This is an automated email from the ASF dual-hosted git repository. snemeth pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new 5e2f4339fad YARN-11126. ZKConfigurationStore Java deserialisation vulnerability. Contributed by Tamas Domok
5e2f4339fad is described below
commit 5e2f4339fadc88f20543915fc9b0aaeaf4f9e7bf
Author: Szilard Nemeth <snem...@apache.org>
AuthorDate: Thu May 12 13:42:06 2022 +0200
YARN-11126. ZKConfigurationStore Java deserialisation vulnerability. Contributed by Tamas Domok
---
 .../capacity/conf/ZKConfigurationStore.java | 5 ++--
 .../capacity/conf/TestZKConfigurationStore.java | 35 ++++++++++++++++++++++
 2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/ZKConfigurationStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/ZKConfigurationStore.java
index 71226c300a8..ad8fb97a7a6 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/ZKConfigurationStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/ZKConfigurationStore.java
@@ -18,6 +18,7 @@
 package org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.conf;
+import org.apache.commons.io.serialization.ValidatingObjectInputStream;
 import org.apache.hadoop.classification.VisibleForTesting;
 import org.apache.zookeeper.KeeperException.NodeExistsException;
 import org.slf4j.Logger;
@@ -35,7 +36,6 @@ import org.apache.zookeeper.data.ACL;
 import java.io.IOException;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
-import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.util.HashMap;
 import java.util.LinkedList;
@@ -314,7 +314,8 @@ public class ZKConfigurationStore extends YarnConfigurationStore {
 private static Object deserializeObject(byte[] bytes) throws Exception {
 try (ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
- ObjectInputStream ois = new ObjectInputStream(bais);) {
+ ValidatingObjectInputStream ois = new ValidatingObjectInputStream(bais);) {
+ ois.accept(LinkedList.class, LogMutation.class, HashMap.class, String.class);
 return ois.readObject();
 }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/TestZKConfigurationStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/TestZKConfigurationStore.java
index 880ba77fa51..155996d11fe 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/TestZKConfigurationStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/TestZKConfigurationStore.java
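Review bot: The accept list in deserializeObject is matched by exact class, so it has to name every class in the persisted object graph, not just the top-level LinkedList; a LogMutation field whose runtime type is anything other than LinkedList, HashMap or String would be rejected with an InvalidClassException, and nothing in the hunk records that coupling. I'd put a comment above `ois.accept(...)`: `// Allow-list for Java deserialization of the ZK-persisted mutation log: every class in the` / `// serialized graph must be named here, so keep it in sync with the fields of LogMutation.` The method only throws, so whichever caller turns that exception into the null that testDeserializationIsNotVulnerable asserts on (outside this hunk, presumably retrieve()) should log the rejection at WARN with the offending class name, since a rejected payload means the ZK node holds bytes the RM never wrote. The stray `;` before `) {` in the try-with-resources header is pre-existing but could be dropped while the line is being rewritten.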
@@ -42,15 +42,18 @@ import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.conf.Yar
 import org.apache.hadoop.yarn.webapp.dao.QueueConfigInfo;
 import org.apache.hadoop.yarn.webapp.dao.SchedConfUpdateInfo;
 import org.junit.After;
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import java.io.File;
 import java.io.IOException;
 import java.io.ByteArrayOutputStream;
 import java.io.ObjectOutputStream;
 import java.util.Arrays;
+import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
@@ -67,6 +70,9 @@ public class TestZKConfigurationStore extends
 LoggerFactory.getLogger(TestZKConfigurationStore.class);
 private static final int ZK_TIMEOUT_MS = 10000;
+ private static final String DESERIALIZATION_VULNERABILITY_FILEPATH =
+ "/tmp/ZK_DESERIALIZATION_VULNERABILITY";
+
 private TestingServer curatorTestingServer;
 private CuratorFramework curatorFramework;
 private ResourceManager rm;
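Review bot: DESERIALIZATION_VULNERABILITY_FILEPATH is a fixed path under /tmp, which is shared between users and between concurrent test JVMs on the same host; if another run or another user already owns that file, `Assert.assertTrue(flagFile.delete())` in testDeserializationIsNotVulnerable fails before the behaviour under test is reached, and a leftover from a concurrent run can fail the final assertion. The path cannot be derived from java.io.tmpdir at runtime because it is part of the serialized fixture, so that constraint deserves a comment on the constant: `// Must match the path embedded in the serialized fixture used by testDeserializationIsNotVulnerable;` / `// it is fixed at /tmp because the fixture cannot be parameterised at runtime.` A per-run unique location would remove the cross-run interference but needs a different fixture, so at minimum the coupling should be made explicit.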
@@ -401,6 +407,35 @@ public class TestZKConfigurationStore extends
 rm2.close();
 }
+ @Test(timeout = 3000)
+ @SuppressWarnings("checkstyle:linelength")
+ public void testDeserializationIsNotVulnerable() throws Exception {
+ confStore.initialize(conf, schedConf, rmContext);
+ String confStorePath = getZkPath("CONF_STORE");
+
+ File flagFile = new File(DESERIALIZATION_VULNERABILITY_FILEPATH);
+ if (flagFile.exists()) {
+ Assert.assertTrue(flagFile.delete());
+ }
+
+ // Generated using ysoserial (https://github.com/frohoff/ysoserial)
+ // java -jar ysoserial.jar CommonsBeanutils1 'touch /tmp/ZK_DESERIALIZATION_VULNERABILITY' | base64
+ ((ZKConfigurationStore) confStore).setZkData(confStorePath, Base64.getDecoder().decode("rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgA/b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmNvbXBhcmF0b3JzLkNvbXBhcmFibGVDb21wYXJhdG9y+/SZJbhusTcCAAB4cHQAEG91dHB1dFByb3BlcnRp [...]
+ Assert.assertNull(confStore.retrieve());
+
+ if (!System.getProperty("os.name").startsWith("Windows")) {
+ for (int i = 0; i < 20; ++i) {
+ if (flagFile.exists()) {
+ continue;
+ }
+ Thread.sleep(100);
+ }
+
+ Assert.assertFalse("The file '" + DESERIALIZATION_VULNERABILITY_FILEPATH
+ + "' should not have been created by deserialization attack", flagFile.exists());
+ }
+ }
+
 @Override
 public YarnConfigurationStore createConfStore() {
 return new ZKConfigurationStore();
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-commits-h...@hadoop.apache.org
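Review bot: The polling loop in testDeserializationIsNotVulnerable never exits early: `continue` in `if (flagFile.exists()) { continue; }` only skips the sleep, so all 20 iterations always run, and in the expected (safe) case the loop sleeps the full 2 s under a 3 s `@Test(timeout)` that also has to cover confStore.initialize and the ZK round trip, which is tight on a loaded CI host; the intended statement is `break;`. More importantly, the test only proves that a side effect did not occur: if the gadget chain's classes are absent from the test classpath, the file is never created whether or not ValidatingObjectInputStream rejects anything, so the allow-list itself is not exercised. A companion test that stores a harmless but non-allow-listed serialized object and asserts it is rejected pins the fix independently of the classpath; a sketch follows, where the expectation that a rejected payload surfaces as a null retrieve() is inferred from this hunk's own `Assert.assertNull(confStore.retrieve())`. The flag file is also only removed at the start, so a failing run leaves it in /tmp for the next one; deleting it in a finally block avoids that.
```java
  @Test(timeout = 3000)
  public void testDeserializationRejectsNonAllowListedClass() throws Exception {
    confStore.initialize(conf, schedConf, rmContext);
    String confStorePath = getZkPath("CONF_STORE");

    // Benign object whose class is not on the ValidatingObjectInputStream accept list.
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
      oos.writeObject(new java.util.ArrayList<String>());
    }
    ((ZKConfigurationStore) confStore).setZkData(confStorePath, baos.toByteArray());

    // A rejected payload must not come back as a mutation log.
    Assert.assertNull(confStore.retrieve());
  }
```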