[jboss-jira] [JBoss JIRA] (WFLY-11717) Illegal reflective access - org.jboss.invocation.proxy.AbstractProxyFactory

Brian Stansberry (Jira) issues at jboss.org
Thu Mar 21 20:42:00 EDT 2019


    [ https://issues.jboss.org/browse/WFLY-11717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13711915#comment-13711915 ] 

Brian Stansberry commented on WFLY-11717:
-----------------------------------------

Notes to self:

AbstractProxyFactory.setupCachedProxyFields() is iterating over 'cachedMethods' and setting the Method to be accessible. So java.lang.Object.clone() is being made accessible, hence the WARN.

The 'cachedMethods' are all methods that have been in 'methodIdentifiers'.

The 'methodIdentifiers' collection is updated only by the 'loadMethodIdentifier' method, which is only called by ProxyMethodBodyCreator.overrideMethod(ClassMethod method, Method superclassMethod).

That is called by the two AbstractSubclassFactory.overrideMethod methods.

The overrideMethod(ClassMethod method, MethodIdentifier identifier, MethodBodyCreator creator) variant passes null as the Method arg, and null != Object.clone() so that path is not relevant.

The overrideMethod(Method method, MethodIdentifier identifier, MethodBodyCreator creator) is used as follows:

{code}
Method
    overrideMethod(Method, MethodIdentifier, MethodBodyCreator)
Found usages  (7 usages found)
    Unclassified usage  (7 usages found)
        Maven: org.jboss.invocation:jboss-invocation:1.5.2.Final  (7 usages found)
            org.jboss.invocation.proxy  (7 usages found)
                AbstractSubclassFactory  (7 usages found)
                    overridePublicMethods(MethodBodyCreator)  (1 usage found)
                        184 overrideMethod(method, identifier, override);
                    overrideAllMethods(MethodBodyCreator)  (1 usage found)
                        224 overrideMethod(method, identifier, override);
                    overrideEquals(MethodBodyCreator)  (1 usage found)
                        254 return overrideMethod(equals, MethodIdentifier.getIdentifierForMethod(equals), creator);
                    overrideHashcode(MethodBodyCreator)  (1 usage found)
                        281 return overrideMethod(hashCode, MethodIdentifier.getIdentifierForMethod(hashCode), creator);
                    overrideToString(MethodBodyCreator)  (1 usage found)
                        307 return overrideMethod(toString, MethodIdentifier.getIdentifierForMethod(toString), creator);
                    overrideFinalize(MethodBodyCreator)  (1 usage found)
                        332 return overrideMethod(finalize, MethodIdentifier.getIdentifierForMethod(finalize), creator);
                    addInterface(MethodBodyCreator, Class<?>)  (1 usage found)
                        385 overrideMethod(method, MethodIdentifier.getIdentifierForMethod(method), override);
{code}

overridePublicMethods won't handle Object.clone() because it is not public.
overrideAllMethods specifically skips processing of Object.class
overrideEquals|Hashcode|ToString|Finalize won't handle Object.clone() because it's not Equals|Hashcode|ToString|Finalize.
addInterface shouldn't be handling Object.clone because Object is not an interface.

It's possible addInterface is involved, since the param there is Class<?> and Object.class fits that. So perhaps some check for an interface is missing. Looking at usage of ProxyConfiguration.addAdditionalInterface() I see DefaultComponentViewConfigurator.configure, but it is doing an isInterface() check. And then there is JBossMessageEndpointFactory which takes final Class<?> messageListenerInterface. Tracing back where that param comes from it goes pretty far but it seems possible the app could set it to Object.class.

And we have.....

{code}
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
public @interface MessageDriven
{
   String name() default "";
   Class messageListenerInterface() default Object.class;
   ActivationConfigProperty[] activationConfig() default {};
   String mappedName() default "";
   String description() default "";
}
{code}

So maybe that's it?

> Illegal reflective access - org.jboss.invocation.proxy.AbstractProxyFactory
> ---------------------------------------------------------------------------
>
>                 Key: WFLY-11717
>                 URL: https://issues.jboss.org/browse/WFLY-11717
>             Project: WildFly
>          Issue Type: Bug
>    Affects Versions: 15.0.1.Final
>            Reporter: Kris-Gerhard Aabrams
>            Assignee: Brian Stansberry
>            Priority: Major
>              Labels: Java11
>
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by org.jboss.invocation.proxy.AbstractProxyFactory$1 (jar:file:/opt/jboss/wildfly/modules/system/layers/base/org/jboss/invocation/main/jboss-invocation-1.5.1.Final.jar!/) to method java.lang.Object.clone()
> WARNING: Please consider reporting this to the maintainers of org.jboss.invocation.proxy.AbstractProxyFactory$1
> WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
> WARNING: All illegal access operations will be denied in a future release



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
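
Added example, not part of the original message and not jboss-invocation code: a Java 9+ illustration of the hypothesis in the comment above, where a type that is not an interface (Object.class, the @MessageDriven default) reaches an "add interface" step and its non-public methods are later made accessible. The class and method names (InterfaceGuardDemo, collect, makeAccessible) are hypothetical, and collecting via getDeclaredMethods() is an assumption about how such a step gathers methods.

```java
import java.lang.reflect.InaccessibleObjectException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class InterfaceGuardDemo {

    // Hypothetical stand-in for an "add interface" step: remember every method
    // the supplied type declares. With requireInterface=false nothing stops a
    // caller from passing Object.class, the @MessageDriven default.
    static List<Method> collect(Class<?> type, boolean requireInterface) {
        List<Method> cached = new ArrayList<>();
        if (requireInterface && !type.isInterface()) {
            return cached; // guard: classes such as Object are rejected
        }
        for (Method m : type.getDeclaredMethods()) {
            cached.add(m);
        }
        return cached;
    }

    // Stand-in for the "set each cached Method accessible" loop. Returns the
    // non-public methods it touched, with what the JVM did for each.
    static List<String> makeAccessible(List<Method> cached) {
        List<String> report = new ArrayList<>();
        for (Method m : cached) {
            if (Modifier.isPublic(m.getModifiers())) {
                continue; // public methods need no special access
            }
            String name = m.getDeclaringClass().getName() + "." + m.getName() + "()";
            try {
                // JDK 9 to 15 permit this by default and log the WARNING quoted
                // in the issue; JDK 16 and later throw instead.
                m.setAccessible(true);
                report.add(name + " made accessible");
            } catch (InaccessibleObjectException e) {
                report.add(name + " denied");
            }
        }
        return report;
    }

    public static void main(String[] args) {
        System.out.println("unguarded Object.class: " + makeAccessible(collect(Object.class, false)));
        System.out.println("guarded Object.class:   " + makeAccessible(collect(Object.class, true)));
        System.out.println("guarded Runnable.class: " + makeAccessible(collect(Runnable.class, true)));
    }
}
```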