AMQ-7438 - Harden deserialization

This commit is contained in:
Colm O hEigeartaigh 2020-03-06 17:22:07 +00:00
parent c0e7949468
commit a73a85e6c2
3 changed files with 41 additions and 61 deletions

View File

@ -20,8 +20,11 @@ import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
@ -192,7 +195,7 @@ public class SubQueueSelectorCacheBroker extends BrokerFilter implements Runnabl
if (persistFile != null && persistFile.exists()) {
try {
try (FileInputStream fis = new FileInputStream(persistFile);) {
ObjectInputStream in = new ObjectInputStream(fis);
ObjectInputStream in = new SubSelectorClassObjectInputStream(fis);
try {
LOG.debug("Reading selector cache....");
subSelectorCache = (ConcurrentHashMap<String, Set<String>>) in.readObject();
@ -365,4 +368,19 @@ public class SubQueueSelectorCacheBroker extends BrokerFilter implements Runnabl
return false;
}
}
private static class SubSelectorClassObjectInputStream extends ObjectInputStream {
public SubSelectorClassObjectInputStream(InputStream is) throws IOException {
super(is);
}
@Override
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
if (!(desc.getName().equals("java.lang.String") || desc.getName().startsWith("java.util."))) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
}
return super.resolveClass(desc);
}
}
}

View File

@ -27,8 +27,10 @@ import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InterruptedIOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.OutputStream;
import java.util.ArrayList;
import java.util.Arrays;
@ -805,7 +807,7 @@ public abstract class MessageDatabase extends ServiceSupport implements BrokerSe
if (metadata.producerSequenceIdTrackerLocation != null) {
try {
KahaProducerAuditCommand audit = (KahaProducerAuditCommand) load(metadata.producerSequenceIdTrackerLocation);
ObjectInputStream objectIn = new ObjectInputStream(audit.getAudit().newInput());
ObjectInputStream objectIn = new MessageDatabaseObjectInputStream(audit.getAudit().newInput());
int maxNumProducers = getMaxFailoverProducersToTrack();
int maxAuditDepth = getFailoverProducersAuditDepth();
metadata.producerSequenceIdTracker = (ActiveMQMessageAuditNoSync) objectIn.readObject();
@ -826,7 +828,7 @@ public abstract class MessageDatabase extends ServiceSupport implements BrokerSe
if (metadata.ackMessageFileMapLocation != null) {
try {
KahaAckMessageFileMapCommand audit = (KahaAckMessageFileMapCommand) load(metadata.ackMessageFileMapLocation);
ObjectInputStream objectIn = new ObjectInputStream(audit.getAckMessageFileMap().newInput());
ObjectInputStream objectIn = new MessageDatabaseObjectInputStream(audit.getAckMessageFileMap().newInput());
metadata.ackMessageFileMap = (Map<Integer, Set<Integer>>) objectIn.readObject();
metadata.ackMessageFileMapDirtyFlag.lazySet(true);
requiresReplay = false;
@ -4114,7 +4116,7 @@ public abstract class MessageDatabase extends ServiceSupport implements BrokerSe
byte[] data = new byte[dataLen];
dataIn.readFully(data);
ByteArrayInputStream bais = new ByteArrayInputStream(data);
ObjectInputStream oin = new ObjectInputStream(bais);
ObjectInputStream oin = new MessageDatabaseObjectInputStream(bais);
try {
return (HashSet<String>) oin.readObject();
} catch (ClassNotFoundException cfe) {
@ -4227,4 +4229,21 @@ public abstract class MessageDatabase extends ServiceSupport implements BrokerSe
public void setEnableSubscriptionStatistics(boolean enableSubscriptionStatistics) {
this.enableSubscriptionStatistics = enableSubscriptionStatistics;
}
private static class MessageDatabaseObjectInputStream extends ObjectInputStream {
public MessageDatabaseObjectInputStream(InputStream is) throws IOException {
super(is);
}
@Override
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
if (!(desc.getName().startsWith("java.lang.") || desc.getName().startsWith("java.util.")
|| desc.getName().startsWith("org.apache.activemq."))) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
}
return super.resolveClass(desc);
}
}
}

View File

@ -1,57 +0,0 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.activemq.store.kahadb.disk.util;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
/**
* Implementation of a Marshaller for Objects
*
*
*/
public class ObjectMarshaller extends VariableMarshaller<Object> {
public void writePayload(Object object, DataOutput dataOut) throws IOException {
ByteArrayOutputStream bytesOut = new ByteArrayOutputStream();
ObjectOutputStream objectOut = new ObjectOutputStream(bytesOut);
objectOut.writeObject(object);
objectOut.close();
byte[] data = bytesOut.toByteArray();
dataOut.writeInt(data.length);
dataOut.write(data);
}
public Object readPayload(DataInput dataIn) throws IOException {
int size = dataIn.readInt();
byte[] data = new byte[size];
dataIn.readFully(data);
ByteArrayInputStream bytesIn = new ByteArrayInputStream(data);
ObjectInputStream objectIn = new ObjectInputStream(bytesIn);
try {
return objectIn.readObject();
} catch (ClassNotFoundException e) {
throw new IOException(e.getMessage());
}
}
}