This is an automated email from the ASF dual-hosted git repository.

chaokunyang pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fory.git


The following commit(s) were added to refs/heads/main by this push:
     new 2e0daeb3 feat(java): support maven shade for disallowed.txt (#2327)
2e0daeb3 is described below

commit 2e0daeb36cd4fa7b11cb06b7b6fad0636ae5bfb3
Author: Shawn Yang <[email protected]>
AuthorDate: Fri Jun 13 11:47:37 2025 +0800

    feat(java): support maven shade for disallowed.txt (#2327)
    
    ## What does this PR do?
    
    support maven shade for disallowed.txt by inlining the list in the java
    file, so that it can be shaded and relocated by the maven shade plugin, and
    also let users shade fory and use multiple versions of it in the same
    application.
    
    ## Related issues
    
    <!--
    Is there any related issue? Please attach here.
    
    - #xxxx0
    - #xxxx1
    - #xxxx2
    -->
    
    ## Does this PR introduce any user-facing change?
    
    <!--
    If any user-facing interface changes, please [open an
    issue](https://github.com/apache/fory/issues/new/choose) describing the
    need to do so and update the document if necessary.
    -->
    
    - [ ] Does this PR introduce any public API change?
    - [ ] Does this PR introduce any binary protocol compatibility change?
    
    ## Benchmark
    
    <!--
    When the PR has an impact on performance (if you don't know whether the
    PR will have an impact on performance, you can submit the PR first, and
    if it will have impact on performance, the code reviewer will explain
    it), be sure to attach a benchmark data here.
    -->
---
 .../org/apache/fory/resolver/DisallowedList.java   | 338 +++++++++++++++++----
 .../src/main/resources/fory/disallowed.txt         | 276 -----------------
 .../apache/fory/resolver/DisallowedListTest.java   |  55 ++--
 3 files changed, 288 insertions(+), 381 deletions(-)

diff --git 
a/java/fory-core/src/main/java/org/apache/fory/resolver/DisallowedList.java 
b/java/fory-core/src/main/java/org/apache/fory/resolver/DisallowedList.java
index 9da6266f..4b125402 100644
--- a/java/fory-core/src/main/java/org/apache/fory/resolver/DisallowedList.java
+++ b/java/fory-core/src/main/java/org/apache/fory/resolver/DisallowedList.java
@@ -19,82 +19,286 @@
 
 package org.apache.fory.resolver;
 
-import java.io.BufferedReader;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
 import java.util.Set;
-import java.util.TreeSet;
 import java.util.stream.Collectors;
 import org.apache.fory.exception.InsecureException;
 
 /** A class to record which classes are not allowed for serialization. */
 class DisallowedList {
-  private static final String DISALLOWED_LIST_TXT_PATH = "fory/disallowed.txt";
-  // When the disallowed.txt file is modified, update this hash using the 
following steps:
-  // 1. Run the DisallowedListTest#testCalculateSHA256 test method
-  // 2. Copy the output hash from the test result
-  // 3. Replace the value of SHA256_HASH below with the new hash
-  // 4. Rerun all tests to ensure everything is working correctly with the new 
hash
-  private static final String SHA256_HASH =
-      "53ecb405085d795d45ce033cd4f1055ae06247a5dbaa617ecd20e4aac4303f60";
-  private static final Set<String> DEFAULT_DISALLOWED_LIST_SET;
 
-  static {
-    try (InputStream is =
-        
DisallowedList.class.getClassLoader().getResourceAsStream(DISALLOWED_LIST_TXT_PATH))
 {
-      if (is != null) {
-        DEFAULT_DISALLOWED_LIST_SET =
-            new BufferedReader(new InputStreamReader(is, 
StandardCharsets.UTF_8))
-                .lines()
-                .filter(line -> !line.isEmpty() && !line.startsWith("#"))
-                .collect(Collectors.toSet());
-        String calculatedHash = calculateSHA256(new 
TreeSet<>(DEFAULT_DISALLOWED_LIST_SET));
-        if (!SHA256_HASH.equals(calculatedHash)) {
-          // add a check to avoid some malicious overwrite disallowed.txt
-          throw new SecurityException("Disallowed list has been tampered");
-        }
-      } else {
-        throw new IllegalStateException(
-            String.format("Read disallowed list %s failed", 
DISALLOWED_LIST_TXT_PATH));
-      }
-    } catch (IOException e) {
-      throw new IllegalStateException(
-          String.format("Read disallowed list %s failed", 
DISALLOWED_LIST_TXT_PATH), e);
-    }
-  }
+  // Embedded disallowed class names list - no external file dependency
+  private static final String[] DISALLOWED_CLASSES = {
+    "bsh.Interpreter",
+    "bsh.XThis",
+    "ch.qos.logback.core.db.DriverManagerConnectionSource",
+    "ch.qos.logback.core.db.JNDIConnectionSource",
+    "clojure.core",
+    "clojure.main",
+    "com.caucho.config.types.ResourceRef",
+    "com.caucho.hessian.test.TestCons",
+    "com.caucho.naming.QName",
+    "com.ibm.jtc.jax.xml.bind.v2.runtime.unmarshaller.Base64Data",
+    "com.ibm.xltxe.rnm1.xtq.bcel.util.ClassLoader",
+    "com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase",
+    "com.mchange.v2.c3p0.JndiRefForwardingDataSource",
+    "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
+    "com.mysql.cj.jdbc.MysqlConnectionPoolDataSource",
+    "com.mysql.cj.jdbc.MysqlDataSource",
+    "com.mysql.cj.jdbc.MysqlXADataSource",
+    "com.mysql.jdbc.jdbc2.optional.MysqlDataSource",
+    "com.mysql.jdbc.util.ServerController",
+    "com.rometools.rome.feed.impl.EqualsBean",
+    "com.rometools.rome.feed.impl.ToStringBean",
+    "com.sun.corba.se.impl.activation.ServerManagerImpl",
+    "com.sun.corba.se.impl.activation.ServerTableEntry",
+    
"com.sun.corba.se.impl.presentation.rmi.InvocationHandlerFactoryImpl.CustomCompositeInvocationHandlerImpl",
+    "com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl",
+    "com.sun.corba.se.spi.orbutil.proxy.LinkedInvocationHandler",
+    "com.sun.jndi.ldap.LdapAttribute",
+    "com.sun.jndi.rmi.registry.BindingEnumeration",
+    "com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl",
+    "com.sun.org.apache.bcel.internal.util.ClassLoader",
+    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
+    "com.sun.org.apache.xpath.internal.objects.XString",
+    "com.sun.org.apache.xpath.internal.XPathContext",
+    "com.sun.rowset.JdbcRowSetImpl",
+    "com.sun.syndication.feed.impl.EqualsBean",
+    "com.sun.syndication.feed.impl.ObjectBean",
+    "com.sun.syndication.feed.impl.ToStringBean",
+    "com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data",
+    "com.zaxxer.hikari.HikariConfig",
+    "com.zaxxer.hikari.HikariDataSource",
+    "groovy.lang.PropertyValue",
+    "groovy.util.MapEntry",
+    "java.beans.EventHandler",
+    "java.beans.Expression",
+    "java.lang.invoke.InvokeDynamic",
+    "java.lang.invoke.MethodHandles.Lookup",
+    "java.lang.MethodHandle",
+    "java.lang.Process",
+    "java.lang.ProcessBuilder",
+    "java.lang.reflect.Constructor",
+    "java.lang.reflect.Field",
+    "java.lang.reflect.Method",
+    "java.lang.Runtime",
+    "java.lang.Shutdown",
+    "java.lang.System",
+    "java.lang.Thread",
+    "java.lang.ThreadGroup",
+    "java.lang.ThreadLocal",
+    "java.lang.UNIXProcess",
+    "java.lang.VarHandler",
+    "java.net.Socket",
+    "java.rmi.registry.Registry",
+    "java.rmi.server.ObjID",
+    "java.rmi.server.RemoteObjectInvocationHandler",
+    "java.rmi.server.UnicastRemoteObject",
+    "java.security.SignedObject",
+    "java.util.ServiceLoader",
+    "javassist.bytecode.annotation.Annotation",
+    "javassist.bytecode.annotation.AnnotationImpl",
+    "javassist.bytecode.annotation.AnnotationMemberValue",
+    "javassist.tools.web.Viewer",
+    "javassist.util.proxy.SerializedProxy",
+    "javax.activation.MimeTypeParameterList",
+    "javax.imageio.ImageIO",
+    "javax.imageio.spi.ServiceRegistry",
+    "javax.management.BadAttributeValueExpException",
+    "javax.management.ImmutableDescriptor",
+    "javax.management.MBeanServerInvocationHandler",
+    "javax.management.openmbean.CompositeDataInvocationHandler",
+    "javax.media.jai.remote.SerializableRenderedImage",
+    "javax.naming.InitialContext",
+    "javax.naming.ldap.Rdn",
+    "javax.naming.spi.ContinuationContext.getEnvironment",
+    "javax.naming.spi.ContinuationContext.getTargetContext",
+    "javax.naming.spi.ObjectFactory",
+    "javax.script.ScriptEngineManager",
+    "javax.sound.sampled.AudioFileFormat",
+    "javax.sound.sampled.AudioFormat",
+    "javax.swing.UIDefaults",
+    "javax.xml.transform.Templates",
+    "net.bytebuddy.dynamic.loading.ByteArrayClassLoader",
+    "oracle.jdbc.connector.OracleManagedConnectionFactory",
+    "oracle.jdbc.pool.OracleDataSource",
+    "org.apache.activemq.ActiveMQConnectionFactory",
+    "org.apache.activemq.ActiveMQXAConnectionFactory",
+    "org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory",
+    "org.apache.bcel.util.ClassLoader",
+    "org.apache.carbondata.core.scan.expression.ExpressionResult",
+    "org.apache.commons.beanutils.BeanComparator",
+    "org.apache.commons.beanutils.BeanToPropertyValueTransformer",
+    "org.apache.commons.codec.binary.Base64",
+    "org.apache.commons.collections.functors.ChainedTransformer",
+    "org.apache.commons.collections.functors.ConstantTransformer",
+    "org.apache.commons.collections.functors.InstantiateTransformer",
+    "org.apache.commons.collections.functors.InvokerTransformer",
+    "org.apache.commons.collections.Transformer",
+    "org.apache.commons.collections4.comparators.TransformingComparator",
+    "org.apache.commons.collections4.functors.ChainedTransformer",
+    "org.apache.commons.collections4.functors.ConstantTransformer",
+    "org.apache.commons.collections4.functors.InstantiateTransformer",
+    "org.apache.commons.collections4.functors.InvokerTransformer",
+    "org.apache.commons.configuration.JNDIConfiguration",
+    "org.apache.commons.configuration2.JNDIConfiguration",
+    "org.apache.commons.dbcp.datasources.PerUserPoolDataSource",
+    "org.apache.commons.dbcp.datasources.SharedPoolDataSource",
+    "org.apache.commons.dbcp2.datasources.PerUserPoolDataSource",
+    "org.apache.commons.dbcp2.datasources.SharedPoolDataSource",
+    "org.apache.commons.fileupload.disk.DiskFileItem",
+    "org.apache.ibatis.executor.loader.AbstractSerialStateHolder",
+    "org.apache.ibatis.executor.loader.cglib.CglibProxyFactory",
+    "org.apache.ibatis.executor.loader.CglibSerialStateHolder",
+    "org.apache.ibatis.executor.loader.javassist.JavassistSerialStateHolder",
+    "org.apache.ibatis.executor.loader.JavassistSerialStateHolder",
+    "org.apache.ibatis.javassist.bytecode.annotation.Annotation",
+    "org.apache.ibatis.javassist.bytecode.annotation.AnnotationImpl",
+    "org.apache.ibatis.javassist.bytecode.annotation.AnnotationMemberValue",
+    "org.apache.ibatis.javassist.tools.web.Viewer",
+    "org.apache.ibatis.javassist.util.proxy.SerializedProxy",
+    "org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup",
+    "org.apache.log.output.db.DefaultDataSource",
+    "org.apache.log4j.receivers.db.DriverManagerConnectionSource",
+    "org.apache.myfaces.context.servlet.FacesContextImpl",
+    "org.apache.myfaces.context.servlet.FacesContextImplBase",
+    "org.apache.myfaces.el.CompositeELResolver",
+    "org.apache.myfaces.el.unified.FacesELContext",
+    "org.apache.myfaces.view.facelets.el.ValueExpressionMethodExpression",
+    "org.apache.openjpa.ee.JNDIManagedRuntime",
+    "org.apache.openjpa.ee.RegistryManagedRuntime",
+    "org.apache.shiro.jndi.JndiObjectFactory",
+    "org.apache.shiro.realm.jndi.JndiRealmFactory",
+    "org.apache.tomcat.dbcp.dbcp.BasicDataSource",
+    "org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource",
+    "org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource",
+    "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
+    "org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource",
+    "org.apache.velocity.runtime.resource.ContentResource",
+    "org.apache.velocity.runtime.resource.loader.DataSourceResourceLoader",
+    "org.apache.velocity.runtime.resource.Resource",
+    "org.apache.velocity.Template",
+    "org.apache.wicket.util.upload.DiskFileItem",
+    "org.apache.xalan.xsltc.trax.TemplatesImpl",
+    "org.apache.xbean.naming.context.ContextUtil",
+    "org.apache.xpath.XPathContext",
+    "org.apache.zookeeper.Shell",
+    "org.aspectj.apache.bcel.util.ClassLoader",
+    "org.bouncycastle.asn1.ASN1Object",
+    "org.bouncycastle.asn1.x509.X509Extensions",
+    "org.codehaus.groovy.runtime.ConvertedClosure",
+    "org.codehaus.groovy.runtime.GStringImpl",
+    "org.codehaus.groovy.runtime.MethodClosure",
+    
"org.datanucleus.store.rdbms.datasource.dbcp.datasources.PerUserPoolDataSource;",
+    
"org.datanucleus.store.rdbms.datasource.dbcp.datasources.SharedPoolDataSource;",
+    "org.eclipse.jetty.util.log.LoggerLog",
+    "org.geotools.filter.ConstantExpression",
+    "org.h2.value.ValueJavaObject",
+    "org.h2.message.Trace",
+    "org.h2.message.TraceObject",
+    "org.h2.message.TraceSystem",
+    "org.h2.message.TraceWriterAdapter",
+    "org.h2.jdbcx.JdbcDataSource",
+    "org.hibernate.engine.spi.TypedValue",
+    "org.hibernate.tuple.component.AbstractComponentTuplizer",
+    "org.hibernate.tuple.component.PojoComponentTuplizer",
+    "org.hibernate.type.AbstractType",
+    "org.hibernate.type.ComponentType",
+    "org.hibernate.type.Type",
+    "org.jboss.ejb3.proxy.handle.HomeHandleImpl",
+    "org.jboss.ejb3.stateful.StatefulHandleImpl",
+    "org.jboss.ejb3.stateless.StatelessHandleImpl",
+    "org.jboss.interceptor.builder.InterceptionModelBuilder",
+    "org.jboss.interceptor.builder.MethodReference",
+    "org.jboss.interceptor.proxy.DefaultInvocationContextFactory",
+    "org.jboss.interceptor.proxy.InterceptorMethodHandler",
+    "org.jboss.interceptor.reader.ClassMetadataInterceptorReference",
+    "org.jboss.interceptor.reader.DefaultMethodMetadata",
+    "org.jboss.interceptor.reader.ReflectiveClassMetadata",
+    "org.jboss.interceptor.reader.SimpleInterceptorMetadata",
+    "org.jboss.interceptor.spi.instance.InterceptorInstantiator",
+    "org.jboss.interceptor.spi.metadata.InterceptorReference",
+    "org.jboss.interceptor.spi.metadata.MethodMetadata",
+    "org.jboss.interceptor.spi.model.InterceptionModel",
+    "org.jboss.interceptor.spi.model.InterceptionType",
+    "org.jboss.proxy.ejb.handle.EntityHandleImpl",
+    "org.jboss.proxy.ejb.handle.HomeHandleImpl",
+    "org.jboss.proxy.ejb.handle.StatefulHandleImpl",
+    "org.jboss.proxy.ejb.handle.StatelessHandleImpl",
+    "org.jboss.resteasy.plugins.server.resourcefactory.JndiResourceFactory",
+    "org.jboss.weld.interceptor.builder.InterceptionModelBuilder",
+    "org.jboss.weld.interceptor.builder.MethodReference",
+    "org.jboss.weld.interceptor.proxy.DefaultInvocationContextFactory",
+    "org.jboss.weld.interceptor.proxy.InterceptorMethodHandler",
+    "org.jboss.weld.interceptor.reader.ClassMetadataInterceptorReference",
+    "org.jboss.weld.interceptor.reader.DefaultMethodMetadata",
+    "org.jboss.weld.interceptor.reader.ReflectiveClassMetadata",
+    "org.jboss.weld.interceptor.reader.SimpleInterceptorMetadata",
+    "org.jboss.weld.interceptor.spi.instance.InterceptorInstantiator",
+    "org.jboss.weld.interceptor.spi.metadata.InterceptorReference",
+    "org.jboss.weld.interceptor.spi.metadata.MethodMetadata",
+    "org.jboss.weld.interceptor.spi.model.InterceptionModel",
+    "org.jboss.weld.interceptor.spi.model.InterceptionType",
+    "org.mockito.internal.creation.cglib.AcrossJVMSerializationFeature",
+    "org.mortbay.log.Slf4jLog",
+    "org.mozilla.javascript.Context",
+    "org.mozilla.javascript.IdScriptableObject",
+    "org.mozilla.javascript.MemberBox",
+    "org.mozilla.javascript.NativeError",
+    "org.mozilla.javascript.NativeJavaMethod",
+    "org.mozilla.javascript.NativeJavaObject",
+    "org.mozilla.javascript.NativeObject",
+    "org.mozilla.javascript.ScriptableObject",
+    "org.python.core.PyBytecode",
+    "org.python.core.PyFunction",
+    "org.python.core.PyObject",
+    "org.quartz.utils.JNDIConnectionProvider",
+    "org.reflections.Reflections",
+    
"org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator",
+    "org.springframework.aop.framework.AdvisedSupport",
+    "org.springframework.aop.framework.JdkDynamicAopProxy",
+    "org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor",
+    "org.springframework.aop.target.SingletonTargetSource",
+    "org.springframework.beans.BeanWrapperImpl",
+    "org.springframework.beans.factory.BeanFactory",
+    "org.springframework.beans.factory.config.MethodInvokingFactoryBean",
+    "org.springframework.beans.factory.config.PropertyPathFactoryBean",
+    "org.springframework.beans.factory.ObjectFactory",
+    "org.springframework.beans.factory.support.DefaultListableBeanFactory",
+    "org.springframework.core.SerializableTypeWrapper",
+    "org.springframework.expression.spel.ast.Indexer",
+    "org.springframework.expression.spel.ast.MethodReference",
+    "org.springframework.jndi.JndiObjectTargetSource",
+    "org.springframework.jndi.support.SimpleJndiBeanFactory",
+    "org.springframework.orm.jpa.AbstractEntityManagerFactoryBean",
+    "org.springframework.transaction.jta.JtaTransactionManager",
+    "org.thymeleaf.standard.expression.Expression",
+    "org.thymeleaf.standard.expression.StandardExpressionParser",
+    "org.yaml.snakeyaml.tokens.DirectiveToken",
+    "pstore.shaded.org.apache.commons.collections.functors.InvokerTransformer",
+    "sun.print.PrintServiceLookupProvider",
+    "sun.print.UnixPrintService",
+    "sun.print.UnixPrintServiceLookup",
+    "sun.rmi.server.UnicastRef",
+    "sun.rmi.server.UnicastRef2",
+    "sun.rmi.transport.LiveRef",
+    "sun.rmi.transport.tcp.TCPEndpoint",
+    "sun.swing.SwingLazyValue",
+    "weblogic.ejb20.internal.LocalHomeHandleImpl",
+    "weblogic.jms.common.ObjectMessageImpl",
+    "com.atomikos.icatch.jta.RemoteClientUserTransaction"
+  };
 
-  private static byte[] readAllBytes(InputStream inputStream) throws 
IOException {
-    ByteArrayOutputStream buffer = new ByteArrayOutputStream();
-    int numbytesRead;
-    byte[] data = new byte[1024];
-    while ((numbytesRead = inputStream.read(data, 0, data.length)) != -1) {
-      buffer.write(data, 0, numbytesRead);
-    }
-    buffer.flush();
-    return buffer.toByteArray();
-  }
+  private static final Set<String> DEFAULT_DISALLOWED_LIST_SET =
+      Arrays.stream(DISALLOWED_CLASSES).collect(Collectors.toSet());
 
-  private static String calculateSHA256(TreeSet<String> set) {
-    try {
-      MessageDigest digest = MessageDigest.getInstance("SHA-256");
-      byte[] hashBytes = digest.digest(String.join(",", 
set).getBytes(StandardCharsets.UTF_8));
-      StringBuilder hexString = new StringBuilder();
-      for (byte b : hashBytes) {
-        String hex = Integer.toHexString(0xff & b);
-        if (hex.length() == 1) {
-          hexString.append('0');
-        }
-        hexString.append(hex);
-      }
-      return hexString.toString();
-    } catch (NoSuchAlgorithmException e) {
-      throw new RuntimeException("SHA-256 algorithm not available", e);
-    }
+  /**
+   * Get the disallowed class names as a Set for testing purposes.
+   *
+   * @return Set of disallowed class names
+   */
+  static Set<String> getDisallowedClasses() {
+    return DEFAULT_DISALLOWED_LIST_SET;
   }
 
   /**
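Review bot: Two entries in the inlined DISALLOWED_CLASSES array carry a trailing semicolon, `"org.datanucleus.store.rdbms.datasource.dbcp.datasources.PerUserPoolDataSource;"` and `"org.datanucleus.store.rdbms.datasource.dbcp.datasources.SharedPoolDataSource;"`, so they can never equal a real class name and those two types are effectively not blocked; the semicolons were carried over from the deleted disallowed.txt and this migration is the moment to drop them. `"java.lang.VarHandler"` looks like a typo for `java.lang.invoke.VarHandle`, and the `javax.naming.spi.ContinuationContext.getEnvironment` / `getTargetContext` entries name methods rather than classes, so all three are worth confirming against whatever lookup the set is matched by (that code is not in the hunk). DEFAULT_DISALLOWED_LIST_SET is a mutable HashSet that getDisallowedClasses() hands out as-is; building it as `Collections.unmodifiableSet(Arrays.stream(DISALLOWED_CLASSES).collect(Collectors.toSet()))` (adding a `java.util.Collections` import) keeps any caller, test or otherwise, from silently shrinking the block list. Dropping the SHA-256 tamper check is reasonable now that the list lives in the class file rather than an overridable resource, but a one-line comment on the array saying so, e.g. `// Inlined so the list is covered by the class file itself; no resource to overwrite, so no hash check`, would spare the next reader the archaeology. The remainder of the class, including the method whose Javadoc opens on the hunk's last line, is outside the hunk.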
diff --git a/java/fory-core/src/main/resources/fory/disallowed.txt 
b/java/fory-core/src/main/resources/fory/disallowed.txt
deleted file mode 100644
index 2a6e5b02..00000000
--- a/java/fory-core/src/main/resources/fory/disallowed.txt
+++ /dev/null
@@ -1,276 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-# Note: update `DisallowedList#SHA256_HASH` when added new classes.
-bsh.Interpreter
-bsh.XThis
-ch.qos.logback.core.db.DriverManagerConnectionSource
-ch.qos.logback.core.db.JNDIConnectionSource
-clojure.core
-clojure.main
-com.caucho.config.types.ResourceRef
-com.caucho.hessian.test.TestCons
-com.caucho.naming.QName
-com.ibm.jtc.jax.xml.bind.v2.runtime.unmarshaller.Base64Data
-com.ibm.xltxe.rnm1.xtq.bcel.util.ClassLoader
-com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase
-com.mchange.v2.c3p0.JndiRefForwardingDataSource
-com.mchange.v2.c3p0.WrapperConnectionPoolDataSource
-com.mysql.cj.jdbc.MysqlConnectionPoolDataSource
-com.mysql.cj.jdbc.MysqlDataSource
-com.mysql.cj.jdbc.MysqlXADataSource
-com.mysql.jdbc.jdbc2.optional.MysqlDataSource
-com.mysql.jdbc.util.ServerController
-com.rometools.rome.feed.impl.EqualsBean
-com.rometools.rome.feed.impl.ToStringBean
-com.sun.corba.se.impl.activation.ServerManagerImpl
-com.sun.corba.se.impl.activation.ServerTableEntry
-com.sun.corba.se.impl.presentation.rmi.InvocationHandlerFactoryImpl.CustomCompositeInvocationHandlerImpl
-com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl
-com.sun.corba.se.spi.orbutil.proxy.LinkedInvocationHandler
-com.sun.jndi.ldap.LdapAttribute
-com.sun.jndi.rmi.registry.BindingEnumeration
-com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl
-com.sun.org.apache.bcel.internal.util.ClassLoader
-com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
-com.sun.org.apache.xpath.internal.objects.XString
-com.sun.org.apache.xpath.internal.XPathContext
-com.sun.rowset.JdbcRowSetImpl
-com.sun.syndication.feed.impl.EqualsBean
-com.sun.syndication.feed.impl.ObjectBean
-com.sun.syndication.feed.impl.ToStringBean
-com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data
-com.zaxxer.hikari.HikariConfig
-com.zaxxer.hikari.HikariDataSource
-groovy.lang.PropertyValue
-groovy.util.MapEntry
-java.beans.EventHandler
-java.beans.Expression
-java.lang.invoke.InvokeDynamic
-java.lang.invoke.MethodHandles.Lookup
-java.lang.MethodHandle
-java.lang.Process
-java.lang.ProcessBuilder
-java.lang.reflect.Constructor
-java.lang.reflect.Field
-java.lang.reflect.Method
-java.lang.Runtime
-java.lang.Shutdown
-java.lang.System
-java.lang.Thread
-java.lang.ThreadGroup
-java.lang.ThreadLocal
-java.lang.UNIXProcess
-java.lang.VarHandler
-java.net.Socket
-java.rmi.registry.Registry
-java.rmi.server.ObjID
-java.rmi.server.RemoteObjectInvocationHandler
-java.rmi.server.UnicastRemoteObject
-java.security.SignedObject
-java.util.ServiceLoader
-javassist.bytecode.annotation.Annotation
-javassist.bytecode.annotation.AnnotationImpl
-javassist.bytecode.annotation.AnnotationMemberValue
-javassist.tools.web.Viewer
-javassist.util.proxy.SerializedProxy
-javax.activation.MimeTypeParameterList
-javax.imageio.ImageIO
-javax.imageio.spi.ServiceRegistry
-javax.management.BadAttributeValueExpException
-javax.management.ImmutableDescriptor
-javax.management.MBeanServerInvocationHandler
-javax.management.openmbean.CompositeDataInvocationHandler
-javax.media.jai.remote.SerializableRenderedImage
-javax.naming.InitialContext
-javax.naming.ldap.Rdn
-javax.naming.spi.ContinuationContext.getEnvironment
-javax.naming.spi.ContinuationContext.getTargetContext
-javax.naming.spi.ObjectFactory
-javax.script.ScriptEngineManager
-javax.sound.sampled.AudioFileFormat
-javax.sound.sampled.AudioFormat
-javax.swing.UIDefaults
-javax.xml.transform.Templates
-net.bytebuddy.dynamic.loading.ByteArrayClassLoader
-oracle.jdbc.connector.OracleManagedConnectionFactory
-oracle.jdbc.pool.OracleDataSource
-org.apache.activemq.ActiveMQConnectionFactory
-org.apache.activemq.ActiveMQXAConnectionFactory
-org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory
-org.apache.bcel.util.ClassLoader
-org.apache.carbondata.core.scan.expression.ExpressionResult
-org.apache.commons.beanutils.BeanComparator
-org.apache.commons.beanutils.BeanToPropertyValueTransformer
-org.apache.commons.codec.binary.Base64
-org.apache.commons.collections.functors.ChainedTransformer
-org.apache.commons.collections.functors.ConstantTransformer
-org.apache.commons.collections.functors.InstantiateTransformer
-org.apache.commons.collections.functors.InvokerTransformer
-org.apache.commons.collections.Transformer
-org.apache.commons.collections4.comparators.TransformingComparator
-org.apache.commons.collections4.functors.ChainedTransformer
-org.apache.commons.collections4.functors.ConstantTransformer
-org.apache.commons.collections4.functors.InstantiateTransformer
-org.apache.commons.collections4.functors.InvokerTransformer
-org.apache.commons.configuration.JNDIConfiguration
-org.apache.commons.configuration2.JNDIConfiguration
-org.apache.commons.dbcp.datasources.PerUserPoolDataSource
-org.apache.commons.dbcp.datasources.SharedPoolDataSource
-org.apache.commons.dbcp2.datasources.PerUserPoolDataSource
-org.apache.commons.dbcp2.datasources.SharedPoolDataSource
-org.apache.commons.fileupload.disk.DiskFileItem
-org.apache.ibatis.executor.loader.AbstractSerialStateHolder
-org.apache.ibatis.executor.loader.cglib.CglibProxyFactory
-org.apache.ibatis.executor.loader.CglibSerialStateHolder
-org.apache.ibatis.executor.loader.javassist.JavassistSerialStateHolder
-org.apache.ibatis.executor.loader.JavassistSerialStateHolder
-org.apache.ibatis.javassist.bytecode.annotation.Annotation
-org.apache.ibatis.javassist.bytecode.annotation.AnnotationImpl
-org.apache.ibatis.javassist.bytecode.annotation.AnnotationMemberValue
-org.apache.ibatis.javassist.tools.web.Viewer
-org.apache.ibatis.javassist.util.proxy.SerializedProxy
-org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup
-org.apache.log.output.db.DefaultDataSource
-org.apache.log4j.receivers.db.DriverManagerConnectionSource
-org.apache.myfaces.context.servlet.FacesContextImpl
-org.apache.myfaces.context.servlet.FacesContextImplBase
-org.apache.myfaces.el.CompositeELResolver
-org.apache.myfaces.el.unified.FacesELContext
-org.apache.myfaces.view.facelets.el.ValueExpressionMethodExpression
-org.apache.openjpa.ee.JNDIManagedRuntime
-org.apache.openjpa.ee.RegistryManagedRuntime
-org.apache.shiro.jndi.JndiObjectFactory
-org.apache.shiro.realm.jndi.JndiRealmFactory
-org.apache.tomcat.dbcp.dbcp.BasicDataSource
-org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource
-org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource
-org.apache.tomcat.dbcp.dbcp2.BasicDataSource
-org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource
-org.apache.velocity.runtime.resource.ContentResource
-org.apache.velocity.runtime.resource.loader.DataSourceResourceLoader
-org.apache.velocity.runtime.resource.Resource
-org.apache.velocity.Template
-org.apache.wicket.util.upload.DiskFileItem
-org.apache.xalan.xsltc.trax.TemplatesImpl
-org.apache.xbean.naming.context.ContextUtil
-org.apache.xpath.XPathContext
-org.apache.zookeeper.Shell
-org.aspectj.apache.bcel.util.ClassLoader
-org.bouncycastle.asn1.ASN1Object
-org.bouncycastle.asn1.x509.X509Extensions
-org.codehaus.groovy.runtime.ConvertedClosure
-org.codehaus.groovy.runtime.GStringImpl
-org.codehaus.groovy.runtime.MethodClosure
-org.datanucleus.store.rdbms.datasource.dbcp.datasources.PerUserPoolDataSource;
-org.datanucleus.store.rdbms.datasource.dbcp.datasources.SharedPoolDataSource;
-org.eclipse.jetty.util.log.LoggerLog
-org.geotools.filter.ConstantExpression
-org.h2.value.ValueJavaObject
-org.h2.message.Trace
-org.h2.message.TraceObject
-org.h2.message.TraceSystem
-org.h2.message.TraceWriterAdapter
-org.h2.jdbcx.JdbcDataSource
-org.hibernate.engine.spi.TypedValue
-org.hibernate.tuple.component.AbstractComponentTuplizer
-org.hibernate.tuple.component.PojoComponentTuplizer
-org.hibernate.type.AbstractType
-org.hibernate.type.ComponentType
-org.hibernate.type.Type
-org.jboss.ejb3.proxy.handle.HomeHandleImpl
-org.jboss.ejb3.stateful.StatefulHandleImpl
-org.jboss.ejb3.stateless.StatelessHandleImpl
-org.jboss.interceptor.builder.InterceptionModelBuilder
-org.jboss.interceptor.builder.MethodReference
-org.jboss.interceptor.proxy.DefaultInvocationContextFactory
-org.jboss.interceptor.proxy.InterceptorMethodHandler
-org.jboss.interceptor.reader.ClassMetadataInterceptorReference
-org.jboss.interceptor.reader.DefaultMethodMetadata
-org.jboss.interceptor.reader.ReflectiveClassMetadata
-org.jboss.interceptor.reader.SimpleInterceptorMetadata
-org.jboss.interceptor.spi.instance.InterceptorInstantiator
-org.jboss.interceptor.spi.metadata.InterceptorReference
-org.jboss.interceptor.spi.metadata.MethodMetadata
-org.jboss.interceptor.spi.model.InterceptionModel
-org.jboss.interceptor.spi.model.InterceptionType
-org.jboss.proxy.ejb.handle.EntityHandleImpl
-org.jboss.proxy.ejb.handle.HomeHandleImpl
-org.jboss.proxy.ejb.handle.StatefulHandleImpl
-org.jboss.proxy.ejb.handle.StatelessHandleImpl
-org.jboss.resteasy.plugins.server.resourcefactory.JndiResourceFactory
-org.jboss.weld.interceptor.builder.InterceptionModelBuilder
-org.jboss.weld.interceptor.builder.MethodReference
-org.jboss.weld.interceptor.proxy.DefaultInvocationContextFactory
-org.jboss.weld.interceptor.proxy.InterceptorMethodHandler
-org.jboss.weld.interceptor.reader.ClassMetadataInterceptorReference
-org.jboss.weld.interceptor.reader.DefaultMethodMetadata
-org.jboss.weld.interceptor.reader.ReflectiveClassMetadata
-org.jboss.weld.interceptor.reader.SimpleInterceptorMetadata
-org.jboss.weld.interceptor.spi.instance.InterceptorInstantiator
-org.jboss.weld.interceptor.spi.metadata.InterceptorReference
-org.jboss.weld.interceptor.spi.metadata.MethodMetadata
-org.jboss.weld.interceptor.spi.model.InterceptionModel
-org.jboss.weld.interceptor.spi.model.InterceptionType
-org.mockito.internal.creation.cglib.AcrossJVMSerializationFeature
-org.mortbay.log.Slf4jLog
-org.mozilla.javascript.Context
-org.mozilla.javascript.IdScriptableObject
-org.mozilla.javascript.MemberBox
-org.mozilla.javascript.NativeError
-org.mozilla.javascript.NativeJavaMethod
-org.mozilla.javascript.NativeJavaObject
-org.mozilla.javascript.NativeObject
-org.mozilla.javascript.ScriptableObject
-org.python.core.PyBytecode
-org.python.core.PyFunction
-org.python.core.PyObject
-org.quartz.utils.JNDIConnectionProvider
-org.reflections.Reflections
-org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator
-org.springframework.aop.framework.AdvisedSupport
-org.springframework.aop.framework.JdkDynamicAopProxy
-org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor
-org.springframework.aop.target.SingletonTargetSource
-org.springframework.beans.BeanWrapperImpl
-org.springframework.beans.factory.BeanFactory
-org.springframework.beans.factory.config.MethodInvokingFactoryBean
-org.springframework.beans.factory.config.PropertyPathFactoryBean
-org.springframework.beans.factory.ObjectFactory
-org.springframework.beans.factory.support.DefaultListableBeanFactory
-org.springframework.core.SerializableTypeWrapper
-org.springframework.expression.spel.ast.Indexer
-org.springframework.expression.spel.ast.MethodReference
-org.springframework.jndi.JndiObjectTargetSource
-org.springframework.jndi.support.SimpleJndiBeanFactory
-org.springframework.orm.jpa.AbstractEntityManagerFactoryBean
-org.springframework.transaction.jta.JtaTransactionManager
-org.thymeleaf.standard.expression.Expression
-org.thymeleaf.standard.expression.StandardExpressionParser
-org.yaml.snakeyaml.tokens.DirectiveToken
-pstore.shaded.org.apache.commons.collections.functors.InvokerTransformer
-sun.print.PrintServiceLookupProvider
-sun.print.UnixPrintService
-sun.print.UnixPrintServiceLookup
-sun.rmi.server.UnicastRef
-sun.rmi.server.UnicastRef2
-sun.rmi.transport.LiveRef
-sun.rmi.transport.tcp.TCPEndpoint
-sun.swing.SwingLazyValue
-weblogic.ejb20.internal.LocalHomeHandleImpl
-weblogic.jms.common.ObjectMessageImpl
-com.atomikos.icatch.jta.RemoteClientUserTransaction
diff --git 
a/java/fory-core/src/test/java/org/apache/fory/resolver/DisallowedListTest.java 
b/java/fory-core/src/test/java/org/apache/fory/resolver/DisallowedListTest.java
index 0ea64ad3..b7a3a21b 100644
--- 
a/java/fory-core/src/test/java/org/apache/fory/resolver/DisallowedListTest.java
+++ 
b/java/fory-core/src/test/java/org/apache/fory/resolver/DisallowedListTest.java
@@ -19,58 +19,37 @@
 
 package org.apache.fory.resolver;
 
-import java.io.BufferedReader;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.nio.charset.StandardCharsets;
 import java.rmi.server.UnicastRemoteObject;
-import java.security.MessageDigest;
 import java.util.Set;
-import java.util.TreeSet;
-import java.util.stream.Collectors;
 import org.apache.fory.Fory;
 import org.apache.fory.ForyTestBase;
 import org.apache.fory.config.Language;
 import org.apache.fory.exception.InsecureException;
 import org.apache.fory.memory.Platform;
-import org.apache.fory.reflect.ReflectionUtils;
 import org.testng.Assert;
 import org.testng.annotations.Test;
 
 public class DisallowedListTest extends ForyTestBase {
 
   @Test
-  public void testCalculateSHA256() throws Exception {
-    final String disallowedListTxtPath =
-        (String)
-            ReflectionUtils.getDeclaredStaticFieldValue(
-                DisallowedList.class, "DISALLOWED_LIST_TXT_PATH");
-    try (InputStream is =
-        
DisallowedList.class.getClassLoader().getResourceAsStream(disallowedListTxtPath))
 {
-      assert is != null;
-      Set<String> set =
-          new BufferedReader(new InputStreamReader(is, StandardCharsets.UTF_8))
-              .lines()
-              .filter(line -> !line.isEmpty() && !line.startsWith("#"))
-              .collect(Collectors.toSet());
-      MessageDigest digest = MessageDigest.getInstance("SHA-256");
-      byte[] hashBytes =
-          digest.digest(String.join(",", new 
TreeSet<>(set)).getBytes(StandardCharsets.UTF_8));
-      StringBuilder hexString = new StringBuilder();
-      for (byte b : hashBytes) {
-        String hex = Integer.toHexString(0xff & b);
-        if (hex.length() == 1) {
-          hexString.append('0');
-        }
-        hexString.append(hex);
-      }
-      System.out.println("SHA256 HASH for disallowed.txt is " + hexString);
+  public void testDisallowedListNotEmpty() {
+    Set<String> disallowedClasses = DisallowedList.getDisallowedClasses();
+    Assert.assertFalse(disallowedClasses.isEmpty(), "Disallowed list should 
not be empty");
+    Assert.assertTrue(
+        disallowedClasses.size() > 200, "Disallowed list should contain many 
classes");
+  }
 
-      Assert.assertEquals(
-          hexString.toString(),
-          ReflectionUtils.getDeclaredStaticFieldValue(DisallowedList.class, 
"SHA256_HASH"),
-          "Please update `DisallowedList#SHA256_HASH` with the above output 
hash value.");
-    }
+  @Test
+  public void testKnownDangerousClasses() {
+    Set<String> disallowedClasses = DisallowedList.getDisallowedClasses();
+
+    // Test some known dangerous classes are in the list
+    
Assert.assertTrue(disallowedClasses.contains("java.rmi.server.UnicastRemoteObject"));
+    
Assert.assertTrue(disallowedClasses.contains("com.sun.jndi.rmi.registry.BindingEnumeration"));
+    Assert.assertTrue(disallowedClasses.contains("java.beans.Expression"));
+    Assert.assertTrue(
+        
disallowedClasses.contains("org.apache.commons.collections.functors.InvokerTransformer"));
+    
Assert.assertTrue(disallowedClasses.contains("org.apache.xalan.xsltc.trax.TemplatesImpl"));
   }
 
   @Test
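Review bot: The `> 200` threshold in testDisallowedListNotEmpty is a loose proxy for "the whole list was inlined"; a regeneration that accidentally dropped a third of the entries would still pass, and the SHA-256 comparison this hunk removes was the check that used to catch that kind of drift. Pinning the exact size, `Assert.assertEquals(disallowedClasses.size(), <expected count placeholder>, "Disallowed list size changed; update the test with the new list");`, keeps the guarantee, and the preceding `assertFalse(isEmpty())` then becomes redundant. The membership checks in testKnownDangerousClasses confirm the names are present but not that deserialization of them is actually rejected; the surviving `InsecureException` and `UnicastRemoteObject` imports suggest the method starting at the trailing `@Test`, which lies outside this hunk, still covers that, and it is worth confirming it does now that the list is no longer loaded from the resource file.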

