TOMEE-1669 blacklist org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan in our custom ObjectInputStream
Project: http://git-wip-us.apache.org/repos/asf/tomee/repo Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/3966347f Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/3966347f Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/3966347f Branch: refs/heads/tomee-7.0.0-M1 Commit: 3966347fd36f613981a0ed8a7bce1a8da7c31dd5 Parents: 3b1b63d Author: Romain Manni-Bucau <rmann...@gmail.com> Authored: Fri Nov 27 12:57:36 2015 +0100 Committer: Romain Manni-Bucau <rmann...@gmail.com> Committed: Fri Nov 27 12:57:50 2015 +0100 ---------------------------------------------------------------------- .../openejb/core/ivm/EjbObjectInputStream.java | 8 ++- .../core/rmi/BlacklistClassResolver.java | 60 ++++++++++++++++++++ .../timer/quartz/QuartzObjectInputStream.java | 3 +- .../core/rmi/BlacklistClassResolverTest.java | 41 +++++++++++++ .../openejb/client/EjbObjectInputStream.java | 43 +++++++++++++- 5 files changed, 151 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/tomee/blob/3966347f/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java ---------------------------------------------------------------------- diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java b/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java index 1f14489..9324984 100644 --- a/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java +++ b/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java @@ -17,6 +17,8 @@ package org.apache.openejb.core.ivm; +import org.apache.openejb.core.rmi.BlacklistClassResolver; + import java.io.IOException; import java.io.InputStream; import java.io.ObjectInputStream; @@ -32,9 +34,11 @@ public class EjbObjectInputStream extends ObjectInputStream { super(in); } + @Override protected Class resolveClass(final ObjectStreamClass classDesc) throws IOException, ClassNotFoundException { + final String checkedName = BlacklistClassResolver.DEFAULT.check(classDesc.getName()); try { - return Class.forName(classDesc.getName(), false, getClassloader()); + return Class.forName(checkedName, false, getClassloader()); } catch (final ClassNotFoundException e) { final String n = classDesc.getName(); if (n.equals("boolean")) { @@ -62,7 +66,7 @@ public class EjbObjectInputStream extends ObjectInputStream { return double.class; } - return getClass().getClassLoader().loadClass(classDesc.getName()); // if CCL is not correct + return getClass().getClassLoader().loadClass(checkedName); // if CCL is not correct } } http://git-wip-us.apache.org/repos/asf/tomee/blob/3966347f/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java ---------------------------------------------------------------------- diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java new file mode 100644 index 0000000..ffefc3a --- /dev/null +++ b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java @@ -0,0 +1,60 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.openejb.core.rmi; + +public class BlacklistClassResolver { + private static final String[] WHITELIST = toArray(System.getProperty("tomee.serialization.class.whitelist")); + private static final String[] BLACKLIST = toArray(System.getProperty("tomee.serialization.class.blacklist")); + + public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver( + new String[] { "org.codehaus.groovy.runtime.", "org.apache.commons.collections.functors.", "org.apache.xalan" }, + null); + + private final String[] blacklist; + private final String[] whitelist; + + protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) { + this.whitelist = whitelist; + this.blacklist = blacklist; + } + + protected boolean isBlacklisted(final String name) { + return !contains(whitelist, name) && contains(blacklist, name); + } + + public final String check(final String name) { + if (isBlacklisted(name)) { + throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading."); + } + return name; + } + + private static String[] toArray(final String property) { + return property == null ? null : property.split(" *, *"); + } + + private static boolean contains(final String[] list, String name) { + if (list != null) { + for (final String white : list) { + if (name.startsWith(white)) { + return true; + } + } + } + return false; + } +} http://git-wip-us.apache.org/repos/asf/tomee/blob/3966347f/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java ---------------------------------------------------------------------- diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java b/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java index f0c757c..dc2525e 100644 --- a/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java +++ b/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java @@ -17,6 +17,7 @@ package org.apache.openejb.core.timer.quartz; +import org.apache.openejb.core.rmi.BlacklistClassResolver; import org.apache.openejb.quartz.spi.ClassLoadHelper; import java.io.IOException; @@ -34,6 +35,6 @@ public class QuartzObjectInputStream extends ObjectInputStream { @Override protected Class<?> resolveClass(final ObjectStreamClass desc) throws ClassNotFoundException, IOException { - return loader.loadClass(desc.getName()); + return loader.loadClass(BlacklistClassResolver.DEFAULT.check(desc.getName())); } } http://git-wip-us.apache.org/repos/asf/tomee/blob/3966347f/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java ---------------------------------------------------------------------- diff --git a/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java b/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java new file mode 100644 index 0000000..1174be2 --- /dev/null +++ b/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java @@ -0,0 +1,41 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.openejb.core.rmi; + +import org.junit.Test; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +public class BlacklistClassResolverTest { + @Test + public void blacklistDefault() { + assertTrue(BlacklistClassResolver.DEFAULT.isBlacklisted("org.codehaus.groovy.runtime.Foo")); + assertTrue(BlacklistClassResolver.DEFAULT.isBlacklisted("org.apache.commons.collections.functors.Foo")); + assertTrue(BlacklistClassResolver.DEFAULT.isBlacklisted("org.apache.xalan.Foo")); + } + + @Test + public void implicitWhiteList() { + assertFalse(BlacklistClassResolver.DEFAULT.isBlacklisted("org.apache.tomee.Foo")); + } + + @Test + public void whiteList() { + assertFalse(new BlacklistClassResolver(null, new String[] { "org.apache.xalan" }).isBlacklisted("org.apache.xalan.Foo")); + } +} http://git-wip-us.apache.org/repos/asf/tomee/blob/3966347f/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java ---------------------------------------------------------------------- diff --git a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java index 03e8177..bb9ea83 100644 --- a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java +++ b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java @@ -26,6 +26,9 @@ import java.lang.reflect.Proxy; * @version $Rev$ $Date$ */ public class EjbObjectInputStream extends ObjectInputStream { + public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver( + new String[]{"org.codehaus.groovy.runtime.", "org.apache.commons.collections.functors.", "org.apache.xalan"}, + null); public EjbObjectInputStream(final InputStream in) throws IOException { super(in); @@ -33,7 +36,7 @@ public class EjbObjectInputStream extends ObjectInputStream { @Override protected Class<?> resolveClass(final ObjectStreamClass classDesc) throws IOException, ClassNotFoundException { - final String n = classDesc.getName(); + final String n = DEFAULT.check(classDesc.getName()); final ClassLoader classloader = getClassloader(); try { return Class.forName(n, false, classloader); @@ -87,4 +90,42 @@ public class EjbObjectInputStream extends ObjectInputStream { return Thread.currentThread().getContextClassLoader(); } + public static class BlacklistClassResolver { + private static final String[] WHITELIST = toArray(System.getProperty("tomee.serialization.class.whitelist")); + private static final String[] BLACKLIST = toArray(System.getProperty("tomee.serialization.class.blacklist")); + + private final String[] blacklist; + private final String[] whitelist; + + protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) { + this.whitelist = whitelist; + this.blacklist = blacklist; + } + + protected boolean isBlacklisted(final String name) { + return !contains(whitelist, name) && contains(blacklist, name); + } + + public final String check(final String name) { + if (isBlacklisted(name)) { + throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading."); + } + return name; + } + + private static String[] toArray(final String property) { + return property == null ? null : property.split(" *, *"); + } + + private static boolean contains(final String[] list, String name) { + if (list != null) { + for (final String white : list) { + if (name.startsWith(white)) { + return true; + } + } + } + return false; + } + } }
