Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

investigate making more classes final #2515

Open
hgschmie opened this issue Oct 19, 2023 · 1 comment
Open

investigate making more classes final #2515

hgschmie opened this issue Oct 19, 2023 · 1 comment
Labels
help wanted improvement investigation needed

Comments

@hgschmie
Copy link
Contributor

hgschmie commented Oct 19, 2023
edited

spotbugs added https://spotbugs.readthedocs.io/en/stable/bugDescriptions.html#ct-constructor-throw, which is an unlikely attack vector that can be mitigated by making classes final.

With bytecode mocking on the way out anyway and mocking as one of the few use cases to extend some of the base classes, we could investigate making more classes (e.g. Handle) final.
@stevenschlansker
Copy link
Member

Finalizers are deprecated for removal, so I think this attack will become moot soon.
If an attacker can inject code to extend Jdbi, they can already make arbitrary calls to the database through the already-available API, so I don't know that this is really a new vulnerability for us.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted improvement investigation needed
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hgschmie @stevenschlansker