Repository: activemq Updated Branches: refs/heads/activemq-5.12.x d5f6b0297 -> 82e12f0e5
https://issues.apache.org/jira/browse/AMQ-6013 - restrict classes which can be serialized inside the broker Project: http://git-wip-us.apache.org/repos/asf/activemq/repo Commit: http://git-wip-us.apache.org/repos/asf/activemq/commit/e7a4b53f Tree: http://git-wip-us.apache.org/repos/asf/activemq/tree/e7a4b53f Diff: http://git-wip-us.apache.org/repos/asf/activemq/diff/e7a4b53f Branch: refs/heads/activemq-5.12.x Commit: e7a4b53f799685e337972dd36ba0253c04bcc01f Parents: d5f6b02 Author: Dejan Bosanac <de...@nighttale.net> Authored: Fri Oct 16 15:44:02 2015 +0200 Committer: Daniel Kulp <dk...@apache.org> Committed: Thu Dec 3 19:22:30 2015 +0100 ---------------------------------------------------------------------- .../ClassLoadingAwareObjectInputStream.java | 54 ++++++++++++++++++-- .../transport/xstream/XStreamWireFormat.java | 14 +++-- .../transport/stomp/JmsFrameTranslator.java | 4 +- .../transport/stomp/XStreamSupport.java | 47 +++++++++++++++++ .../transport/stomp/StompTestSupport.java | 2 +- .../stomp/util/XStreamBrokerContext.java | 3 +- .../org/apache/activemq/web/MessageQuery.java | 4 +- 7 files changed, 114 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/activemq/blob/e7a4b53f/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java ---------------------------------------------------------------------- diff --git a/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java b/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java index 74dcdf8..f8a7d0c 100644 --- a/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java +++ b/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java @@ -21,6 +21,9 @@ import java.io.InputStream; import java.io.ObjectInputStream; import java.io.ObjectStreamClass; import java.lang.reflect.Proxy; +import java.util.Arrays; +import java.util.Collection; +import java.util.Map; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -31,6 +34,8 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream { private static final ClassLoader FALLBACK_CLASS_LOADER = ClassLoadingAwareObjectInputStream.class.getClassLoader(); + private static String[] serializablePackages; + private final ClassLoader inLoader; public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException { @@ -41,7 +46,9 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream { @Override protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException { ClassLoader cl = Thread.currentThread().getContextClassLoader(); - return load(classDesc.getName(), cl, inLoader); + Class clazz = load(classDesc.getName(), cl, inLoader); + checkSecurity(clazz); + return clazz; } @Override @@ -52,21 +59,58 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream { cinterfaces[i] = load(interfaces[i], cl); } + Class clazz = null; try { - return Proxy.getProxyClass(cl, cinterfaces); + clazz = Proxy.getProxyClass(cl, cinterfaces); } catch (IllegalArgumentException e) { try { - return Proxy.getProxyClass(inLoader, cinterfaces); + clazz = Proxy.getProxyClass(inLoader, cinterfaces); } catch (IllegalArgumentException e1) { // ignore } try { - return Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces); + clazz = Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces); } catch (IllegalArgumentException e2) { // ignore } + } + + if (clazz != null) { + checkSecurity(clazz); + return clazz; + } else { + throw new ClassNotFoundException(null); + } + } + + public static String[] getSerialziablePackages() { + if (serializablePackages == null) { + serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", + "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(","); + } + + return serializablePackages; + }; - throw new ClassNotFoundException(null, e); + public static boolean isAllAllowed() { + return getSerialziablePackages().length == 1 && getSerialziablePackages()[0].equals("*"); + } + + private void checkSecurity(Class clazz) throws ClassNotFoundException { + if (!clazz.isPrimitive()) { + if (clazz.getPackage() != null && !isAllAllowed()) { + boolean found = false; + for (String packageName : getSerialziablePackages()) { + if (clazz.getPackage().getName().equals(packageName) || clazz.getPackage().getName().startsWith(packageName + ".")) { + found = true; + break; + } + } + + if (!found) { + throw new ClassNotFoundException("Forbidden " + clazz + "! This class is not allowed to be serialized. Add package with 'org.apache.activemq.SERIALIZABLE_PACKAGES' system property."); + } + } } } http://git-wip-us.apache.org/repos/asf/activemq/blob/e7a4b53f/activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java ---------------------------------------------------------------------- diff --git a/activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java b/activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java index de437c9..76a5873 100755 --- a/activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java +++ b/activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java @@ -19,8 +19,17 @@ package org.apache.activemq.transport.xstream; import java.io.IOException; import java.io.Reader; +<<<<<<< HEAD +======= +import com.thoughtworks.xstream.converters.Converter; +import com.thoughtworks.xstream.converters.MarshallingContext; +import com.thoughtworks.xstream.converters.UnmarshallingContext; +import com.thoughtworks.xstream.io.HierarchicalStreamReader; +import com.thoughtworks.xstream.io.HierarchicalStreamWriter; +>>>>>>> a7e2a44... https://issues.apache.org/jira/browse/AMQ-6013 - restrict classes which can be serialized inside the broker import org.apache.activemq.command.MarshallAware; import org.apache.activemq.command.MessageDispatch; +import org.apache.activemq.transport.stomp.XStreamSupport; import org.apache.activemq.transport.util.TextWireFormat; import org.apache.activemq.wireformat.WireFormat; @@ -93,8 +102,7 @@ public class XStreamWireFormat extends TextWireFormat { } // Properties - // ------------------------------------------------------------------------- - public XStream getXStream() { + // -------------------------------------------------activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java if (xStream == null) { xStream = createXStream(); // make it work in OSGi env @@ -110,7 +118,7 @@ public class XStreamWireFormat extends TextWireFormat { // Implementation methods // ------------------------------------------------------------------------- protected XStream createXStream() { - XStream xstream = new XStream(); + final XStream xstream = XStreamSupport.createXStream(); xstream.ignoreUnknownElements(); return xstream; } http://git-wip-us.apache.org/repos/asf/activemq/blob/e7a4b53f/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java ---------------------------------------------------------------------- diff --git a/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java b/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java index 3525b23..3504182 100644 --- a/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java +++ b/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java @@ -91,7 +91,7 @@ public class JmsFrameTranslator extends LegacyFrameTranslator implements BrokerC msg = createMapMessage(in); break; default: - throw new Exception("Unkown transformation: " + transformation); + throw new Exception("Unknown transformation: " + transformation); } } catch (Throwable e) { command.getHeaders().put(Headers.TRANSFORMATION_ERROR, e.getMessage()); @@ -254,7 +254,7 @@ public class JmsFrameTranslator extends LegacyFrameTranslator implements BrokerC } if (xstream == null) { - xstream = new XStream(); + xstream = XStreamSupport.createXStream(); xstream.ignoreUnknownElements(); } http://git-wip-us.apache.org/repos/asf/activemq/blob/e7a4b53f/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java ---------------------------------------------------------------------- diff --git a/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java b/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java new file mode 100644 index 0000000..94ae7b7 --- /dev/null +++ b/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java @@ -0,0 +1,47 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.transport.stomp; + +import com.thoughtworks.xstream.XStream; +import com.thoughtworks.xstream.security.AnyTypePermission; +import com.thoughtworks.xstream.security.NoTypePermission; +import com.thoughtworks.xstream.security.PrimitiveTypePermission; +import org.apache.activemq.util.ClassLoadingAwareObjectInputStream; + +import java.util.Collection; +import java.util.Map; + +public class XStreamSupport { + + public static XStream createXStream() { + XStream stream = new XStream(); + stream.addPermission(NoTypePermission.NONE); + stream.addPermission(PrimitiveTypePermission.PRIMITIVES); + stream.allowTypeHierarchy(Collection.class); + stream.allowTypeHierarchy(Map.class); + stream.allowTypes(new Class[]{String.class}); + if (ClassLoadingAwareObjectInputStream.isAllAllowed()) { + stream.addPermission(AnyTypePermission.ANY); + } else { + for (String packageName : ClassLoadingAwareObjectInputStream.getSerialziablePackages()) { + stream.allowTypesByWildcard(new String[]{packageName + ".**"}); + } + } + return stream; + } + +} http://git-wip-us.apache.org/repos/asf/activemq/blob/e7a4b53f/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java ---------------------------------------------------------------------- diff --git a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java index 0bf1928..b48ddb7 100644 --- a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java +++ b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java @@ -111,7 +111,7 @@ public class StompTestSupport { } public void startBroker() throws Exception { - + System.setProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", "*"); createBroker(true); XStreamBrokerContext context = new XStreamBrokerContext(); http://git-wip-us.apache.org/repos/asf/activemq/blob/e7a4b53f/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/util/XStreamBrokerContext.java ---------------------------------------------------------------------- diff --git a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/util/XStreamBrokerContext.java b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/util/XStreamBrokerContext.java index 2b1243e..5648225 100644 --- a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/util/XStreamBrokerContext.java +++ b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/util/XStreamBrokerContext.java @@ -23,6 +23,7 @@ import org.apache.activemq.broker.BrokerContext; import org.apache.activemq.transport.stomp.SamplePojo; import com.thoughtworks.xstream.XStream; +import org.apache.activemq.transport.stomp.XStreamSupport; public class XStreamBrokerContext implements BrokerContext { @@ -30,7 +31,7 @@ public class XStreamBrokerContext implements BrokerContext { public XStreamBrokerContext() { - XStream stream = new XStream(); + XStream stream = XStreamSupport.createXStream(); stream.processAnnotations(SamplePojo.class); beansMap.put("xstream", stream); http://git-wip-us.apache.org/repos/asf/activemq/blob/e7a4b53f/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java ---------------------------------------------------------------------- diff --git a/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java b/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java index 040fb60..e416e52 100644 --- a/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java +++ b/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java @@ -81,9 +81,9 @@ public class MessageQuery extends QueueBrowseQuery { if (message instanceof ObjectMessage) { try { return ((ObjectMessage) message).getObject(); - } catch (JMSException e) { + } catch (Exception e) { //message could not be parsed, make the reason available - return e; + return new String("Cannot display ObjectMessage body. Reason: " + e.getMessage()); } } if (message instanceof MapMessage) {
