I am testing using org.antlr:antlr4-runtime:4.9.1 in Hibernate 6.0.0 and I encountered a Java 2 Security issue with ANTLR:
```
Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. The application needs to have permissions added

Permission:
("java.lang.RuntimePermission" "getenv.TURN_OFF_LR_LOOP_ENTRY_BRANCH_OPT")

Stack:
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.TURN_OFF_LR_LOOP_ENTRY_BRANCH_OPT")
java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
java.base/java.security.AccessController.checkPermission(AccessController.java:897)
java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
java.base/java.lang.System.getenv(System.java:999)
org.antlr.v4.runtime.atn.ParserATNSimulator.getSafeEnv(ParserATNSimulator.java:2187)
org.antlr.v4.runtime.atn.ParserATNSimulator.<clinit>(ParserATNSimulator.java:273)
org.hibernate.grammars.hql.HqlParser.<init>(HqlParser.java:264)
org.hibernate.query.hql.internal.HqlParseTreeBuilder$1.<init>(HqlParseTreeBuilder.java:39)
org.hibernate.query.hql.internal.HqlParseTreeBuilder.buildHqlParser(HqlParseTreeBuilder.java:39)
org.hibernate.query.hql.internal.StandardHqlTranslator.parseHql(StandardHqlTranslator.java:106)
org.hibernate.query.hql.internal.StandardHqlTranslator.translate(StandardHqlTranslator.java:77)
org.hibernate.internal.AbstractSharedSessionContract.lambda$createQuery$2(AbstractSharedSessionContract.java:741)
org.hibernate.query.internal.QueryInterpretationCacheStandardImpl.createHqlInterpretation(QueryInterpretationCacheStandardImpl.java:141)
org.hibernate.query.internal.QueryInterpretationCacheStandardImpl.resolveHqlInterpretation(QueryInterpretationCacheStandardImpl.java:128)
org.hibernate.internal.AbstractSharedSessionContract.createQuery(AbstractSharedSessionContract.java:738)
org.hibernate.internal.AbstractSessionImpl.createQuery(AbstractSessionImpl.java:23)
```
I believe the issue is due to an incorrect behavior in accessing environment variables in ParserATNSimulator.getSafeEnv(String):
```java
public static String getSafeEnv(String envName) {
    try {
        return System.getenv(envName);
    }
    catch(SecurityException e) {
        // use the default value
    }
    return null;
}
```
Instead, you should properly use a doPriv using java.security API:
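```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// envName is final so the anonymous class can capture it on pre-Java 8 compilers
public static String getSafeEnv(final String envName) {
    return AccessController.doPrivileged(new PrivilegedAction<String>() {
        @Override
        public String run() {
            return System.getenv(envName);
        }
    });
}
```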
#2069 seems to have also observed this issue, but the fix was not correct. You shouldn't just catch the security issue and do nothing.
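An added example, not part of the original report and not ANTLR's code: a privileged read that also keeps a default-value fallback, because `doPrivileged` only stops the permission check at the calling code's own protection domain and still throws if that domain lacks the permission. The class name `SafeEnv`, the method `getEnvOrDefault` and the `"false"` default are hypothetical.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/** Added illustration; class and method names are hypothetical. */
public final class SafeEnv {
    private SafeEnv() {}

    /**
     * Reads an environment variable inside a privileged block, so the
     * permission check considers this class's protection domain and not the
     * application frames that happened to call into the library.
     * Returns defaultValue when the variable is unset, or when this code's
     * own domain has not been granted getenv.<name>.
     */
    public static String getEnvOrDefault(final String name, final String defaultValue) {
        try {
            String value = AccessController.doPrivileged(new PrivilegedAction<String>() {
                @Override
                public String run() {
                    return System.getenv(name);
                }
            });
            return value != null ? value : defaultValue;
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException. It can still be
            // thrown here: doPrivileged grants nothing by itself, it only
            // limits how far up the call stack the check walks.
            return defaultValue;
        }
    }

    public static void main(String[] args) {
        // Variable name taken from the stack trace in the report.
        String v = getEnvOrDefault("TURN_OFF_LR_LOOP_ENTRY_BRANCH_OPT", "false");
        System.out.println("TURN_OFF_LR_LOOP_ENTRY_BRANCH_OPT=" + v);
    }
}
```

With the read wrapped this way, a policy file only has to grant the `java.lang.RuntimePermission "getenv.TURN_OFF_LR_LOOP_ENTRY_BRANCH_OPT"` permission from the report to the codeBase of the ANTLR runtime jar, not to every application that constructs a parser.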