Check hidden frames in entitlements#127877
Merged
rjernst merged 7 commits intoelastic:mainfrom May 8, 2025
Merged
Conversation
Entitlements do a stack walk to find the calling class. When method refences are used in a lambda, the frame ends up hidden in the stack walk. In the case of using a method reference with AccessController.doPrivileged, the call looks like it is the jdk itself, so the call is trivially allowed. This commit adds hidden frames to the stack walk so that the lambda frame created for the method reference is included. Several internal packages are then necessary to filter out of the stack.
rjernst
added
>bug
auto-backport
Collaborator
|
Pinging @elastic/es-core-infra (Team:Core/Infra) |
Collaborator
|
Hi @rjernst, I've created a changelog YAML for you. |
ldematte
approved these changes
May 8, 2025
Contributor
ldematte
left a comment
ldematte
left a comment
There was a problem hiding this comment.
LGTM as a short term solution; for a long term solution I have other thoughts, but we should discuss this separately.
| public static final Class<?> NO_CLASS = new Object() { | ||
| }.getClass(); | ||
|
|
||
| private static final Set<String> skipInternalPackages = Set.of("java.lang.invoke", "java.lang.reflect", "jdk.internal.reflect"); |
Contributor
There was a problem hiding this comment.
This set leaves me a bit uneasy -- we should at least test this is complete for all JDKs we support
Member
Author
There was a problem hiding this comment.
This will be difficult to do ahead of time without a lot of work. I'm going to leave this up to our jdk matrix tests that are run on main, and will watch that job.
| org.elasticsearch.repository.url: | ||
| - outbound_network | ||
| - files: | ||
| - relative_path: . |
Contributor
There was a problem hiding this comment.
Nit/comment: elsewhere we expressed this as "", but I actually like '.' more
docs/changelog/127877.yaml
Outdated
| @@ -0,0 +1,5 @@ | |||
| pr: 127877 | |||
| summary: Check hidden frames in entitlements | |||
| area: Infra/Entitlements | |||
Contributor
There was a problem hiding this comment.
I think we need to change this to Infra/Core or add Infra/Entitlements to the changelog schema
rjernst
added a commit
to rjernst/elasticsearch
that referenced
this pull request
May 9, 2025
Entitlements do a stack walk to find the calling class. When method refences are used in a lambda, the frame ends up hidden in the stack walk. In the case of using a method reference with AccessController.doPrivileged, the call looks like it is the jdk itself, so the call is trivially allowed. This commit adds hidden frames to the stack walk so that the lambda frame created for the method reference is included. Several internal packages are then necessary to filter out of the stack.
This was referenced May 9, 2025
Collaborator
rjernst
added a commit
to rjernst/elasticsearch
that referenced
this pull request
May 9, 2025
Entitlements do a stack walk to find the calling class. When method refences are used in a lambda, the frame ends up hidden in the stack walk. In the case of using a method reference with AccessController.doPrivileged, the call looks like it is the jdk itself, so the call is trivially allowed. This commit adds hidden frames to the stack walk so that the lambda frame created for the method reference is included. Several internal packages are then necessary to filter out of the stack.
rjernst
added a commit
to rjernst/elasticsearch
that referenced
this pull request
May 9, 2025
Entitlements do a stack walk to find the calling class. When method refences are used in a lambda, the frame ends up hidden in the stack walk. In the case of using a method reference with AccessController.doPrivileged, the call looks like it is the jdk itself, so the call is trivially allowed. This commit adds hidden frames to the stack walk so that the lambda frame created for the method reference is included. Several internal packages are then necessary to filter out of the stack.
elasticsearchmachine
pushed a commit
that referenced
this pull request
May 9, 2025
Entitlements do a stack walk to find the calling class. When method refences are used in a lambda, the frame ends up hidden in the stack walk. In the case of using a method reference with AccessController.doPrivileged, the call looks like it is the jdk itself, so the call is trivially allowed. This commit adds hidden frames to the stack walk so that the lambda frame created for the method reference is included. Several internal packages are then necessary to filter out of the stack.
elasticsearchmachine
pushed a commit
that referenced
this pull request
May 9, 2025
Entitlements do a stack walk to find the calling class. When method refences are used in a lambda, the frame ends up hidden in the stack walk. In the case of using a method reference with AccessController.doPrivileged, the call looks like it is the jdk itself, so the call is trivially allowed. This commit adds hidden frames to the stack walk so that the lambda frame created for the method reference is included. Several internal packages are then necessary to filter out of the stack.
ywangd
pushed a commit
to ywangd/elasticsearch
that referenced
this pull request
May 9, 2025
Entitlements do a stack walk to find the calling class. When method refences are used in a lambda, the frame ends up hidden in the stack walk. In the case of using a method reference with AccessController.doPrivileged, the call looks like it is the jdk itself, so the call is trivially allowed. This commit adds hidden frames to the stack walk so that the lambda frame created for the method reference is included. Several internal packages are then necessary to filter out of the stack.
elasticsearchmachine
pushed a commit
that referenced
this pull request
May 9, 2025
Entitlements do a stack walk to find the calling class. When method refences are used in a lambda, the frame ends up hidden in the stack walk. In the case of using a method reference with AccessController.doPrivileged, the call looks like it is the jdk itself, so the call is trivially allowed. This commit adds hidden frames to the stack walk so that the lambda frame created for the method reference is included. Several internal packages are then necessary to filter out of the stack. Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
jfreden
pushed a commit
to jfreden/elasticsearch
that referenced
this pull request
May 12, 2025
Entitlements do a stack walk to find the calling class. When method refences are used in a lambda, the frame ends up hidden in the stack walk. In the case of using a method reference with AccessController.doPrivileged, the call looks like it is the jdk itself, so the call is trivially allowed. This commit adds hidden frames to the stack walk so that the lambda frame created for the method reference is included. Several internal packages are then necessary to filter out of the stack.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Entitlements do a stack walk to find the calling class. When method refences are used in a lambda, the frame ends up hidden in the stack walk. In the case of using a method reference with AccessController.doPrivileged, the call looks like it is the jdk itself, so the call is trivially allowed. This commit adds hidden frames to the stack walk so that the lambda frame created for the method reference is included. Several internal packages are then necessary to filter out of the stack.