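package charite.christo;

import java.io.File;
import java.io.IOException;

/**
 * All insecure operations, such as file modification or running native code, are channeled
 * through this class. This class contains all security checks.
 *
 * <p>Security posture, as implemented below:
 * <ul>
 *   <li>{@link #ALL_ALLOWED} is compiled in as {@code true}, so class loading and process
 *       execution are never refused by this class.</li>
 *   <li>File-modification checks are <b>off by default</b>: {@link #canModify(File)} returns
 *       {@code true} for every non-null file until
 *       {@link #setFileModificationControl(boolean) setFileModificationControl(true)} is
 *       called.</li>
 *   <li>The check and the file operation are two separate steps on a path name; the check is
 *       not atomic with the operation.</li>
 * </ul>
 *
 * @author Christoph Gille
 */
public class Insecure {

    /** Master switch; every {@code *_ALLOWED} constant below is derived from it. */
    private static final boolean ALL_ALLOWED = true;

    public static final boolean
        CLASSLOADING_ALLOWED = ALL_ALLOWED,
        EXEC_ALLOWED = ALL_ALLOWED,
        ARBITRARY_WORKING_DIRECTORY_ALLOWED = ALL_ALLOWED,
        UNCONTROLLED_FILE_MODIFICATION_ALLOWED = ALL_ALLOWED;

    public static final String
        TEXMF_DOT_CONF = "/usr/share/texmf/web2c/texmf.cnf",
        DIR_DesktopUtils = "/strap_utils/",
        DIR_STRAP_ALIGN = "StrapAlign/",
        DIR_METANNOGEN = "/metannogen/";

    /* --------------------------------------- */
    /* >>> Is file modification allowed ? >>> */

    /** Prefix of every diagnostic this class prints (ANSI-highlighted "Error"). */
    private static final String ERROR =
        "\u001B[45mError\u001B[0m in charite.christo.Insecure.java: ";

    /**
     * Path fragments that make a file modifiable, each in '/' and '\\' spelling.
     *
     * NOTE(review): these are matched with indexOf anywhere in the canonical path, not anchored
     * to a directory boundary or to an installation root. Any path that merely contains one of
     * these fragments passes. Anchoring them would change which files existing callers may
     * write, so it is flagged here rather than changed.
     */
    private static final String[] ALLOWED_SUBSTRING = {
        TEXMF_DOT_CONF, TEXMF_DOT_CONF.replace('/', '\\'),
        DIR_DesktopUtils, DIR_DesktopUtils.replace('/', '\\'),
        DIR_STRAP_ALIGN, DIR_STRAP_ALIGN.replace('/', '\\'),
        DIR_METANNOGEN, DIR_METANNOGEN.replace('/', '\\'),
        "StrapAlign.ini",
        "/christo/java/"
    };

    /** Canonical form of the directory set by {@link #securitySetAllowedPath(File)}, or null. */
    private static String allowedPath;

    /** When false (the default), {@link #canModify(File)} allows every non-null file. */
    private static boolean securityEnabled;

    /**
     * Returns the path on which the checks operate.
     *
     * @param f file to resolve, may be null
     * @return the canonical path; the absolute path if canonicalization fails; null for null
     */
    private static String getPath(File f) {
        if (f == null) {
            return null;
        }
        try {
            return f.getCanonicalPath();
        } catch (IOException ignored) {
            // NOTE(review): the fallback is not canonical, so ".." segments and links are not
            // resolved in it and the checks in canModify are weaker on this path. Consider
            // denying instead of falling back.
            return f.getAbsolutePath();
        }
    }

    /**
     * Tells whether {@code path} is the allowed directory itself or lies below it.
     *
     * <p>A plain {@code startsWith(allowedPath)} also accepts sibling names that merely share
     * the prefix (allowed "/data/work" would accept "/data/work_other/x"), so the comparison is
     * made against the directory name followed by a separator.
     */
    private static boolean isInsideAllowedPath(String path) {
        final String base = allowedPath;
        if (base == null) {
            return false;
        }
        if (path.equals(base)) {
            return true;
        }
        final String prefix = base.endsWith(File.separator) ? base : base + File.separator;
        return path.startsWith(prefix);
    }

    /**
     * Decides whether {@code f} may be created, written, renamed or deleted.
     *
     * <p>Order of evaluation: null is refused; everything is allowed while file-modification
     * control is switched off; otherwise the canonical path must lie in the allowed directory,
     * or end in ".jnlp" and contain "strap", or contain one of {@link #ALLOWED_SUBSTRING}.
     * A refusal is printed, and its stack trace is recorded once per path in
     * {@link #VIOLATIONS}.
     *
     * @param f file to check, may be null
     * @return true if modification is permitted
     */
    public static boolean canModify(File f) {
        if (f == null) {
            return false;
        }
        if (UNCONTROLLED_FILE_MODIFICATION_ALLOWED && !securityEnabled) {
            return true;
        }
        final String path = getPath(f);
        if (ARBITRARY_WORKING_DIRECTORY_ALLOWED && isInsideAllowedPath(path)) {
            return true;
        }
        if (path.endsWith(".jnlp") && path.indexOf("strap") >= 0) {
            return true;
        }
        for (String fragment : ALLOWED_SUBSTRING) {
            if (path.indexOf(fragment) >= 0) {
                return true;
            }
        }
        /* Modification not allowed if beyond this point */
        System.out.println(ERROR + "canModify(File) failed for " + path);
        if (VIOLATIONS.get(path) == null) {
            final String trace = stackTrceAsStrg(new IllegalAccessException(path));
            VIOLATIONS.put(path, trace.intern());
            System.out.println(trace);
        }
        return false;
    }

    /**
     * Sets the directory below which files may be modified.
     *
     * <p>A null argument, or a path that exists but is not a directory, is reported and trips
     * an assertion. With assertions disabled the allowed directory is cleared in that case
     * (fail closed) instead of being set to a regular file's path.
     *
     * @param dir the directory to allow
     */
    public static void securitySetAllowedPath(File dir) {
        if (!ARBITRARY_WORKING_DIRECTORY_ALLOWED) {
            return;
        }
        if (dir == null || (dir.exists() && !dir.isDirectory())) {
            System.out.println("dir=" + dir);
            assert false;
            allowedPath = null;
            return;
        }
        allowedPath = getPath(dir);
    }

    /**
     * Switches the checks in {@link #canModify(File)} on or off.
     *
     * NOTE(review): this is public and unguarded; any code that can call it with false turns
     * every file-modification check off.
     *
     * @param b true to enforce the checks
     */
    public static void setFileModificationControl(boolean b) {
        securityEnabled = b;
    }

    /* <<< Is file modification allowed ? <<< */
    /* ---------------------------------------- */
    /* >>> Report Violations >>> */

    /**
     * Refused paths mapped to the stack trace of the first refusal.
     *
     * NOTE(review): public, mutable and unsynchronized, and it grows by one entry per distinct
     * refused path. Treat it as diagnostic output only.
     */
    public static final java.util.HashMap VIOLATIONS = new java.util.HashMap();

    /**
     * Renders a stack trace as text.
     *
     * @param t the throwable; null yields the trace of the current call
     * @return the printed stack trace
     */
    public static String stackTrceAsStrg(Throwable t) {
        final Throwable shown = t == null ? new Throwable() : t;
        // A character writer avoids the encode/decode round trip through the platform charset.
        final java.io.StringWriter text = new java.io.StringWriter();
        final java.io.PrintWriter out = new java.io.PrintWriter(text);
        shown.printStackTrace(out);
        out.flush();
        return text.toString();
    }

    /**
     * Reports through {@code ChUtils.error} that an operation is disabled in STRAPlite.
     *
     * @param what 'X' for execution of native code; any other value adds no lead-in
     * @param pfx text placed in front of the standard message
     */
    public static void tellNoPermission(char what, String pfx) {
        final String lead = what == 'X' ? "Execution of native code " : "";
        // NOTE(review): the listing this was taken from shows raw line breaks inside these
        // literals, possibly markup lost in rendering; confirm against the repository copy.
        // They are written as newline escapes here so that the file compiles.
        final String msg =
            " is disabled in STRAPlite.\n\n"
            + "You can open STRAP with full functionality by pressing the Web-start button on the STRAP-home-page:\n"
            + ChConstants.URL_STRAP + "\n\n\n\n"
            + "You can exchange proteins between two STRAP views with the mouse using Drag-and-Drop.";
        ChUtils.error(lead + pfx + msg);
    }

    /* >>> Report Violations >>> */
    /* ---------------------------------------- */
    /* >>> Native binaries >>> */

    /**
     * Starts a native process through {@link Runtime#exec(String[], String[], File)}.
     *
     * <p>The command is passed as an argument array and is not validated here; callers are
     * responsible for what they execute.
     *
     * @return the process, or null when {@link #EXEC_ALLOWED} is false (callers must check)
     * @throws IOException if the process cannot be started
     */
    public static Process runtimeExec(String arg[], String[] env, File dir) throws IOException {
        if (!EXEC_ALLOWED) {
            return null;
        }
        return Runtime.getRuntime().exec(arg, env, dir);
    }

    /* <<< Native binaries <<< */
    /* ---------------------------------------- */
    /* >>> File modification >>> */

    /**
     * Renames a file without consulting {@link #canModify(File)}.
     *
     * NOTE(review): this is a public bypass of the file-modification checks. Every call site
     * should be reviewed, and its visibility narrowed if nothing outside the package needs it.
     *
     * @return true if both arguments are non-null and the rename succeeded
     */
    public static boolean renameToIgnoreSecurity(File fSrc, File fDest) {
        if (fSrc == null || fDest == null) {
            return false;
        }
        return fSrc.renameTo(fDest);
    }

    /** Renames {@code src} to {@code dest} if both pass {@link #canModify(File)}. */
    static boolean renameFile(File src, File dest) {
        if (!canModify(src) || !canModify(dest)) {
            return false;
        }
        return src.renameTo(dest);
    }

    /** Deletes {@code f} if it passes {@link #canModify(File)}. */
    static boolean delFile(File f) {
        if (!canModify(f)) {
            return false;
        }
        return f.delete();
    }

    /**
     * Opens an output stream on {@code f}.
     *
     * @return the stream, or null if {@code f} is null
     * @throws IOException if {@link #canModify(File)} refuses the file or it cannot be opened
     */
    static java.io.OutputStream fileOutputStream(File f, boolean append) throws IOException {
        if (f == null) {
            return null;
        }
        if (!canModify(f)) {
            System.out.println(ERROR + "new FileOutputStream failed for " + f);
            throw new IOException("Insecure.java: " + f);
        }
        return new java.io.FileOutputStream(f, append);
    }

    /**
     * Opens a writer on {@code f}; {@code FileWriter(File)} encodes with the platform default
     * charset.
     *
     * @return the writer, or null if {@code f} is null
     * @throws IOException if {@link #canModify(File)} refuses the file or it cannot be opened
     */
    static java.io.Writer fileWriter(File f) throws IOException {
        if (f == null) {
            return null;
        }
        if (!canModify(f)) {
            System.out.println(ERROR + "new FileWriter failed for " + f);
            throw new IOException("Insecure.java: " + f);
        }
        return new java.io.FileWriter(f);
    }

    /**
     * Opens {@code f} for random access. The check is applied for every {@code mode},
     * read-only included.
     *
     * @throws IOException if {@link #canModify(File)} refuses the file (null included) or it
     *     cannot be opened
     */
    public static java.io.RandomAccessFile randomAccessFile(File f, String mode)
            throws IOException {
        if (!canModify(f)) {
            // The message used to name FileWriter, which misdirected anyone reading the log.
            System.out.println(ERROR + "new RandomAccessFile failed for " + f);
            throw new IOException("Insecure.java: " + f);
        }
        return new java.io.RandomAccessFile(f, mode);
    }

    /* <<< File modification <<< */
    /* ---------------------------------------- */
    /* >>> Class loading >>> */

    /**
     * Resolves a class by name.
     *
     * <p>While {@link #CLASSLOADING_ALLOWED} is true the lookup is delegated to
     * {@code ChClassLoader.staticFindClass}; the {@code Class.forName} path below is used only
     * when that constant is false. The name is not validated here.
     *
     * @param cn class name, may be null
     * @return the class, or null if {@code cn} is null or the fallback lookup failed
     */
    public static Class findClassByName(final String cn) {
        if (cn == null) {
            return null;
        }
        if (CLASSLOADING_ALLOWED) {
            return ChClassLoader.staticFindClass(cn);
        }
        try {
            return Class.forName(cn);
        } catch (Throwable ex) {
            ChUtils.stckTrc(ex);
            tellNoPermission(' ', "Insecure.java: Class.forName(" + cn + ") failed\n\nMaybe that the requested operation ");
        }
        return null;
    }
}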