Don’t hack the platform? ☠️💣💥

Jan Ouwens

February 23, 2018

ಠ_ಠ

About me 🤓

Jan Ouwens

jqno

EqualsVerifier


EqualsVerifier.forClass(Foo.class)
              .verify();

About this talk

Happy accidents

About this talk

Evil consequences

Things you shouldn’t mess with RIGHT NOW:

  • Language ‘features’
  • Reflection
  • Annotations
  • External libraries

Ratings

  • ☠️
  • ☠️💣
  • ☠️💣💥

☠️ Language ‘features’

True Lambda

Demo

Demo

Unicode symbols

  • Hard to type
  • Hard to read
  • Rating: ☠️

False is True

Demo

False is True

Scala demo

False is True

Kotlin demo

False is True

Rating: ☠️💣

Unicode converter

Demo

Unicode escapes

  • Harder to type and read
  • Maven says ¯\_(ツ)_/¯
  • Rating: ☠️💣

Emoji

Demo

Emoji

  • Rating: 🎉

Hash-code

Demo

Hash-code

  • Fun when coworkers insist on hashCode as key
  • Rating: ☠️

However…

☠️ Reflection

Introducing: Reflector

Demo

Call of the Void

Demo

Oh man 😒

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by demos.reflection.CallOfTheVoid (file:/Users/jqno/w/personal/dont-hack-the-platform-talk/target/classes/) to constructor java.lang.Void()
WARNING: Please consider reporting this to the maintainers of demos.reflection.CallOfTheVoid
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

--add-opens java.base/java.lang=ALL-UNNAMED

Oh man 😒

[INFO] --- kotlin-maven-plugin:1.2.20:compile (compile) @ dont-hack-the-platform ---
WARNING: An illegal reflective access operation has occurred

Call of the Void

Rating: ☠️

Loopy

Demo

Loopy

Was this hack evil? ✋

Are Calendars and arrays evil? ✋

Are JPA entities evil? 👹

Loopy

Rating: ☠️💣💥

Interning

Demo

Interning

  • Fun way to mess up unit tests!
  • Rating: ☠️💣

dirty_CLASS

Demo

You should probably

  • Call close() on URLClassLoader
  • Report compilation errors with CompilationTask
  • Handle exceptions


¯\_(ツ)_/¯

Multi-release JAR file

EqualsVerifier

@Test
public void equalsverifierSucceeds_whenOneOfTheFieldsIsSynthetic() {
    if (!isJava8Available()) {
        return;
    }

    Class<?> java8ClassWithSyntheticField = compile(JAVA_8_CLASS_WITH_SYNTHETIC_FIELD_NAME, JAVA_8_CLASS_WITH_SYNTHETIC_FIELD);
    EqualsVerifier.forClass(java8ClassWithSyntheticField)
            .verify();
}

private static final String JAVA_8_CLASS_WITH_SYNTHETIC_FIELD_NAME = "Java8ClassWithSyntheticField";
private static final String JAVA_8_CLASS_WITH_SYNTHETIC_FIELD =
        "\nimport java.util.Comparator;" +
        "\nimport java.util.Objects;" +
        "\n" +
        "\npublic final class Java8ClassWithSyntheticField {" +
        "\n    private static final Comparator<Java8ClassWithSyntheticField> COMPARATOR =" +
        "\n            (c1, c2) -> 0;   // A lambda is a synthetic class" +
        "\n" +
        "\n    private final String s;" +
        "\n    " +
        "\n    public Java8ClassWithSyntheticField(String s) {" +
        "\n        this.s = s;" +
        "\n    }" +
        "\n    " +
        "\n    @Override" +
        "\n    public boolean equals(Object obj) {" +
        "\n        if (!(obj instanceof Java8ClassWithSyntheticField)) {" +
        "\n            return false;" +
        "\n        }" +
        "\n        return Objects.equals(s, ((Java8ClassWithSyntheticField)obj).s);" +
        "\n    }" +
        "\n    " +
        "\n    @Override" +
        "\n    public int hashCode() {" +
        "\n        return Objects.hash(s);" +
        "\n    }" +
        "\n}";

JavaCompiler

Rating: ☠️💣💥

☠️ Annotations

Lombok 🌶

use annotations

to trick the Java compiler

into generating bytecode

that does something else

Spring & Hibernate

use annotations

to trick the Java runtime

into generating bytecode

that does something else

Boring

Rating: ☠️

☠️ External libraries

Objenesis

Constructors are tedious

Demo

Constructors are tedious

Rating: ☠️

Singletons

“[An enum] provides an ironclad guarantee against multiple instantiation, even in the face of sophisticated serialization or reflection attacks. […] A single-element enum type is often the best way to implement a singleton”

– Joshua Bloch, Effective Java 3rd Edition

😇

Singletons

Demo

Singletons

Rating: ☠️💣

Confusing card game

Confusing card game

Demo

Confusing card game

Rating: ☠️💣💥

Messing with Scala

Demo

Messing with Scala

Rating: ☠️💣

External libraries

ByteBuddy

&

ByteBuddy Agent

Disclaimer

Use cases for agents

  • there are many
  • they’re legitimate

Time Traveling 🕙🕚

Demo





Idea shamelessly stolen from
/TOPdesk/time-transformer-agent

Time Traveling 🕙🕚

  • Unit testing legacy code
  • Messing up any code
  • Rating: ☠️💣💥

But wait

There’s more

Remote Time Traveling

Demo



mvn clean package

mvn exec:java -DmainClass=demos.libraries.RemoteTimeTraveling -Darg0=target/dont-hack-the-platform-0.1-SNAPSHOT.jar -Darg1=???

Remote Time Traveling

Rating:

😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱

Awareness

Emoji & unicode

  • Checkstyle
  • SonarQube

Reflection and libraries

  • Security manager
  • Modularisation

Security manager

Demo



System.setSecurityManager(new SecurityManager());

Security manager

Modularisation

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by demos.reflection.CallOfTheVoid (file:/Users/jqno/w/personal/dont-hack-the-platform-talk/target/classes/) to constructor java.lang.Void()
WARNING: Please consider reporting this to the maintainers of demos.reflection.CallOfTheVoid
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

--illegal-access=deny

Do try this at home!

Maybe not at work though?

Questions?



slides & code at
/jqno/dont-hack-the-platform-talk

me at
jqno