nishat-06 opened a new pull request, #8612:
URL: https://github.com/apache/hadoop/pull/8612

   ### Description of PR
   
   `LeveldbConfigurationStore.deserLogMutations` reads the capacity scheduler 
configuration log back with a bare `ObjectInputStream`, so whatever sits under 
the leveldb `log` key decides which `Serializable` types the RM constructs 
during recovery. `ZKConfigurationStore.deserializeObject` already fences the 
identical `LinkedList<LogMutation>` graph behind a 
`ValidatingObjectInputStream` allowlist, and 
`TestZKConfigurationStore.testDeserializationIsNotVulnerable` pins that with a 
ysoserial payload, but the leveldb store never got either. This applies the 
same `accept()` list at the point the bytes are turned back into objects.
   
   `ConfigurationUpdateAssembler.constructKeyValueConfUpdate` builds the 
updates map with `new HashMap<>()`, so `LinkedList`, `LogMutation`, `HashMap` 
and `String` cover a real configuration log and valid stores still load 
unchanged.
   
   ### How was this patch tested?
   
   Added `testDeserializationIsNotVulnerable` to 
`TestLeveldbConfigurationStore`, alongside the existing ZK one. It plants a 
list holding a type that is not part of a configuration log and asserts the 
read is rejected and the type is never constructed. Against the unpatched store 
the payload's `readObject` runs and no exception is raised; with the patch it 
fails with `InvalidClassException`.
   
   `mvn compile`/`test-compile` and `checkstyle:check` are clean for both files 
on JDK 17. I could not execute the leveldb suite locally, `leveldbjni` ships no 
arm64 native and the existing tests in that class already fail the same way on 
this machine, so I am relying on CI for the run.
   
   ### For code changes:
   
   - [ ] Does the title or this PR starts with the corresponding JIRA issue id 
(e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the 
endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, 
`NOTICE-binary` files?
   
   ### AI Tooling
   
   If an AI tool was used:
   
   - [ ] The PR includes the phrase "Contains content generated by <tool>"
         where <tool> is the name of the AI tool used.
   - [ ] My use of AI contributions follows the ASF legal policy
         https://www.apache.org/legal/generative-tooling.html
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to