-
-
Notifications
You must be signed in to change notification settings - Fork 347
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
doc: undeprecate method getActualClass #4943
Conversation
The method is quite prone to failure:
Additonally, it executes arbitrary code of the analyzed project in the context of the input classloader. This poses a significant security risk when analyzing code. With the security manager on its way out you are now basically executing arbitrary code within your security context. I am not sure what spoon's security model is (maybe we don't give any guarantees at all), but this is a worthwhile point to think about here. Those are quite some red flags to be aware of IMHO. |
Fully agree, hence the API Javadoc:
I would also add your wrap-up in the Javadoc. WDYT? |
Sounds alright then. It can be useful but you also really need to be careful when using it. As an aside, formulating some kind of "never run spoon on untrusted code" (or can you?) policy might also be an interesting thing. I am not sure in what contexts spoon is mostly used. I had a few where I absolutely did not trust the code I analyzed but I would have sandboxed the whole thing away. |
updated the javadoc |
Moved the interesting conversation about untrusted code in dedicated issue #4945 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That looks a lot better. I would probably expand it to something akin to this. It explicitly specifies a lot of the weird rules spoon follows but clearly marks them as implementation artifacts. We are allowed to break them at any time.
Sorry for being so pedantic here, I really just don't want to debug a bug report involving this method :D
@@ -59,11 +59,10 @@ | |||
|
|||
/** | |||
* | |||
* NEVER USE THIS. | |||
* This is a low-level feature, it should never been used by non advanced users. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe highlight the risk part a bit more. Personally, I started ignoring warnings like low-level feature
, as projects started writing this all over the code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
feel free to Github-suggest or edit directly :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about copying the paragraph from CtTypeReference
? I know duplicates are bad, but we really don't change our Javadoc that often.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm in favor of this, this is the best way to get incorrect documentation with drifting.
Co-authored-by: I-Al-Istannen <I-Al-Istannen@users.noreply.github.com>
@I-Al-Istannen it seems like you had a strong opinion on this PR. What is your current state on this PR? Merging, extra refinements, or strongly against it? |
#4945 (comment) This basically. After spending an hour trying and failing to exploit it, I am fine with this PR and might actually consider lessening the warning I suggested above a bit. You can still get an arbitrary code execution but it seems you actually have to try. |
Thanks, @monperrus and @I-Al-Istannen |
Thanks @MartinWitt @I-Al-Istannen |
getActualClass
was deprecated (I may even be the author of the deprecation).But:
So it is indeed very useful, and we should undeprecate it.