File _service:tar_scm:CVE-2019-10174.patch of Package infinispan

From 5dbb05cfaca01a1a66732b82a0f5ba615ccbd214 Mon Sep 17 00:00:00 2001
From: Dan Berindei <dan@infinispan.org>
Date: Thu, 13 Jun 2019 12:11:52 +0300
Subject: [PATCH] ISPN-9600 ReflectionUtil.invokeAccessibly should not be
 public

(cherry picked from commit 7bdc2822ccf79127a488130239c49a5e944e3ca2)

Conflicts:
	commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java
	commons/src/main/java/org/infinispan/commons/util/SecurityActions.java
	core/src/main/java/org/infinispan/distribution/group/impl/GroupManagerImpl.java
	core/src/main/java/org/infinispan/factories/impl/BasicComponentRegistryImpl.java
	core/src/test/java/org/infinispan/test/TestingUtil.java
---
 .../commons/util/ReflectionUtil.java          | 17 ++++++++++++---
 .../commons/util/SecurityActions.java         | 21 -------------------
 .../distribution/group/GroupManagerImpl.java  | 12 ++++++-----
 .../factories/AbstractComponentRegistry.java  | 16 +++++++-------
 .../infinispan/factories/SecurityActions.java |  8 +++++++
 5 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java b/commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java
index 9b70e1430c6f..49ff83ac4dbe 100644
--- a/commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java
+++ b/commons/src/main/java/org/infinispan/commons/util/ReflectionUtil.java
@@ -6,6 +6,7 @@
 
 import java.lang.annotation.Annotation;
 import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -161,8 +162,19 @@ private static Field findFieldRecursively(Class<?> c, String fieldName) {
     * @param method     method to execute
     * @param parameters parameters
     */
-   public static Object invokeAccessibly(Object instance, Method method, Object[] parameters) {
-      return SecurityActions.invokeAccessibly(instance, method, parameters);
+   public static Object invokeMethod(Object instance, Method method, Object[] parameters) {
+      try {
+         return method.invoke(instance, parameters);
+      } catch (InvocationTargetException e) {
+         Throwable cause = e.getCause() != null ? e.getCause() : e;
+         throw new CacheException("Unable to invoke method " + method + " on object of type " + (instance == null ? "null" : instance
+                 .getClass().getSimpleName()) +
+                 (parameters != null ? " with parameters " + Arrays.asList(parameters) : ""), cause);
+      } catch (Exception e) {
+         throw new CacheException("Unable to invoke method " + method + " on object of type " + (instance == null ? "null" : instance
+                 .getClass().getSimpleName()) +
+                 (parameters != null ? " with parameters " + Arrays.asList(parameters) : ""), e);
+      }
    }
 
    public static Method findGetterForField(Class<?> c, String fieldName) {
@@ -260,7 +272,6 @@ public static Object getValue(Object instance, String fieldName) {
     * @param ann   annotation to search for.  Must be a class-level annotation.
     * @return the annotation instance, or null
     */
-   @SuppressWarnings("unchecked")
    public static <T extends Annotation> T getAnnotation(Class<?> clazz, Class<T> ann) {
       while (true) {
          // first check class
diff --git a/commons/src/main/java/org/infinispan/commons/util/SecurityActions.java b/commons/src/main/java/org/infinispan/commons/util/SecurityActions.java
index 72d721349181..6ca2151e0bae 100644
--- a/commons/src/main/java/org/infinispan/commons/util/SecurityActions.java
+++ b/commons/src/main/java/org/infinispan/commons/util/SecurityActions.java
@@ -1,12 +1,7 @@
 package org.infinispan.commons.util;
 
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
-import java.util.Arrays;
-
-import org.infinispan.commons.CacheException;
 
 /**
  * Privileged actions for the package
@@ -84,22 +79,6 @@ private static <T> T doPrivileged(PrivilegedAction<T> action) {
       }
    }
 
-   static Object invokeAccessibly(Object instance, Method method, Object[] parameters) {
-       return doPrivileged((PrivilegedAction<Object>) () -> {
-          try {
-             method.setAccessible(true);
-             return method.invoke(instance, parameters);
-          } catch (InvocationTargetException e) {
-             Throwable cause = e.getCause() != null ? e.getCause() : e;
-             throw new CacheException("Unable to invoke method " + method + " on object of type " + (instance == null ? "null" : instance.getClass().getSimpleName()) +
-                                            (parameters != null ? " with parameters " + Arrays.asList(parameters) : ""), cause);
-          } catch (Exception e) {
-             throw new CacheException("Unable to invoke method " + method + " on object of type " + (instance == null ? "null" : instance.getClass().getSimpleName()) +
-                   (parameters != null ? " with parameters " + Arrays.asList(parameters) : ""), e);
-          }
-       });
-   }
-
    static ClassLoader[] getClassLoaders(ClassLoader appClassLoader) {
       return doPrivileged((PrivilegedAction<ClassLoader[]>) () -> {
          return new ClassLoader[] { appClassLoader,   // User defined classes
diff --git a/core/src/main/java/org/infinispan/distribution/group/GroupManagerImpl.java b/core/src/main/java/org/infinispan/distribution/group/GroupManagerImpl.java
index 566c8a7746f5..369537aa7319 100644
--- a/core/src/main/java/org/infinispan/distribution/group/GroupManagerImpl.java
+++ b/core/src/main/java/org/infinispan/distribution/group/GroupManagerImpl.java
@@ -1,6 +1,6 @@
 package org.infinispan.distribution.group;
 
-import static org.infinispan.commons.util.ReflectionUtil.invokeAccessibly;
+import static org.infinispan.commons.util.ReflectionUtil.invokeMethod;
 
 import org.infinispan.commons.util.CollectionFactory;
 import org.infinispan.commons.util.ReflectionUtil;
@@ -50,13 +50,15 @@ public GroupMetadataImpl(Method method) {
 
         @Override
         public String getGroup(Object instance) {
-            Object object;
             if (System.getSecurityManager() == null) {
-                object = invokeAccessibly(instance, method, Util.EMPTY_OBJECT_ARRAY);
+                method.setAccessible(true);
             } else {
-                object = AccessController.doPrivileged((PrivilegedAction<Object>) () -> invokeAccessibly(instance, method, Util.EMPTY_OBJECT_ARRAY));
+                AccessController.doPrivileged((PrivilegedAction<List<Method>>) () -> {
+                    method.setAccessible(true);
+                    return null;
+                });
             }
-            return String.class.cast(object);
+            return String.class.cast(invokeMethod(instance, method, Util.EMPTY_OBJECT_ARRAY));
         }
         
     }
diff --git a/core/src/main/java/org/infinispan/factories/AbstractComponentRegistry.java b/core/src/main/java/org/infinispan/factories/AbstractComponentRegistry.java
index 468dd4b266b2..367ae6709343 100644
--- a/core/src/main/java/org/infinispan/factories/AbstractComponentRegistry.java
+++ b/core/src/main/java/org/infinispan/factories/AbstractComponentRegistry.java
@@ -21,7 +21,6 @@
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -35,8 +34,6 @@
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.TimeUnit;
 
-import static org.infinispan.commons.util.ReflectionUtil.invokeAccessibly;
-
 /**
  * A registry where components which have been created are stored.  Components are stored as singletons, registered
  * under a specific name.
@@ -245,11 +242,7 @@ private void invokeInjectionMethod(Object o, ComponentMetadata.InjectMetadata in
             boolean nameIsFQCN = !injectMetadata.isParameterNameSet(i);
             params[i] = getOrCreateComponent(dependencies[i], name, nameIsFQCN);
          }
-         if (System.getSecurityManager() == null) {
-            invokeAccessibly(o, injectMetadata.getMethod(), params);
-         } else {
-            AccessController.doPrivileged((PrivilegedAction<Object>) () -> invokeAccessibly(o, injectMetadata.getMethod(), params));
-         }
+         invokeAccessibly(o, injectMetadata.getMethod(), params);
       }
    }
 
@@ -465,6 +458,13 @@ public void rewire() {
       }
    }
 
+   private static Object invokeAccessibly(Object instance, Method method, Object[] parameters) {
+      return SecurityActions.doPrivileged(() -> {
+         method.setAccessible(true);
+         return ReflectionUtil.invokeMethod(instance, method, parameters);
+      });
+   }
+
    /**
     * Scans each registered component for lifecycle methods, and adds them to the appropriate lists, and then sorts them
     * by priority.
diff --git a/core/src/main/java/org/infinispan/factories/SecurityActions.java b/core/src/main/java/org/infinispan/factories/SecurityActions.java
index 43f12152fe53..9a4ab8f1bc97 100644
--- a/core/src/main/java/org/infinispan/factories/SecurityActions.java
+++ b/core/src/main/java/org/infinispan/factories/SecurityActions.java
@@ -21,6 +21,14 @@
 final class SecurityActions {
    private static final Log log = LogFactory.getLog(SecurityActions.class);
 
+    static <T> T doPrivileged(PrivilegedAction<T> action) {
+      if (System.getSecurityManager() != null) {
+         return AccessController.doPrivileged(action);
+      } else {
+         return action.run();
+      }
+   }
+
    private static Field findFieldRecursively(Class<?> c, String fieldName) {
       Field f = null;
       try {