Printing the CsrfGuard's config leads to java.lang.reflect.InaccessibleObjectException in Java 17 #179

Closed
rzanner opened this issue Feb 14, 2023 · 5 comments
Labels
bug Something isn't working Status: Completed Completed, but not yet released

Comments

@rzanner

rzanner commented Feb 14, 2023

First opened as discussion: in #178

Describe the bug
When using the print feature of the CsrfGuard, either by activating it in csrfguard.properties (org.owasp.csrfguard.Config.Print = true) or in web.xml (set context parameter "Owasp.CsrfGuard.Config.Print" to true), you get the following stacktrace, complaining that the "java.util.regex" package is not accessible via reflection:

java.lang.reflect.InaccessibleObjectException: Unable to make field static final boolean java.util.regex.Pattern.$assertionsDisabled accessible: module java.base does not "opens java.util.regex" to unnamed module @45ed3a9b
	at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:354)
	at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:297)
	at java.base/java.lang.reflect.Field.checkCanSetAccessible(Field.java:178)
	at java.base/java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:130)
	at org.apache.commons.lang3.builder.ReflectionToStringBuilder.appendFieldsIn(ReflectionToStringBuilder.java:645)
	at org.apache.commons.lang3.builder.ReflectionToStringBuilder.toString(ReflectionToStringBuilder.java:840)
	at org.apache.commons.lang3.builder.ReflectionToStringBuilder.toString(ReflectionToStringBuilder.java:313)
	at org.apache.commons.lang3.builder.ReflectionToStringBuilder.toString(ReflectionToStringBuilder.java:166)
	at org.apache.commons.lang3.builder.RecursiveToStringStyle.appendDetail(RecursiveToStringStyle.java:73)
	at org.apache.commons.lang3.builder.ToStringStyle.appendInternal(ToStringStyle.java:579)
	at org.apache.commons.lang3.builder.ToStringStyle.append(ToStringStyle.java:466)
	at org.apache.commons.lang3.builder.ToStringBuilder.append(ToStringBuilder.java:860)
	at org.owasp.csrfguard.util.CsrfGuardPropertiesToStringBuilder.append(CsrfGuardPropertiesToStringBuilder.java:186)
	at org.apache.commons.lang3.builder.ReflectionToStringBuilder.appendFieldsIn(ReflectionToStringBuilder.java:654)
	at org.apache.commons.lang3.builder.ReflectionToStringBuilder.toString(ReflectionToStringBuilder.java:840)
	at org.owasp.csrfguard.util.CsrfGuardPropertiesToStringBuilder.toString(CsrfGuardPropertiesToStringBuilder.java:68)
	at org.owasp.csrfguard.CsrfGuard.toString(CsrfGuard.java:281)
	at java.base/java.lang.String.valueOf(String.java:4218)
	at java.base/java.lang.StringBuilder.append(StringBuilder.java:173)
	at org.owasp.csrfguard.CsrfGuardServletContextListener.printConfigIfConfigured(CsrfGuardServletContextListener.java:131)
	at org.owasp.csrfguard.servlet.JavaScriptServlet.init(JavaScriptServlet.java:155)
	...

Currently the only work-around is to not log the config. :-(

To Reproduce
Steps to reproduce the behavior:

  1. Enable printing the configuration via csrfguard.properties (org.owasp.csrfguard.Config.Print = true)
  2. Start the application
  3. See error

Expected behavior
Normal logging of the app, no stacktrace.

Additional context
I think the field "javascriptRefererPattern" of the org.owasp.csrfguard.config.PropertiesConfigurationProvider needs to be added to the "FIELDS_TO_EXCLUDE" constant array in org.owasp.csrfguard.util.CsrfGuardPropertiesToStringBuilder to prevent at least this error.

Probably other fields of the PropertiesConfigurationProvider are also affected, like "pageTokenSynchronizationTolerance" (java.time.Duration) or "prng" (java.security.SecureRandom).
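An added illustration of the failure described in this report; it is not CSRFGuard or commons-lang code, and not the fix that was later released. It shows a reflective dumper that recurses only into types whose package is open to the calling module and falls back to `toString()` for JDK types such as `Pattern` and `Duration`. The names `SafeConfigDump`, `DemoConfig`, `tokenName` and all values are constructed for the example; it needs Java 9 or later.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.time.Duration;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;
import java.util.regex.Pattern;

public class SafeConfigDump {
    // Constructed stand-in for a configuration object; two field names are taken from the issue.
    static class DemoConfig {
        private final Pattern javascriptRefererPattern = Pattern.compile("^https://example\\.test/.*$");
        private final Duration pageTokenSynchronizationTolerance = Duration.ofSeconds(2);
        private final String tokenName = "DEMO_TOKEN";
    }

    private static final Module SELF = SafeConfigDump.class.getModule();
    // Identity-based set so an object graph with cycles cannot recurse forever.
    private final Set<Object> seen = Collections.newSetFromMap(new IdentityHashMap<>());

    // Recurse only into types whose package is open to this module. java.base does not
    // open java.util.regex or java.time to application code, so those values use toString().
    String render(Object value) {
        if (value == null) return "null";
        Class<?> type = value.getClass();
        if (type.isArray() || !type.getModule().isOpen(type.getPackageName(), SELF)) {
            return String.valueOf(value);
        }
        if (!seen.add(value)) return "<cycle>";
        StringBuilder sb = new StringBuilder(type.getSimpleName()).append('[');
        for (Field f : type.getDeclaredFields()) {
            if (Modifier.isStatic(f.getModifiers()) || f.isSynthetic()) continue;
            sb.append(f.getName()).append('=');
            try {
                // trySetAccessible() returns false where setAccessible(true) would throw
                // InaccessibleObjectException.
                sb.append(f.trySetAccessible() ? render(f.get(value)) : "<inaccessible>");
            } catch (IllegalAccessException e) {
                sb.append("<inaccessible>");
            }
            sb.append(';');
        }
        return sb.append(']').toString();
    }

    public static void main(String[] args) {
        System.out.println(new SafeConfigDump().render(new DemoConfig()));
    }
}
```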

@rzanner
Author

rzanner commented Feb 22, 2023

There's already a bug open for the ReflectionToStringBuilder in commons-lang: https://issues.apache.org/jira/browse/LANG-1685

@forgedhallpass
Member

Thank you for reporting it. Would you be interested to provide a PR with a fix?

@rzanner
Author

rzanner commented Mar 5, 2023

> Thank you for reporting it. Would you be interested to provide a PR with a fix?

Let me check tomorrow - maybe it's easier and more suitable to fix it in commons-lang first... ;-)

forgedhallpass added a commit that referenced this issue Mar 22, 2023
 Printing the CsrfGuard's config leads to java.lang.reflect.InaccessibleObjectException in Java 17 #179
@forgedhallpass forgedhallpass added the bug Something isn't working label Mar 22, 2023
@forgedhallpass
Member

@rzanner I've pushed a quick fix for this issue. Feel free to test it out and let me know if this works for you, then I can create a patch release.

@forgedhallpass forgedhallpass added the Status: Completed Completed, but not yet released label May 16, 2023
forgedhallpass added a commit that referenced this issue Jun 2, 2023
 Printing the CsrfGuard's config leads to java.lang.reflect.InaccessibleObjectException in Java 17 #179
@forgedhallpass
Member

Released under version 4.3.0
