3

I'm working on a closed source java app that analyzes JAR files. Since java can be easily decompiled, and obfuscation really isn't a big deal, I want to provide an online service that will execute the app on my server and return it's result much like fernflower here: www.reversed-java.com/fernflower/.

Problem is, I fear that's a recipe for disaster having my app load any potentially harmfull jars on the server, even though i'm never running the jars. All i'm doing is load them using URLClassLoader and JarInputStream.

Can a jar I am loading override classes in my original app in order to execute malicious code, or mess up my program?

What are the risks in dynamically loading jars?

Vivek Kalkur
  • 2,200
  • 2
  • 21
  • 40
YLivay
  • 125
  • 1
  • 8
  • How do you load them? Classes can have static initializers that execute code when the class is loaded in the "normal" way. – Thilo Nov 29 '11 at 07:21
  • `jarLoader = new URLClassLoader(new URL[] { this.jarFile.toURI().toURL() }, Thread.currentThread().getContextClassLoader()); jarLoader.loadClass("Myclass");` – YLivay Nov 29 '11 at 07:24
  • That most likely executes the static initializers for `Myclass`. Put a System.out.println in there and see if it shows up somewhere. Or an infinite loop. – Thilo Nov 29 '11 at 07:27
  • Sounds like an excellent case for a security manager. – Thorbjørn Ravn Andersen Nov 29 '11 at 07:41

1 Answers1

8

What are the risks in dynamically loading jars?

There are no risks of dynamically loading per se. The risks are really the risks of running untrusted code. If you do that without taking the appropriate precautions, you risk having your machine totally compromised.

If you are going to do this kind of thing, at the very least you should run untrusted code in a sandbox that stops it from doing anything potentially harmful. For instance, you need to block reading and writing local files, running external processes, using reflection, accessing system properties, and so on. And you may want to stop it creating threads, creating sockets, and other things that consume system resources.

Finally, you need to consider the case where some untrusted JAR has a method that is an infinite loop. This is a problem that can't be dealt with using security sandboxes. Indeed, the only bomb-proof way to get rid of a looping thread is to exit the JVM and restart it.

Can a jar im loading override classes in my original app in order to execute malicious code, or mess up my program?

I don't think it can easily override your classes, but there are lots of other ways for untrusted code to "mess up" your world; see above. (And if the untrusted code can execute reflective code, then it possibly can override your classes by messing around with the classloader's private data structures.)

Stephen C
  • 698,415
  • 94
  • 811
  • 1,216
  • Thanks for the detailed answer! I'm not running the jars in any way, but is there a way that the loaded jar override my classes? – YLivay Nov 29 '11 at 07:36
  • 2
    If you can **guarantee** that you won't run any static initializers for the code that you load, then you should be safe. – Stephen C Nov 29 '11 at 07:38
  • Thanks again! I'll be looking how to prevent static initializers from running then. – YLivay Nov 29 '11 at 07:41