BlockHound icon indicating copy to clipboard operation
BlockHound copied to clipboard

Published 20 hours ago verified publisher icon reactor

Candidates to be included as default allowances

Open mschmnet opened this issue 1 year ago • 0 comments

Motivation

After integrating BlockHound in a project, we've got these two detections (among others). They look like good candidates to be included in the BlockHound#allowances:

  • io.netty.util.internal.NativeLibraryLoader#load: This looks like a similar case as ClassLoader#class
  • java.util.ServiceLoader$LazyClassPathLookupIterator#hasNext

Desired solution

In case these are considered safe methods to be whitelisted, they could be included in the default list of BlockHound#allowances as they look like potentially common detections.

Considered alternatives

Not including them if assumption is not correct, or they don't seem to be common.

Additional context

One of them is detected when using BlobServiceAsyncClient (Azure):

	Suppressed: reactor.blockhound.BlockingOperationError: Blocking call! java.io.RandomAccessFile#readBytes
		at java.base/java.io.RandomAccessFile.readBytes(RandomAccessFile.java)
		at java.base/java.io.RandomAccessFile.read(RandomAccessFile.java:405)
		at java.base/java.io.RandomAccessFile.readFully(RandomAccessFile.java:469)
		at java.base/java.util.zip.ZipFile$Source.readFullyAt(ZipFile.java:1348)
		at java.base/java.util.zip.ZipFile$ZipFileInputStream.initDataOffset(ZipFile.java:915)
		at java.base/java.util.zip.ZipFile$ZipFileInputStream.read(ZipFile.java:931)
		at java.base/java.util.zip.ZipFile$ZipFileInflaterInputStream.fill(ZipFile.java:448)
		at java.base/java.util.zip.InflaterInputStream.read(InflaterInputStream.java:158)
		at java.base/java.io.InputStream.readNBytes(InputStream.java:506)
		at java.base/java.util.jar.JarFile.getBytes(JarFile.java:812)
		at java.base/java.util.jar.JarFile.checkForSpecialAttributes(JarFile.java:1002)
		at java.base/java.util.jar.JarFile.isMultiRelease(JarFile.java:389)
		at java.base/java.util.jar.JarFile.getEntry(JarFile.java:511)
		at java.base/sun.net.www.protocol.jar.URLJarFile.getEntry(URLJarFile.java:131)
		at java.base/sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:135)
		at java.base/sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:175)
		at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.parse(ServiceLoader.java:1172)
		at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.nextProviderClass(ServiceLoader.java:1213)
		at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNextService(ServiceLoader.java:1228)
		at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNext(ServiceLoader.java:1273)
		at java.base/java.util.ServiceLoader$2.hasNext(ServiceLoader.java:1309)
		at java.base/java.util.ServiceLoader$3.hasNext(ServiceLoader.java:1393)
		at java.xml/javax.xml.stream.FactoryFinder$1.run(FactoryFinder.java:350)
		at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
		at java.xml/javax.xml.stream.FactoryFinder.findServiceProvider(FactoryFinder.java:339)
		at java.xml/javax.xml.stream.FactoryFinder.find(FactoryFinder.java:310)
		at java.xml/javax.xml.stream.XMLInputFactory.newFactory(XMLInputFactory.java:288)
		at com.fasterxml.jackson.dataformat.xml.util.StaxUtil.defaultInputFactory(StaxUtil.java:144)
		at com.fasterxml.jackson.dataformat.xml.XmlFactory.<init>(XmlFactory.java:123)
		at com.fasterxml.jackson.dataformat.xml.XmlFactory.<init>(XmlFactory.java:110)
		at com.fasterxml.jackson.dataformat.xml.XmlFactory.<init>(XmlFactory.java:103)
		at com.fasterxml.jackson.dataformat.xml.XmlFactory.<init>(XmlFactory.java:87)
		at com.fasterxml.jackson.dataformat.xml.XmlMapper.<init>(XmlMapper.java:135)
		at com.fasterxml.jackson.dataformat.xml.XmlMapper.builder(XmlMapper.java:226)
		at com.azure.core.implementation.jackson.XmlMapperFactory.createXmlMapper(XmlMapperFactory.java:62)
		at com.azure.core.implementation.jackson.ObjectMapperFactory.createXmlMapper(ObjectMapperFactory.java:43)
		at com.azure.core.implementation.jackson.ObjectMapperShim.createXmlMapper(ObjectMapperShim.java:79)
		at com.azure.core.util.serializer.JacksonAdapter$GlobalXmlMapper.<clinit>(JacksonAdapter.java:40)
		at com.azure.core.util.serializer.JacksonAdapter.getXmlMapper(JacksonAdapter.java:306)
		at com.azure.core.util.serializer.JacksonAdapter.lambda$deserialize$8(JacksonAdapter.java:276)
		at com.azure.core.util.serializer.JacksonAdapter.useAccessHelper(JacksonAdapter.java:327)
		at com.azure.core.util.serializer.JacksonAdapter.deserialize(JacksonAdapter.java:275)
		at com.azure.core.implementation.serializer.HttpResponseBodyDecoder.deserialize(HttpResponseBodyDecoder.java:159)
		at com.azure.core.implementation.serializer.HttpResponseBodyDecoder.deserializeBody(HttpResponseBodyDecoder.java:132)
		at com.azure.core.implementation.serializer.HttpResponseBodyDecoder.decodeByteArray(HttpResponseBodyDecoder.java:56)
		at com.azure.core.implementation.serializer.HttpResponseDecoder$HttpDecodedResponse.getDecodedBody(HttpResponseDecoder.java:93)
		at com.azure.core.implementation.http.rest.AsyncRestProxy.lambda$ensureExpectedStatus$1(AsyncRestProxy.java:116)
		at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.onNext(FluxMapFuseable.java:113)

And this is the other one:

java.lang.Exception: Disallowed blocking call: java.io.RandomAccessFile#readBytes
        [...]
	at reactor.blockhound.BlockHound$Builder.lambda$install$8(BlockHound.java:472)
	at reactor.blockhound.BlockHoundRuntime.checkBlocking(BlockHoundRuntime.java:89)
	at java.base/java.io.RandomAccessFile.readBytes(RandomAccessFile.java)
	at java.base/java.io.RandomAccessFile.read(RandomAccessFile.java:405)
	at java.base/java.util.zip.ZipFile$Source.readAt(ZipFile.java:1361)
	at java.base/java.util.zip.ZipFile$ZipFileInputStream.read(ZipFile.java:941)
	at java.base/java.util.zip.ZipFile$ZipFileInflaterInputStream.fill(ZipFile.java:448)
	at java.base/java.util.zip.InflaterInputStream.read(InflaterInputStream.java:158)
	at java.base/java.io.InputStream.readNBytes(InputStream.java:506)
	at java.base/java.util.jar.JarFile.getBytes(JarFile.java:812)
	at java.base/java.util.jar.JarFile.checkForSpecialAttributes(JarFile.java:1002)
	at java.base/java.util.jar.JarFile.isMultiRelease(JarFile.java:389)
	at java.base/java.util.jar.JarFile.getEntry(JarFile.java:511)
	at java.base/sun.net.www.protocol.jar.URLJarFile.getEntry(URLJarFile.java:131)
	at java.base/sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:135)
	at java.base/sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:175)
	at java.base/java.net.URL.openStream(URL.java:1161)
	at io.netty.util.internal.NativeLibraryLoader.load(NativeLibraryLoader.java:197)
	at io.netty.resolver.dns.macos.MacOSDnsServerAddressStreamProvider.loadNativeLibrary(MacOSDnsServerAddressStreamProvider.java:92)
	at io.netty.resolver.dns.macos.MacOSDnsServerAddressStreamProvider.<clinit>(MacOSDnsServerAddressStreamProvider.java:77)
	at java.base/java.lang.Class.forName0(Native Method)
	at java.base/java.lang.Class.forName(Class.java:467)
	at io.netty.resolver.dns.DnsServerAddressStreamProviders$1.run(DnsServerAddressStreamProviders.java:50)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
	at io.netty.resolver.dns.DnsServerAddressStreamProviders.<clinit>(DnsServerAddressStreamProviders.java:46)
	at io.netty.resolver.dns.DnsNameResolverBuilder.<init>(DnsNameResolverBuilder.java:61)

mschmnet avatar Apr 24 '23 16:04 mschmnet