver.dns.DnsServerAddressStreamProviders.<clinit>(DnsServerAddressStreamProviders.java:46)
	at io.netty.resolver.dns.DnsNameResolverBuilder.<init>(DnsNameResolverBuilder.java:61)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mschmnet