From e585cd0433ae4cfbc56e58572b9869bd0c86b611 Mon Sep 17 00:00:00 2001 From: Thomas Neidhart Date: Fri, 13 Nov 2015 20:08:45 +0000 Subject: [PATCH] [COLLECTIONS-580] Removed serialization support for the identified unsafe classes in the collections4 branch. git-svn-id: https://svn.apache.org/repos/asf/commons/proper/collections/trunk@1714262 13f79535-47bb-0310-9956-ffa450edef68 --- src/changes/changes.xml | 7 +++++++ .../functors/CloneTransformer.java | 19 ++++++++----------- .../collections4/functors/ForClosure.java | 13 +++++++------ .../functors/InstantiateFactory.java | 12 +++++++----- .../functors/InstantiateTransformer.java | 14 ++++++++------ .../functors/InvokerTransformer.java | 12 +++++++----- .../functors/PrototypeFactory.java | 18 ++++++++++-------- .../collections4/functors/WhileClosure.java | 13 +++++++------ .../collections4/functors/package-info.java | 16 ++++++++++++++++ 9 files changed, 77 insertions(+), 47 deletions(-) diff --git a/src/changes/changes.xml b/src/changes/changes.xml index 61ee47151..19a75b19e 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml @@ -22,6 +22,13 @@ + + Serialization support for unsafe classes in the functor package + has been removed as this can be exploited for remote code execution + attacks. Classes considered to be unsafe are: CloneTransformer, + ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, + PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure. + Subclasses of MultiKey did not re-calculate their hashcode after de-serialization. diff --git a/src/main/java/org/apache/commons/collections4/functors/CloneTransformer.java b/src/main/java/org/apache/commons/collections4/functors/CloneTransformer.java index d99d492ba..4361845a7 100644 --- a/src/main/java/org/apache/commons/collections4/functors/CloneTransformer.java +++ b/src/main/java/org/apache/commons/collections4/functors/CloneTransformer.java 
@@ -16,22 +16,22 @@ */ package org.apache.commons.collections4.functors; -import java.io.Serializable; - import org.apache.commons.collections4.Transformer; /** * Transformer implementation that returns a clone of the input object. *

* Clone is performed using PrototypeFactory.prototypeFactory(input).create(). + *

+ * WARNING: from v4.1 onwards this class will not be serializable anymore + * in order to prevent potential remote code execution exploits. Please refer to + * COLLECTIONS-580 + * for more details. * * @since 3.0 * @version $Id$ */ -public class CloneTransformer implements Transformer, Serializable { - - /** Serial version UID */ - private static final long serialVersionUID = -8188742709499652567L; +public class CloneTransformer implements Transformer { /** Singleton predicate instance */ @SuppressWarnings("rawtypes") // the singleton instance works for all types @@ -46,7 +46,7 @@ public class CloneTransformer implements Transformer, Serializable { */ @SuppressWarnings("unchecked") // the singleton instance works for all types public static Transformer cloneTransformer() { - return (Transformer) INSTANCE; + return INSTANCE; } /** @@ -62,6 +62,7 @@ public class CloneTransformer implements Transformer, Serializable { * @param input the input object to transform * @return the transformed result */ + @Override public T transform(final T input) { if (input == null) { return null; @@ -69,8 +70,4 @@ public class CloneTransformer implements Transformer, Serializable { return PrototypeFactory.prototypeFactory(input).create(); } - private Object readResolve() { - return INSTANCE; - } - } diff --git a/src/main/java/org/apache/commons/collections4/functors/ForClosure.java b/src/main/java/org/apache/commons/collections4/functors/ForClosure.java index da2ecf0e3..e2e945949 100644 --- a/src/main/java/org/apache/commons/collections4/functors/ForClosure.java +++ b/src/main/java/org/apache/commons/collections4/functors/ForClosure.java @@ -16,20 +16,20 @@ */ package org.apache.commons.collections4.functors; -import java.io.Serializable; - import org.apache.commons.collections4.Closure; /** * Closure implementation that calls another closure n times, like a for loop. + *
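Review bot: The new WARNING paragraph says the class is no longer serializable but not what that means for callers: once CloneTransformer stops implementing Serializable, any still-serializable object graph that holds an instance fails at write time with `java.io.NotSerializableException`, which is a behaviour change worth stating so that users know the failure is detected on serialization rather than on deserialization. I would add one sentence to the Javadoc: `* Attempting to serialize an object graph that contains this transformer now fails with a NotSerializableException.` The same paragraph is added in the ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeFactory and WhileClosure hunks, so the sentence belongs in each of them. The remainder of the class body lies outside this hunk.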

+ * WARNING: from v4.1 onwards this class will not be serializable anymore + * in order to prevent potential remote code execution exploits. Please refer to + * COLLECTIONS-580 + * for more details. * * @since 3.0 * @version $Id$ */ -public class ForClosure implements Closure, Serializable { - - /** Serial version UID */ - private static final long serialVersionUID = -1190120533393621674L; +public class ForClosure implements Closure { /** The number of times to loop */ private final int iCount; @@ -76,6 +76,7 @@ public class ForClosure implements Closure, Serializable { * * @param input the input object */ + @Override public void execute(final E input) { for (int i = 0; i < iCount; i++) { iClosure.execute(input); diff --git a/src/main/java/org/apache/commons/collections4/functors/InstantiateFactory.java b/src/main/java/org/apache/commons/collections4/functors/InstantiateFactory.java index 1179b5e71..457643c89 100644 --- a/src/main/java/org/apache/commons/collections4/functors/InstantiateFactory.java +++ b/src/main/java/org/apache/commons/collections4/functors/InstantiateFactory.java @@ -16,7 +16,6 @@ */ package org.apache.commons.collections4.functors; -import java.io.Serializable; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationTargetException; @@ -25,14 +24,16 @@ import org.apache.commons.collections4.FunctorException; /** * Factory implementation that creates a new object instance by reflection. + *

+ * WARNING: from v4.1 onwards this class will not be serializable anymore + * in order to prevent potential remote code execution exploits. Please refer to + * COLLECTIONS-580 + * for more details. * * @since 3.0 * @version $Id$ */ -public class InstantiateFactory implements Factory, Serializable { - - /** The serial version */ - private static final long serialVersionUID = -7732226881069447957L; +public class InstantiateFactory implements Factory { /** The class to create */ private final Class iClassToInstantiate; @@ -118,6 +119,7 @@ public class InstantiateFactory implements Factory, Serializable { * * @return the new object */ + @Override public T create() { // needed for post-serialization if (iConstructor == null) { diff --git a/src/main/java/org/apache/commons/collections4/functors/InstantiateTransformer.java b/src/main/java/org/apache/commons/collections4/functors/InstantiateTransformer.java index e5a000ea0..757f2a9ac 100644 --- a/src/main/java/org/apache/commons/collections4/functors/InstantiateTransformer.java +++ b/src/main/java/org/apache/commons/collections4/functors/InstantiateTransformer.java @@ -16,7 +16,6 @@ */ package org.apache.commons.collections4.functors; -import java.io.Serializable; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationTargetException; @@ -25,14 +24,16 @@ import org.apache.commons.collections4.Transformer; /** * Transformer implementation that creates a new object instance by reflection. + *
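Review bot: The `// needed for post-serialization` comment kept above `if (iConstructor == null) {` in InstantiateFactory.create() is now stale: with Serializable removed in the hunk above, an instance can no longer arrive through deserialization with a null constructor field, so the comment no longer explains why the null check exists. Either document the remaining reason for the lazy lookup, e.g. `// resolve the constructor lazily if it was not looked up at construction time`, or drop the check if construction always populates the field; if `iConstructor` is still declared `transient`, that modifier is likewise meaningless now, but the field declaration is not visible from this hunk. PrototypeCloneFactory.create() in the PrototypeFactory hunk carries the same comment and needs the same treatment. The body of create() continues past the end of this hunk.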

+ * WARNING: from v4.1 onwards this class will not be serializable anymore + * in order to prevent potential remote code execution exploits. Please refer to + * COLLECTIONS-580 + * for more details. * * @since 3.0 * @version $Id$ */ -public class InstantiateTransformer implements Transformer, T>, Serializable { - - /** The serial version */ - private static final long serialVersionUID = 3786388740793356347L; +public class InstantiateTransformer implements Transformer, T> { /** Singleton instance that uses the no arg constructor */ @SuppressWarnings("rawtypes") @@ -51,7 +52,7 @@ public class InstantiateTransformer implements Transformer */ @SuppressWarnings("unchecked") public static Transformer, T> instantiateTransformer() { - return (Transformer, T>) NO_ARG_INSTANCE; + return NO_ARG_INSTANCE; } /** @@ -107,6 +108,7 @@ public class InstantiateTransformer implements Transformer * @param input the input object to transform * @return the transformed result */ + @Override public T transform(final Class input) { try { if (input == null) { diff --git a/src/main/java/org/apache/commons/collections4/functors/InvokerTransformer.java b/src/main/java/org/apache/commons/collections4/functors/InvokerTransformer.java index 09d79ef2d..45d90b2ff 100644 --- a/src/main/java/org/apache/commons/collections4/functors/InvokerTransformer.java +++ b/src/main/java/org/apache/commons/collections4/functors/InvokerTransformer.java @@ -16,7 +16,6 @@ */ package org.apache.commons.collections4.functors; -import java.io.Serializable; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; @@ -25,14 +24,16 @@ import org.apache.commons.collections4.Transformer; /** * Transformer implementation that creates a new object instance by reflection. + *

+ * WARNING: from v4.1 onwards this class will not be serializable anymore + * in order to prevent potential remote code execution exploits. Please refer to + * COLLECTIONS-580 + * for more details. * * @since 3.0 * @version $Id$ */ -public class InvokerTransformer implements Transformer, Serializable { - - /** The serial version */ - private static final long serialVersionUID = -8653385846894047688L; +public class InvokerTransformer implements Transformer { /** The method name to call */ private final String iMethodName; @@ -121,6 +122,7 @@ public class InvokerTransformer implements Transformer, Serializable * @param input the input object to transform * @return the transformed result, null if null input */ + @Override @SuppressWarnings("unchecked") public O transform(final Object input) { if (input == null) { diff --git a/src/main/java/org/apache/commons/collections4/functors/PrototypeFactory.java b/src/main/java/org/apache/commons/collections4/functors/PrototypeFactory.java index 9d808c4ef..13186cd31 100644 --- a/src/main/java/org/apache/commons/collections4/functors/PrototypeFactory.java +++ b/src/main/java/org/apache/commons/collections4/functors/PrototypeFactory.java @@ -30,6 +30,12 @@ import org.apache.commons.collections4.FunctorException; /** * Factory implementation that creates a new instance each time based on a prototype. + *
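Review bot: The summary sentence directly above the new WARNING paragraph, `Transformer implementation that creates a new object instance by reflection.`, describes InstantiateTransformer rather than this class; the `iMethodName` field shown in the same hunk indicates that InvokerTransformer invokes a named method on its input. Since the commit rewrites this Javadoc anyway, I would correct it to `* Transformer implementation that invokes a method on the input object by reflection.` It would also help callers to note that, although the class is no longer serializable, the reflective invocation itself still runs with whatever method name and arguments the instance was constructed with, so those values should come from trusted code rather than from external input.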

+ * WARNING: from v4.1 onwards {@link Factory} instances returned by + * {@link #prototypeFactory(Object)} will not be serializable anymore in order + * to prevent potential remote code execution exploits. Please refer to + * COLLECTIONS-580 + * for more details. * * @since 3.0 * @version $Id$ @@ -91,10 +97,7 @@ public class PrototypeFactory { /** * PrototypeCloneFactory creates objects by copying a prototype using the clone method. */ - static class PrototypeCloneFactory implements Factory, Serializable { - - /** The serial version */ - private static final long serialVersionUID = 5604271422565175555L; + static class PrototypeCloneFactory implements Factory { /** The object to clone each time */ private final T iPrototype; @@ -126,6 +129,7 @@ public class PrototypeFactory { * * @return the new object */ + @Override @SuppressWarnings("unchecked") public T create() { // needed for post-serialization @@ -148,10 +152,7 @@ public class PrototypeFactory { /** * PrototypeSerializationFactory creates objects by cloning a prototype using serialization. */ - static class PrototypeSerializationFactory implements Factory, Serializable { - - /** The serial version */ - private static final long serialVersionUID = -8704966966139178833L; + static class PrototypeSerializationFactory implements Factory { /** The object to clone via serialization each time */ private final T iPrototype; @@ -169,6 +170,7 @@ public class PrototypeFactory { * * @return the new object */ + @Override @SuppressWarnings("unchecked") public T create() { final ByteArrayOutputStream baos = new ByteArrayOutputStream(512); diff --git a/src/main/java/org/apache/commons/collections4/functors/WhileClosure.java b/src/main/java/org/apache/commons/collections4/functors/WhileClosure.java index 525bc9a90..8f1834907 100644 --- a/src/main/java/org/apache/commons/collections4/functors/WhileClosure.java +++ b/src/main/java/org/apache/commons/collections4/functors/WhileClosure.java 
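Review bot: PrototypeFactory's import block is not touched by this commit, yet the only visible uses of Serializable in this file, the implements clauses of PrototypeCloneFactory and PrototypeSerializationFactory, are removed in the hunks below; unless prototypeFactory(Object) still refers to the type outside these hunks (for instance when selecting the serialization-based factory), `import java.io.Serializable;` is now unused and should be dropped — confirm against the rest of the file. Separately, the PrototypeSerializationFactory Javadoc `creates objects by cloning a prototype using serialization` is easy to misread next to the new class-level warning; I would append `This factory is itself not Serializable; serialization is only used internally to copy the prototype.` so that "using serialization" is not taken to contradict the warning.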
@@ -16,22 +16,22 @@ */ package org.apache.commons.collections4.functors; -import java.io.Serializable; - import org.apache.commons.collections4.Closure; import org.apache.commons.collections4.Predicate; /** * Closure implementation that executes a closure repeatedly until a condition is met, * like a do-while or while loop. + *

+ * WARNING: from v4.1 onwards this class will not be serializable anymore + * in order to prevent potential remote code execution exploits. Please refer to + * COLLECTIONS-580 + * for more details. * * @since 3.0 * @version $Id$ */ -public class WhileClosure implements Closure, Serializable { - - /** Serial version UID */ - private static final long serialVersionUID = -3110538116913760108L; +public class WhileClosure implements Closure { /** The test condition */ private final Predicate iPredicate; @@ -81,6 +81,7 @@ public class WhileClosure implements Closure, Serializable { * * @param input the input object */ + @Override public void execute(final E input) { if (iDoLoop) { iClosure.execute(input); diff --git a/src/main/java/org/apache/commons/collections4/functors/package-info.java b/src/main/java/org/apache/commons/collections4/functors/package-info.java index 198fc541c..c30ba19b7 100644 --- a/src/main/java/org/apache/commons/collections4/functors/package-info.java +++ b/src/main/java/org/apache/commons/collections4/functors/package-info.java @@ -21,6 +21,22 @@ * {@link org.apache.commons.collections4.Transformer Transformer} and * {@link org.apache.commons.collections4.Factory Factory} interfaces. * These provide simple callbacks for processing with collections. + *

+ * WARNING: from v4.1 onwards several unsafe classes in this package + * will not be serializable anymore in order to prevent potential remote + * code execution exploits. + *

+ * Classes considered to be unsafe are: + *

* * @version $Id$ */