https://issues.apache.org/jira/browse/AMQ-6013 - restrict classes which can be serialized inside the broker

activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java

@@ -21,6 +21,9 @@ import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
 import java.lang.reflect.Proxy;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Map;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -31,6 +34,8 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream {
     private static final ClassLoader FALLBACK_CLASS_LOADER =
         ClassLoadingAwareObjectInputStream.class.getClassLoader();
 
+    private static String[] serializablePackages;
+
     private final ClassLoader inLoader;
 
     public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException {
@@ -41,7 +46,9 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream {
     @Override
     protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
         ClassLoader cl = Thread.currentThread().getContextClassLoader();
-        return load(classDesc.getName(), cl, inLoader);
+        Class clazz = load(classDesc.getName(), cl, inLoader);
+        checkSecurity(clazz);
+        return clazz;
     }
 
     @Override
@@ -52,21 +59,58 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream {
             cinterfaces[i] = load(interfaces[i], cl);
         }
 
+        Class clazz = null;
         try {
-            return Proxy.getProxyClass(cl, cinterfaces);
+            clazz = Proxy.getProxyClass(cl, cinterfaces);
         } catch (IllegalArgumentException e) {
             try {
-                return Proxy.getProxyClass(inLoader, cinterfaces);
+                clazz = Proxy.getProxyClass(inLoader, cinterfaces);
             } catch (IllegalArgumentException e1) {
                 // ignore
             }
             try {
-                return Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces);
+                clazz = Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces);
             } catch (IllegalArgumentException e2) {
                 // ignore
             }
+        }
 
-            throw new ClassNotFoundException(null, e);
+        if (clazz != null) {
+            checkSecurity(clazz);
+            return clazz;
+        } else {
+            throw new ClassNotFoundException(null);
+        }
+    }
+
+    public static String[] getSerialziablePackages() {
+       if (serializablePackages == null) {
+           serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES",
+                       "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");
+       }
+
+       return serializablePackages;
+    };
+
+    public static boolean isAllAllowed() {
+        return getSerialziablePackages().length == 1 && getSerialziablePackages()[0].equals("*");
+    }
+
+    private void checkSecurity(Class clazz) throws ClassNotFoundException {
+        if (!clazz.isPrimitive()) {
+            if (clazz.getPackage() != null && !isAllAllowed()) {
+               boolean found = false;
+               for (String packageName : getSerialziablePackages()) {
+                   if (clazz.getPackage().getName().equals(packageName) || clazz.getPackage().getName().startsWith(packageName + ".")) {
+                       found = true;
+                       break;
+                   }
+               }
+
+               if (!found) {
+                   throw new ClassNotFoundException("Forbidden " + clazz + "! This class is not allowed to be serialized. Add package with 'org.apache.activemq.SERIALIZABLE_PACKAGES' system property.");
+               }
+            }
         }
     }
 

activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java

@@ -19,8 +19,17 @@ package org.apache.activemq.transport.xstream;
 import java.io.IOException;
 import java.io.Reader;
 
+<<<<<<< HEAD
+=======
+import com.thoughtworks.xstream.converters.Converter;
+import com.thoughtworks.xstream.converters.MarshallingContext;
+import com.thoughtworks.xstream.converters.UnmarshallingContext;
+import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+>>>>>>> a7e2a44... https://issues.apache.org/jira/browse/AMQ-6013 - restrict classes which can be serialized inside the broker
 import org.apache.activemq.command.MarshallAware;
 import org.apache.activemq.command.MessageDispatch;
+import org.apache.activemq.transport.stomp.XStreamSupport;
 import org.apache.activemq.transport.util.TextWireFormat;
 import org.apache.activemq.wireformat.WireFormat;
 
@@ -93,8 +102,7 @@ public class XStreamWireFormat extends TextWireFormat {
     }
 
     // Properties
-    // -------------------------------------------------------------------------
+    // -------------------------------------------------activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java
-    public XStream getXStream() {
         if (xStream == null) {
             xStream = createXStream();
             // make it work in OSGi env
@@ -110,7 +118,7 @@ public class XStreamWireFormat extends TextWireFormat {
     // Implementation methods
     // -------------------------------------------------------------------------
     protected XStream createXStream() {
-        XStream xstream = new XStream();
+        final XStream xstream = XStreamSupport.createXStream();
         xstream.ignoreUnknownElements();
         return xstream;
     }

activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java

@@ -91,7 +91,7 @@ public class JmsFrameTranslator extends LegacyFrameTranslator implements BrokerC
                         msg = createMapMessage(in);
                         break;
                     default:
-                        throw new Exception("Unkown transformation: " + transformation);
+                        throw new Exception("Unknown transformation: " + transformation);
                 }
             } catch (Throwable e) {
                 command.getHeaders().put(Headers.TRANSFORMATION_ERROR, e.getMessage());
@@ -254,7 +254,7 @@ public class JmsFrameTranslator extends LegacyFrameTranslator implements BrokerC
         }
 
         if (xstream == null) {
-            xstream = new XStream();
+            xstream = XStreamSupport.createXStream();
             xstream.ignoreUnknownElements();
         }
 

activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java

@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.transport.stomp;
+
+import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.security.AnyTypePermission;
+import com.thoughtworks.xstream.security.NoTypePermission;
+import com.thoughtworks.xstream.security.PrimitiveTypePermission;
+import org.apache.activemq.util.ClassLoadingAwareObjectInputStream;
+
+import java.util.Collection;
+import java.util.Map;
+
+public class XStreamSupport {
+
+    public static XStream createXStream() {
+        XStream stream = new XStream();
+        stream.addPermission(NoTypePermission.NONE);
+        stream.addPermission(PrimitiveTypePermission.PRIMITIVES);
+        stream.allowTypeHierarchy(Collection.class);
+        stream.allowTypeHierarchy(Map.class);
+        stream.allowTypes(new Class[]{String.class});
+        if (ClassLoadingAwareObjectInputStream.isAllAllowed()) {
+            stream.addPermission(AnyTypePermission.ANY);
+        } else {
+            for (String packageName : ClassLoadingAwareObjectInputStream.getSerialziablePackages()) {
+                stream.allowTypesByWildcard(new String[]{packageName + ".**"});
+            }
+        }
+        return stream;
+    }
+
+}

activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java

@@ -111,7 +111,7 @@ public class StompTestSupport {
     }
 
     public void startBroker() throws Exception {
-
+        System.setProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", "*");
         createBroker(true);
 
         XStreamBrokerContext context = new XStreamBrokerContext();

activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/util/XStreamBrokerContext.java

@@ -23,6 +23,7 @@ import org.apache.activemq.broker.BrokerContext;
 import org.apache.activemq.transport.stomp.SamplePojo;
 
 import com.thoughtworks.xstream.XStream;
+import org.apache.activemq.transport.stomp.XStreamSupport;
 
 public class XStreamBrokerContext implements BrokerContext {
 
@@ -30,7 +31,7 @@ public class XStreamBrokerContext implements BrokerContext {
 
     public XStreamBrokerContext() {
 
-        XStream stream = new XStream();
+        XStream stream = XStreamSupport.createXStream();
         stream.processAnnotations(SamplePojo.class);
 
         beansMap.put("xstream", stream);

activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java

@@ -81,9 +81,9 @@ public class MessageQuery extends QueueBrowseQuery {
         if (message instanceof ObjectMessage) {
             try {
                 return ((ObjectMessage) message).getObject();
-            } catch (JMSException e) {
+            } catch (Exception e) {
                 //message could not be parsed, make the reason available
-                return e;
+                return new String("Cannot display ObjectMessage body. Reason: " + e.getMessage());
             }
         }
         if (message instanceof MapMessage) {