Forbid usage of java.lang.ClassLoader.getResourceAsStream (#4381)

* Improve configuration * Forbid usage of java.lang.ClassLoader.getResourceAsStream
detekt · Dec 18, 2021 · aa2bc99 · aa2bc99
1 parent 4e2e8ba
commit aa2bc99
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 9 deletions.
diff --git a/config/detekt/detekt.yml b/config/detekt/detekt.yml
@@ -169,8 +169,9 @@ style:
     methods:
       - 'kotlin.io.print'
       - 'kotlin.io.println'
-      - 'java.net.URL.openStream()'
-      - 'java.lang.Class.getResourceAsStream()'
+      - 'java.net.URL.openStream'
+      - 'java.lang.Class.getResourceAsStream'
+      - 'java.lang.ClassLoader.getResourceAsStream'
   ForbiddenVoid:
     active: true
   LibraryCodeMustSpecifyReturnType:

diff --git a/detekt-core/src/main/kotlin/io/gitlab/arturbosch/detekt/core/config/ValidateConfig.kt b/detekt-core/src/main/kotlin/io/gitlab/arturbosch/detekt/core/config/ValidateConfig.kt
@@ -1,5 +1,6 @@
 package io.gitlab.arturbosch.detekt.core.config
 
+import io.github.detekt.utils.openSafeStream
 import io.gitlab.arturbosch.detekt.api.Config
 import io.gitlab.arturbosch.detekt.api.Notification
 import io.gitlab.arturbosch.detekt.api.internal.CommaSeparatedPattern
@@ -67,13 +68,16 @@ internal fun validateConfig(
     val notifications = mutableListOf<Notification>()
 
     fun getDeprecatedProperties(): List<Pair<Regex, String>> {
-        return settings.javaClass.classLoader.getResourceAsStream("deprecation.properties")!!.use { inputStream ->
-            val prop = Properties().apply { load(inputStream) }
-
-            prop.entries.map { entry ->
-                (entry.key as String).toRegex() to (entry.value as String)
+        return settings.javaClass.classLoader
+            .getResource("deprecation.properties")!!
+            .openSafeStream()
+            .use { inputStream ->
+                val prop = Properties().apply { load(inputStream) }
+
+                prop.entries.map { entry ->
+                    (entry.key as String).toRegex() to (entry.value as String)
+                }
             }
-        }
     }
 
     fun testKeys(current: Map<String, Any>, base: Map<String, Any>, parentPath: String?) {

diff --git a/detekt-gradle-plugin/build.gradle.kts b/detekt-gradle-plugin/build.gradle.kts
@@ -61,6 +61,7 @@ configurations.compileOnly { extendsFrom(pluginCompileOnly) }
 dependencies {
     compileOnly(libs.kotlin.gradlePluginApi)
     implementation(libs.sarif4k)
+    implementation(projects.detektUtils)
 
     pluginCompileOnly(libs.android.gradle)
     pluginCompileOnly(libs.kotlin.gradle)

diff --git a/detekt-gradle-plugin/src/main/kotlin/io/gitlab/arturbosch/detekt/DetektPlugin.kt b/detekt-gradle-plugin/src/main/kotlin/io/gitlab/arturbosch/detekt/DetektPlugin.kt
@@ -1,5 +1,6 @@
 package io.gitlab.arturbosch.detekt
 
+import io.github.detekt.utils.openSafeStream
 import io.gitlab.arturbosch.detekt.extensions.DetektExtension
 import io.gitlab.arturbosch.detekt.internal.DetektAndroid
 import io.gitlab.arturbosch.detekt.internal.DetektJvm
@@ -120,6 +121,6 @@ const val CONFIGURATION_DETEKT = "detekt"
 const val CONFIGURATION_DETEKT_PLUGINS = "detektPlugins"
 
 internal fun loadDetektVersion(classLoader: ClassLoader): String = Properties().run {
-    load(classLoader.getResourceAsStream("versions.properties")!!)
+    load(classLoader.getResource("versions.properties")!!.openSafeStream())
     getProperty("detektVersion")
 }
diff --git a/detekt-utils/src/main/kotlin/io/github/detekt/utils/Resources.kt b/detekt-utils/src/main/kotlin/io/github/detekt/utils/Resources.kt
@@ -19,3 +19,7 @@ fun URL.openSafeStream(): InputStream {
 fun <T> Class<T>.getSafeResourceAsStream(name: String): InputStream? {
     return getResource(name)?.openSafeStream()
 }
+
+fun ClassLoader.getSafeResourceAsStream(name: String): InputStream? {
+    return getResource(name)?.openSafeStream()
+}