You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@dubbo.apache.org by li...@apache.org on 2019/08/21 07:10:33 UTC
[dubbo] 01/07: security serialization
This is an automated email from the ASF dual-hosted git repository.
liujun pushed a commit to branch cloud-native
in repository https://gitbox.apache.org/repos/asf/dubbo.git
commit 4efee131e79e95498b0d26140a9bc29dbddc8aee
Author: ken.lj <ke...@gmail.com>
AuthorDate: Fri Aug 16 11:12:51 2019 +0800
security serialization
---
.../apache/dubbo/common/utils/SerialDetector.java | 184 +++++++++++++++++++++
1 file changed, 184 insertions(+)
diff --git a/dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerialDetector.java b/dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerialDetector.java
new file mode 100644
index 0000000..a5891f8
--- /dev/null
+++ b/dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerialDetector.java
@@ -0,0 +1,184 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.common.utils;
+
+import org.apache.dubbo.common.logger.Logger;
+import org.apache.dubbo.common.logger.LoggerFactory;
+
+import java.io.ObjectInputStream;
+
+/**
+ *
+ */
+public class SerialDetector extends ObjectInputStream {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(SerialDetector.class);
+
+ private static final Map<String, Configuration> configs = new ConcurrentHashMap<>();
+
+ private final Configuration config;
+ private final boolean profiling;
+
+ /**
+ * SerialKiller constructor, returns instance of ObjectInputStream.
+ *
+ * @param inputStream The original InputStream, used by your service to receive serialized objects
+ * @param configFile The location of the config file (absolute path)
+ * @throws java.io.IOException File I/O exception
+ * @throws IllegalStateException Invalid configuration exception
+ */
+ public SerialKiller(final InputStream inputStream, final String configFile) throws IOException {
+ super(inputStream);
+
+ config = configs.computeIfAbsent(configFile, Configuration::new);
+ profiling = config.isProfiling();
+ }
+
+ @Override
+ protected Class<?> resolveClass(final ObjectStreamClass serialInput) throws IOException, ClassNotFoundException {
+ config.reloadIfNeeded();
+
+ // Enforce SerialKiller's blacklist
+ for (Pattern blackPattern : config.blacklist()) {
+ Matcher blackMatcher = blackPattern.matcher(serialInput.getName());
+
+ if (blackMatcher.find()) {
+ if (profiling) {
+ // Reporting mode
+ LOGGER.info(String.format("Blacklist match: '%s'", serialInput.getName()));
+ } else {
+ // Blocking mode
+ LOGGER.error(String.format("Blocked by blacklist '%s'. Match found for '%s'", new Object[]{blackPattern.pattern(), serialInput.getName()}));
+ throw new InvalidClassException(serialInput.getName(), "Class blocked from deserialization (blacklist)");
+ }
+ }
+ }
+
+ // Enforce SerialKiller's whitelist
+ boolean safeClass = false;
+
+ for (Pattern whitePattern : config.whitelist()) {
+ Matcher whiteMatcher = whitePattern.matcher(serialInput.getName());
+
+ if (whiteMatcher.find()) {
+ safeClass = true;
+
+ if (profiling) {
+ // Reporting mode
+ LOGGER.info(String.format("Whitelist match: '%s'", serialInput.getName()));
+ }
+
+ // We have found a whitelist match, no need to continue
+ break;
+ }
+ }
+
+ if (!safeClass && !profiling) {
+ // Blocking mode
+ LOGGER.error(String.format("Blocked by whitelist. No match found for '%s'", serialInput.getName()));
+ throw new InvalidClassException(serialInput.getName(), "Class blocked from deserialization (non-whitelist)");
+ }
+
+ return super.resolveClass(serialInput);
+ }
+
+ static final class Configuration {
+ private final XMLConfiguration config;
+
+ private PatternList blacklist;
+ private PatternList whitelist;
+
+ Configuration(final String configPath) {
+ try {
+ config = new XMLConfiguration(configPath);
+
+ FileChangedReloadingStrategy reloadStrategy = new FileChangedReloadingStrategy();
+ reloadStrategy.setRefreshDelay(config.getLong("refresh", 6000));
+ config.setReloadingStrategy(reloadStrategy);
+ config.addConfigurationListener(event -> init(config));
+
+ init(config);
+ } catch (ConfigurationException | PatternSyntaxException e) {
+ throw new IllegalStateException("SerialKiller not properly configured: " + e.getMessage(), e);
+ }
+ }
+
+ private void init(final XMLConfiguration config) {
+ blacklist = new PatternList(config.getStringArray("blacklist.regexps.regexp"));
+ whitelist = new PatternList(config.getStringArray("whitelist.regexps.regexp"));
+ }
+
+ void reloadIfNeeded() {
+ // NOTE: Unfortunately, this will invoke synchronized blocks in Commons Configuration
+ config.reload();
+ }
+
+ Iterable<Pattern> blacklist() {
+ return blacklist;
+ }
+
+ Iterable<Pattern> whitelist() {
+ return whitelist;
+ }
+
+ boolean isProfiling() {
+ return config.getBoolean("mode.profiling", false);
+ }
+ }
+
+ static final class PatternList implements Iterable<Pattern> {
+ private final Pattern[] patterns;
+
+ PatternList(final String... regExps) {
+
+ requireNonNull(regExps, "regExps");
+
+ this.patterns = new Pattern[regExps.length];
+ for (int i = 0; i < regExps.length; i++) {
+ patterns[i] = Pattern.compile(regExps[i]);
+ }
+ }
+
+ @Override
+ public Iterator<Pattern> iterator() {
+ return new Iterator<Pattern>() {
+ int index = 0;
+
+ @Override
+ public boolean hasNext() {
+ return index < patterns.length;
+ }
+
+ @Override
+ public Pattern next() {
+ return patterns[index++];
+ }
+
+ @Override
+ public void remove() {
+ throw new UnsupportedOperationException("remove");
+ }
+ };
+ }
+
+ @Override
+ public String toString() {
+ return Arrays.toString(patterns);
+ }
+
+ }
+}
\ No newline at end of file