You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by an...@apache.org on 2015/12/01 23:04:16 UTC
[64/77] [abbrv] tomee git commit: TOMEE-1669 blacklist
org.codehaus.groovy.runtime., org.apache.commons.collections.functors.,
org.apache.xalan in our custom ObjectInputStream
TOMEE-1669 blacklist org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan in our custom ObjectInputStream
Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/3966347f
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/3966347f
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/3966347f
Branch: refs/heads/tomee-7.0.0-M1
Commit: 3966347fd36f613981a0ed8a7bce1a8da7c31dd5
Parents: 3b1b63d
Author: Romain Manni-Bucau <rm...@gmail.com>
Authored: Fri Nov 27 12:57:36 2015 +0100
Committer: Romain Manni-Bucau <rm...@gmail.com>
Committed: Fri Nov 27 12:57:50 2015 +0100
----------------------------------------------------------------------
.../openejb/core/ivm/EjbObjectInputStream.java | 8 ++-
.../core/rmi/BlacklistClassResolver.java | 60 ++++++++++++++++++++
.../timer/quartz/QuartzObjectInputStream.java | 3 +-
.../core/rmi/BlacklistClassResolverTest.java | 41 +++++++++++++
.../openejb/client/EjbObjectInputStream.java | 43 +++++++++++++-
5 files changed, 151 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/tomee/blob/3966347f/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java b/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java
index 1f14489..9324984 100644
--- a/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java
+++ b/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java
@@ -17,6 +17,8 @@
package org.apache.openejb.core.ivm;
+import org.apache.openejb.core.rmi.BlacklistClassResolver;
+
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
@@ -32,9 +34,11 @@ public class EjbObjectInputStream extends ObjectInputStream {
super(in);
}
+ @Override
protected Class resolveClass(final ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
+ final String checkedName = BlacklistClassResolver.DEFAULT.check(classDesc.getName());
try {
- return Class.forName(classDesc.getName(), false, getClassloader());
+ return Class.forName(checkedName, false, getClassloader());
} catch (final ClassNotFoundException e) {
final String n = classDesc.getName();
if (n.equals("boolean")) {
@@ -62,7 +66,7 @@ public class EjbObjectInputStream extends ObjectInputStream {
return double.class;
}
- return getClass().getClassLoader().loadClass(classDesc.getName()); // if CCL is not correct
+ return getClass().getClassLoader().loadClass(checkedName); // if CCL is not correct
}
}
http://git-wip-us.apache.org/repos/asf/tomee/blob/3966347f/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
new file mode 100644
index 0000000..ffefc3a
--- /dev/null
+++ b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.openejb.core.rmi;
+
+public class BlacklistClassResolver {
+ private static final String[] WHITELIST = toArray(System.getProperty("tomee.serialization.class.whitelist"));
+ private static final String[] BLACKLIST = toArray(System.getProperty("tomee.serialization.class.blacklist"));
+
+ public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver(
+ new String[] { "org.codehaus.groovy.runtime.", "org.apache.commons.collections.functors.", "org.apache.xalan" },
+ null);
+
+ private final String[] blacklist;
+ private final String[] whitelist;
+
+ protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) {
+ this.whitelist = whitelist;
+ this.blacklist = blacklist;
+ }
+
+ protected boolean isBlacklisted(final String name) {
+ return !contains(whitelist, name) && contains(blacklist, name);
+ }
+
+ public final String check(final String name) {
+ if (isBlacklisted(name)) {
+ throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+ }
+ return name;
+ }
+
+ private static String[] toArray(final String property) {
+ return property == null ? null : property.split(" *, *");
+ }
+
+ private static boolean contains(final String[] list, String name) {
+ if (list != null) {
+ for (final String white : list) {
+ if (name.startsWith(white)) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+}
http://git-wip-us.apache.org/repos/asf/tomee/blob/3966347f/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java b/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java
index f0c757c..dc2525e 100644
--- a/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java
+++ b/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java
@@ -17,6 +17,7 @@
package org.apache.openejb.core.timer.quartz;
+import org.apache.openejb.core.rmi.BlacklistClassResolver;
import org.apache.openejb.quartz.spi.ClassLoadHelper;
import java.io.IOException;
@@ -34,6 +35,6 @@ public class QuartzObjectInputStream extends ObjectInputStream {
@Override
protected Class<?> resolveClass(final ObjectStreamClass desc) throws ClassNotFoundException, IOException {
- return loader.loadClass(desc.getName());
+ return loader.loadClass(BlacklistClassResolver.DEFAULT.check(desc.getName()));
}
}
http://git-wip-us.apache.org/repos/asf/tomee/blob/3966347f/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java b/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java
new file mode 100644
index 0000000..1174be2
--- /dev/null
+++ b/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.openejb.core.rmi;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class BlacklistClassResolverTest {
+ @Test
+ public void blacklistDefault() {
+ assertTrue(BlacklistClassResolver.DEFAULT.isBlacklisted("org.codehaus.groovy.runtime.Foo"));
+ assertTrue(BlacklistClassResolver.DEFAULT.isBlacklisted("org.apache.commons.collections.functors.Foo"));
+ assertTrue(BlacklistClassResolver.DEFAULT.isBlacklisted("org.apache.xalan.Foo"));
+ }
+
+ @Test
+ public void implicitWhiteList() {
+ assertFalse(BlacklistClassResolver.DEFAULT.isBlacklisted("org.apache.tomee.Foo"));
+ }
+
+ @Test
+ public void whiteList() {
+ assertFalse(new BlacklistClassResolver(null, new String[] { "org.apache.xalan" }).isBlacklisted("org.apache.xalan.Foo"));
+ }
+}
http://git-wip-us.apache.org/repos/asf/tomee/blob/3966347f/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
----------------------------------------------------------------------
diff --git a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
index 03e8177..bb9ea83 100644
--- a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
+++ b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
@@ -26,6 +26,9 @@ import java.lang.reflect.Proxy;
* @version $Rev$ $Date$
*/
public class EjbObjectInputStream extends ObjectInputStream {
+ public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver(
+ new String[]{"org.codehaus.groovy.runtime.", "org.apache.commons.collections.functors.", "org.apache.xalan"},
+ null);
public EjbObjectInputStream(final InputStream in) throws IOException {
super(in);
@@ -33,7 +36,7 @@ public class EjbObjectInputStream extends ObjectInputStream {
@Override
protected Class<?> resolveClass(final ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
- final String n = classDesc.getName();
+ final String n = DEFAULT.check(classDesc.getName());
final ClassLoader classloader = getClassloader();
try {
return Class.forName(n, false, classloader);
@@ -87,4 +90,42 @@ public class EjbObjectInputStream extends ObjectInputStream {
return Thread.currentThread().getContextClassLoader();
}
+ public static class BlacklistClassResolver {
+ private static final String[] WHITELIST = toArray(System.getProperty("tomee.serialization.class.whitelist"));
+ private static final String[] BLACKLIST = toArray(System.getProperty("tomee.serialization.class.blacklist"));
+
+ private final String[] blacklist;
+ private final String[] whitelist;
+
+ protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) {
+ this.whitelist = whitelist;
+ this.blacklist = blacklist;
+ }
+
+ protected boolean isBlacklisted(final String name) {
+ return !contains(whitelist, name) && contains(blacklist, name);
+ }
+
+ public final String check(final String name) {
+ if (isBlacklisted(name)) {
+ throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+ }
+ return name;
+ }
+
+ private static String[] toArray(final String property) {
+ return property == null ? null : property.split(" *, *");
+ }
+
+ private static boolean contains(final String[] list, String name) {
+ if (list != null) {
+ for (final String white : list) {
+ if (name.startsWith(white)) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+ }
}