Java validation
The CIS engine performs an allowlist check on all path elements that are passed to it as Java Classpath when starting an embedded JVM for Java Driver and Java UPoC. On the server, the CIS engine composes a JVM Classpath with these elements:
- User-assigned classpath elements from Java Driver configuration. This is the CLASSPATH property in pni files.
- All jar files directly under HCIROOT/lib/java.
- All jar files directly under HCIROOT/java_uccs.
- All jar files directly under HCISITEDIR/java_uccs.
- All elements in the environment variable CLASSPATH in the terminal context where an engine process starts. This includes at least:
  - HCIROOT/clgui/lib/cljava.jar.
  - HCIROOT/python/jep/jep-*.jar.
  - All classes under HCIROOT/java_uccs.
  - All classes under MASTERSITEDIR/java_uccs.
  - All classes under HCISITEDIR/java_uccs.
  - All classes under JVM working directory, which is the startdir in the pni file if set or HCISITEDIR/exec/processes/PROCESS_NAME.
All existing paths from this list are verified by comparing their SHA digest to the one saved in the Java allowlist. In most cases, element paths are resolved to absolute paths by the engine.
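To pre-check a site before an engine start, the composition and digest comparison described above can be reproduced offline. The following is an added example, not Cloverleaf code or the engine's implementation. It assumes SHA-256 (the page only says "SHA"), an allowlist held as a path-to-hex-digest mapping, and that class directories are checked file by file; the function names are hypothetical.

```python
import glob
import hashlib
import os


def sha256_file(path):
    """Stream a file through SHA-256 (assumed digest; the page only says "SHA")."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compose_classpath(hciroot, sitedir, pni_classpath, env_classpath, workdir):
    """Return absolute, de-duplicated candidate paths in the order the page lists them."""
    elements = [e for e in pni_classpath.split(os.pathsep) if e]
    for jar_dir in (os.path.join(hciroot, "lib", "java"),
                    os.path.join(hciroot, "java_uccs"),
                    os.path.join(sitedir, "java_uccs")):
        # "directly under": no recursion into subdirectories
        elements += sorted(glob.glob(os.path.join(jar_dir, "*.jar")))
    elements += [e for e in env_classpath.split(os.pathsep) if e]
    resolved = []
    for element in elements:
        path = os.path.normpath(os.path.join(workdir, element))  # relative -> absolute
        if path not in resolved:
            resolved.append(path)
    return resolved


def audit(paths, allowlist):
    """Map each existing file to 'ok', 'mismatch' or 'not-listed'."""
    report = {}
    for path in paths:
        if os.path.isdir(path):
            # Assumption: a class directory is checked file by file.
            files = sorted(glob.glob(os.path.join(path, "**", "*.class"), recursive=True))
        else:
            files = [path] if os.path.isfile(path) else []  # missing paths are skipped
        for name in files:
            expected = allowlist.get(name)
            if expected is None:
                report[name] = "not-listed"
            else:
                report[name] = "ok" if sha256_file(name) == expected else "mismatch"
    return report
```

Any "mismatch" or "not-listed" entry marks a classpath element whose content differs from, or was never recorded in, the allowlist used for the comparison.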