Posted to common-commits@hadoop.apache.org by sn...@apache.org on 2022/05/12 11:42:18 UTC
[hadoop] branch trunk updated: YARN-11126. ZKConfigurationStore Java deserialisation vulnerability. Contributed by Tamas Domok
This is an automated email from the ASF dual-hosted git repository.
snemeth pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new 5e2f4339fad YARN-11126. ZKConfigurationStore Java deserialisation vulnerability. Contributed by Tamas Domok
5e2f4339fad is described below
commit 5e2f4339fadc88f20543915fc9b0aaeaf4f9e7bf
Author: Szilard Nemeth <sn...@apache.org>
AuthorDate: Thu May 12 13:42:06 2022 +0200
YARN-11126. ZKConfigurationStore Java deserialisation vulnerability. Contributed by Tamas Domok
---
.../capacity/conf/ZKConfigurationStore.java | 5 ++--
.../capacity/conf/TestZKConfigurationStore.java | 35 ++++++++++++++++++++++
2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/ZKConfigurationStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/ZKConfigurationStore.java
index 71226c300a8..ad8fb97a7a6 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/ZKConfigurationStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/ZKConfigurationStore.java
@@ -18,6 +18,7 @@
package org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.conf;
+import org.apache.commons.io.serialization.ValidatingObjectInputStream;
import org.apache.hadoop.classification.VisibleForTesting;
import org.apache.zookeeper.KeeperException.NodeExistsException;
import org.slf4j.Logger;
@@ -35,7 +36,6 @@ import org.apache.zookeeper.data.ACL;
import java.io.IOException;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
-import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.LinkedList;
@@ -314,7 +314,8 @@ public class ZKConfigurationStore extends YarnConfigurationStore {
private static Object deserializeObject(byte[] bytes) throws Exception {
try (ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
- ObjectInputStream ois = new ObjectInputStream(bais);) {
+ ValidatingObjectInputStream ois = new ValidatingObjectInputStream(bais);) {
+ ois.accept(LinkedList.class, LogMutation.class, HashMap.class, String.class);
return ois.readObject();
}
}
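Review bot: The allowlist in `ois.accept(LinkedList.class, LogMutation.class, HashMap.class, String.class)` has to name every class that can appear in a stream this method reads, including superclasses in the descriptor chain, because `ValidatingObjectInputStream` checks each class descriptor in `resolveClass` before anything is instantiated. If `serializeObject` in this class is also used for a boxed value such as a `Long` config version (not visible in this hunk), that read would now fail with `InvalidClassException` until `Long.class, Number.class` are accepted as well, so every caller of `serializeObject` should be audited and each value type covered in `TestZKConfigurationStore`. A short comment above the call would keep the next maintainer from loosening it casually, e.g. `// Allowlist only the types this store writes via serializeObject; any other class (superclasses included) is rejected before instantiation.`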
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/TestZKConfigurationStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/TestZKConfigurationStore.java
index 880ba77fa51..155996d11fe 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/TestZKConfigurationStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/TestZKConfigurationStore.java
@@ -42,15 +42,18 @@ import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.conf.Yar
import org.apache.hadoop.yarn.webapp.dao.QueueConfigInfo;
import org.apache.hadoop.yarn.webapp.dao.SchedConfUpdateInfo;
import org.junit.After;
+import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import java.io.File;
import java.io.IOException;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.util.Arrays;
+import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
@@ -67,6 +70,9 @@ public class TestZKConfigurationStore extends
LoggerFactory.getLogger(TestZKConfigurationStore.class);
private static final int ZK_TIMEOUT_MS = 10000;
+ private static final String DESERIALIZATION_VULNERABILITY_FILEPATH =
+ "/tmp/ZK_DESERIALIZATION_VULNERABILITY";
+
private TestingServer curatorTestingServer;
private CuratorFramework curatorFramework;
private ResourceManager rm;
@@ -401,6 +407,35 @@ public class TestZKConfigurationStore extends
rm2.close();
}
+ @Test(timeout = 3000)
+ @SuppressWarnings("checkstyle:linelength")
+ public void testDeserializationIsNotVulnerable() throws Exception {
+ confStore.initialize(conf, schedConf, rmContext);
+ String confStorePath = getZkPath("CONF_STORE");
+
+ File flagFile = new File(DESERIALIZATION_VULNERABILITY_FILEPATH);
+ if (flagFile.exists()) {
+ Assert.assertTrue(flagFile.delete());
+ }
+
+ // Generated using ysoserial (https://github.com/frohoff/ysoserial)
+ // java -jar ysoserial.jar CommonsBeanutils1 'touch /tmp/ZK_DESERIALIZATION_VULNERABILITY' | base64
+ ((ZKConfigurationStore) confStore).setZkData(confStorePath, Base64.getDecoder().decode("rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgA/b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmNvbXBhcmF0b3JzLkNvbXBhcmFibGVDb21wYXJhdG9y+/SZJbhusTcCAAB4cHQAEG91dHB1dFByb3BlcnRp [...]
+ Assert.assertNull(confStore.retrieve());
+
+ if (!System.getProperty("os.name").startsWith("Windows")) {
+ for (int i = 0; i < 20; ++i) {
+ if (flagFile.exists()) {
+ continue;
+ }
+ Thread.sleep(100);
+ }
+
+ Assert.assertFalse("The file '" + DESERIALIZATION_VULNERABILITY_FILEPATH +
+ "' should not have been created by deserialization attack", flagFile.exists());
+ }
+ }
+
@Override
public YarnConfigurationStore createConfStore() {
return new ZKConfigurationStore();
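Review bot: The wait loop at `if (flagFile.exists()) { continue; }` should `break` rather than `continue`: as written, once the file appears the loop spins through the remaining iterations without sleeping, and when it never appears the test always spends the full 2 s of its 3 s timeout on top of `confStore.initialize`. `if (flagFile.exists()) { break; } Thread.sleep(100);` keeps the same final assertion and fails faster. The fixed path `/tmp/ZK_DESERIALIZATION_VULNERABILITY` is shared between any concurrently running JVMs and is embedded in the serialized payload, so a parallel run can create or delete the flag file under another run; a comment next to the constant in the earlier hunk, e.g. `// Path is embedded in the serialized payload in testDeserializationIsNotVulnerable; change both together.`, would make that coupling visible. The test also assumes `retrieve()` maps the rejected stream to `null` instead of propagating the exception, which is worth stating in a comment above `Assert.assertNull(confStore.retrieve());`.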