Skip to content

Prevent reflective invocation of private methods in web dispatcher #35352

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

Prevent reflective invocation of private methods in web dispatcher #35352

wants to merge 15 commits into from
+306 −1

Conversation

YongGoose
Copy link

fixes #30938

@YongGoose YongGoose mentioned this pull request Aug 20, 2025
Closed
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Aug 20, 2025
rstoyanchev
rstoyanchev requested changes Oct 1, 2025
View reviewed changes
Copy link
Contributor

@rstoyanchev rstoyanchev left a comment
edited by sbrannen
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couldn't this be checked in RequestMappingHandlerMapping when request mappings are being initialized?

It would avoid repeating that on every call.

@rstoyanchev rstoyanchev added the in: web Issues in web modules (web, webmvc, webflux, websocket) label Oct 1, 2025
sbrannen
sbrannen requested changes Oct 3, 2025
View reviewed changes
Copy link
Member

@sbrannen sbrannen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I requested a few changes.

Please also take Rossen's comment into account.

@sbrannen sbrannen added the status: waiting-for-feedback We need additional information before we can continue label Oct 3, 2025
@YongGoose
Copy link
Author

I'm currently traveling, so I should be able to work on it around Wednesday or Thursday this week.
@rstoyanchev @sbrannen Thank you both so much for the great reviews! 🙇🏻‍♂️

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Oct 6, 2025
@YongGoose
Apply code review
72ff98a 
Signed-off-by: yongjunhong <[email protected]>
@YongGoose
Revert changes
549acc0 
Signed-off-by: yongjunhong <[email protected]>
@YongGoose
Create test code
6819d95 
Signed-off-by: yongjunhong <[email protected]>
@YongGoose
Copy link
Author

Couldn't this be checked in RequestMappingHandlerMapping when request mappings are being initialized?

It would avoid repeating that on every call.

Please take a look :)

@YongGoose
Copy link
Author

@sbrannen @rstoyanchev

If you have some time, I’d really appreciate it if you could take a look at this PR as well. 🙇🏻‍♂️🙇🏻‍♂️

It’s similar to the this PR, focusing on the access modifiers and proxies!!

sbrannen
sbrannen requested changes Oct 10, 2025
View reviewed changes
Copy link
Member

@sbrannen sbrannen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for making the requested changes. It's looking better. 👍

I've requested a few additional changes in this follow up review.

Also, please make analogous changes to org.springframework.web.reactive.result.method.annotation.RequestMappingHandlerMapping and org.springframework.web.reactive.result.method.annotation.RequestMappingHandlerMappingTests.

...java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java Outdated
Comment on lines 218 to 219
String methodPackageName = (methodPackage != null) ? methodPackage.getName() : "default package";
String handlerPackageName = (handlerPackage != null) ? handlerPackage.getName() : "default package";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't believe java.lang.Package.getName() can return null on Java 17.

...java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java
Comment on lines 221 to 226
throw new IllegalStateException(
"Package-private method [" + method + "] on CGLIB proxy class [" + declaringClass.getName() +
"] from package [" + methodPackageName + "] cannot be advised when used by handler class [" +
handlerType.getName() + "] from package [" + handlerPackageName + "] because it is effectively private. " +
"Either make the method public/protected or use interface-based JDK proxying instead.");
}
Copy link
Member

@sbrannen sbrannen Oct 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please introduce a test for this.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in dba200f !

...ng-web/src/test/java/org/springframework/web/method/support/InvocableHandlerMethodTests.java
Comment on lines 182 to 183


Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please revert all unnecessary changes to this file.

...java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java
protected @Nullable RequestMappingInfo getMappingForMethod(Method method, Class<?> handlerType) {
int modifiers = method.getModifiers();

if (isCglibProxy(handlerType)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be better if we extract this new CGLIB-proxy validation to a separate helper method in order not to clutter getMappingForMethod().

@sbrannen sbrannen self-assigned this Oct 10, 2025
@sbrannen sbrannen added type: enhancement A general enhancement status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Oct 10, 2025
YongGoose and others added 8 commits October 11, 2025 09:55
@YongGoose @sbrannen
Update spring-webmvc/src/main/java/org/springframework/web/servlet/mv…
e278799 
…c/method/annotation/RequestMappingHandlerMapping.java

Co-authored-by: Sam Brannen <[email protected]>
Signed-off-by: Yongjun Hong <[email protected]>
@YongGoose @sbrannen
Update spring-webmvc/src/test/java/org/springframework/web/servlet/mv…
1ff3e61 
…c/method/annotation/RequestMappingHandlerMappingTests.java

Co-authored-by: Sam Brannen <[email protected]>
Signed-off-by: Yongjun Hong <[email protected]>
@YongGoose @sbrannen
Update spring-webmvc/src/test/java/org/springframework/web/servlet/mv…
2416d27 
…c/method/annotation/RequestMappingHandlerMappingTests.java

Co-authored-by: Sam Brannen <[email protected]>
Signed-off-by: Yongjun Hong <[email protected]>
@YongGoose @sbrannen
Update spring-webmvc/src/test/java/org/springframework/web/servlet/mv…
6b884fc 
…c/method/annotation/RequestMappingHandlerMappingTests.java

Co-authored-by: Sam Brannen <[email protected]>
Signed-off-by: Yongjun Hong <[email protected]>
@YongGoose @sbrannen
Update spring-webmvc/src/test/java/org/springframework/web/servlet/mv…
c6678da 
…c/method/annotation/RequestMappingHandlerMappingTests.java

Co-authored-by: Sam Brannen <[email protected]>
Signed-off-by: Yongjun Hong <[email protected]>
@YongGoose @sbrannen
Update spring-webmvc/src/test/java/org/springframework/web/servlet/mv…
2c5f8fd 
…c/method/annotation/RequestMappingHandlerMappingTests.java

Co-authored-by: Sam Brannen <[email protected]>
Signed-off-by: Yongjun Hong <[email protected]>
@YongGoose
Revert unnecessary changes
6822c7c 
Signed-off-by: yongjunhong <[email protected]>
@YongGoose
Apply code review
52f981e 
Signed-off-by: yongjunhong <[email protected]>
@YongGoose YongGoose requested a review from sbrannen October 11, 2025 12:52
@YongGoose
Remove unused annotation
a2d706c 
Signed-off-by: yongjunhong <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rstoyanchev rstoyanchev Awaiting requested review from rstoyanchev

@sbrannen sbrannen Awaiting requested review from sbrannen

Assignees

@sbrannen sbrannen

Labels

in: web Issues in web modules (web, webmvc, webflux, websocket) status: waiting-for-feedback We need additional information before we can continue status: waiting-for-triage An issue we've not yet triaged or decided on type: enhancement A general enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Invoking private method on a CGLIB proxy should trigger a dedicated exception

4 participants

@YongGoose @sbrannen @rstoyanchev @spring-projects-issues