[COLLECTIONS-580] Removed serialization support for the identified unsafe classes in the collections4 branch.

git-svn-id: https://svn.apache.org/repos/asf/commons/proper/collections/trunk@1714262 13f79535-47bb-0310-9956-ffa450edef68

src/changes/changes.xml

@@ -22,6 +22,13 @@
   <body>
 
   <release version="4.1" date="TBD" description="">
+    <action issue="COLLECTIONS-580" dev="tn" type="update">
+      Serialization support for unsafe classes in the functor package
+      has been removed as this can be exploited for remote code execution
+      attacks. Classes considered to be unsafe are: CloneTransformer,
+      ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer,
+      PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure.
+    </action>
     <action issue="COLLECTIONS-576" dev="tn" type="fix" due-to="Stephan Roch">
       Subclasses of MultiKey did not re-calculate their hashcode after de-serialization.
     </action>

src/main/java/org/apache/commons/collections4/functors/CloneTransformer.java

@@ -16,22 +16,22 @@
  */
 package org.apache.commons.collections4.functors;
 
-import java.io.Serializable;
-
 import org.apache.commons.collections4.Transformer;
 
 /**
  * Transformer implementation that returns a clone of the input object.
  * <p>
  * Clone is performed using <code>PrototypeFactory.prototypeFactory(input).create()</code>.
+ * <p>
+ * <b>WARNING:</b> from v4.1 onwards this class will <b>not</b> be serializable anymore
+ * in order to prevent potential remote code execution exploits. Please refer to
+ * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a>
+ * for more details.
  *
  * @since 3.0
  * @version $Id$
  */
-public class CloneTransformer<T> implements Transformer<T, T>, Serializable {
+public class CloneTransformer<T> implements Transformer<T, T> {
-
-    /** Serial version UID */
-    private static final long serialVersionUID = -8188742709499652567L;
 
     /** Singleton predicate instance */
     @SuppressWarnings("rawtypes") // the singleton instance works for all types
@@ -46,7 +46,7 @@ public class CloneTransformer<T> implements Transformer<T, T>, Serializable {
      */
     @SuppressWarnings("unchecked") // the singleton instance works for all types
     public static <T> Transformer<T, T> cloneTransformer() {
-        return (Transformer<T, T>) INSTANCE;
+        return INSTANCE;
     }
 
     /**
@@ -62,6 +62,7 @@ public class CloneTransformer<T> implements Transformer<T, T>, Serializable {
      * @param input  the input object to transform
      * @return the transformed result
      */
+    @Override
     public T transform(final T input) {
         if (input == null) {
             return null;
@@ -69,8 +70,4 @@ public class CloneTransformer<T> implements Transformer<T, T>, Serializable {
         return PrototypeFactory.prototypeFactory(input).create();
     }
 
-    private Object readResolve() {
-        return INSTANCE;
-    }
-
 }

src/main/java/org/apache/commons/collections4/functors/ForClosure.java

@@ -16,20 +16,20 @@
  */
 package org.apache.commons.collections4.functors;
 
-import java.io.Serializable;
-
 import org.apache.commons.collections4.Closure;
 
 /**
  * Closure implementation that calls another closure n times, like a for loop.
+ * <p>
+ * <b>WARNING:</b> from v4.1 onwards this class will <b>not</b> be serializable anymore
+ * in order to prevent potential remote code execution exploits. Please refer to
+ * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a>
+ * for more details.
  *
  * @since 3.0
  * @version $Id$
  */
-public class ForClosure<E> implements Closure<E>, Serializable {
+public class ForClosure<E> implements Closure<E> {
-
-    /** Serial version UID */
-    private static final long serialVersionUID = -1190120533393621674L;
 
     /** The number of times to loop */
     private final int iCount;
@@ -76,6 +76,7 @@ public class ForClosure<E> implements Closure<E>, Serializable {
      *
      * @param input  the input object
      */
+    @Override
     public void execute(final E input) {
         for (int i = 0; i < iCount; i++) {
             iClosure.execute(input);

src/main/java/org/apache/commons/collections4/functors/InstantiateFactory.java

@@ -16,7 +16,6 @@
  */
 package org.apache.commons.collections4.functors;
 
-import java.io.Serializable;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 
@@ -25,14 +24,16 @@ import org.apache.commons.collections4.FunctorException;
 
 /**
  * Factory implementation that creates a new object instance by reflection.
+ * <p>
+ * <b>WARNING:</b> from v4.1 onwards this class will <b>not</b> be serializable anymore
+ * in order to prevent potential remote code execution exploits. Please refer to
+ * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a>
+ * for more details.
  *
  * @since 3.0
  * @version $Id$
  */
-public class InstantiateFactory<T> implements Factory<T>, Serializable {
+public class InstantiateFactory<T> implements Factory<T> {
-
-    /** The serial version */
-    private static final long serialVersionUID = -7732226881069447957L;
 
     /** The class to create */
     private final Class<T> iClassToInstantiate;
@@ -118,6 +119,7 @@ public class InstantiateFactory<T> implements Factory<T>, Serializable {
      *
      * @return the new object
      */
+    @Override
     public T create() {
         // needed for post-serialization
         if (iConstructor == null) {

src/main/java/org/apache/commons/collections4/functors/InstantiateTransformer.java

@@ -16,7 +16,6 @@
  */
 package org.apache.commons.collections4.functors;
 
-import java.io.Serializable;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 
@@ -25,14 +24,16 @@ import org.apache.commons.collections4.Transformer;
 
 /**
  * Transformer implementation that creates a new object instance by reflection.
+ * <p>
+ * <b>WARNING:</b> from v4.1 onwards this class will <b>not</b> be serializable anymore
+ * in order to prevent potential remote code execution exploits. Please refer to
+ * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a>
+ * for more details.
  *
  * @since 3.0
  * @version $Id$
  */
-public class InstantiateTransformer<T> implements Transformer<Class<? extends T>, T>, Serializable {
+public class InstantiateTransformer<T> implements Transformer<Class<? extends T>, T> {
-
-    /** The serial version */
-    private static final long serialVersionUID = 3786388740793356347L;
 
     /** Singleton instance that uses the no arg constructor */
     @SuppressWarnings("rawtypes")
@@ -51,7 +52,7 @@ public class InstantiateTransformer<T> implements Transformer<Class<? extends T>
      */
     @SuppressWarnings("unchecked")
     public static <T> Transformer<Class<? extends T>, T> instantiateTransformer() {
-        return (Transformer<Class<? extends T>, T>) NO_ARG_INSTANCE;
+        return NO_ARG_INSTANCE;
     }
 
     /**
@@ -107,6 +108,7 @@ public class InstantiateTransformer<T> implements Transformer<Class<? extends T>
      * @param input  the input object to transform
      * @return the transformed result
      */
+    @Override
     public T transform(final Class<? extends T> input) {
         try {
             if (input == null) {

src/main/java/org/apache/commons/collections4/functors/InvokerTransformer.java

@@ -16,7 +16,6 @@
  */
 package org.apache.commons.collections4.functors;
 
-import java.io.Serializable;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 
@@ -25,14 +24,16 @@ import org.apache.commons.collections4.Transformer;
 
 /**
  * Transformer implementation that creates a new object instance by reflection.
+ * <p>
+ * <b>WARNING:</b> from v4.1 onwards this class will <b>not</b> be serializable anymore
+ * in order to prevent potential remote code execution exploits. Please refer to
+ * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a>
+ * for more details.
  *
  * @since 3.0
  * @version $Id$
  */
-public class InvokerTransformer<I, O> implements Transformer<I, O>, Serializable {
+public class InvokerTransformer<I, O> implements Transformer<I, O> {
-
-    /** The serial version */
-    private static final long serialVersionUID = -8653385846894047688L;
 
     /** The method name to call */
     private final String iMethodName;
@@ -121,6 +122,7 @@ public class InvokerTransformer<I, O> implements Transformer<I, O>, Serializable
      * @param input  the input object to transform
      * @return the transformed result, null if null input
      */
+    @Override
     @SuppressWarnings("unchecked")
     public O transform(final Object input) {
         if (input == null) {

src/main/java/org/apache/commons/collections4/functors/PrototypeFactory.java

@@ -30,6 +30,12 @@ import org.apache.commons.collections4.FunctorException;
 
 /**
  * Factory implementation that creates a new instance each time based on a prototype.
+ * <p>
+ * <b>WARNING:</b> from v4.1 onwards {@link Factory} instances returned by
+ * {@link #prototypeFactory(Object)} will <b>not</b> be serializable anymore in order
+ * to prevent potential remote code execution exploits. Please refer to
+ * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a>
+ * for more details.
  *
  * @since 3.0
  * @version $Id$
@@ -91,10 +97,7 @@ public class PrototypeFactory {
     /**
      * PrototypeCloneFactory creates objects by copying a prototype using the clone method.
      */
-    static class PrototypeCloneFactory<T> implements Factory<T>, Serializable {
+    static class PrototypeCloneFactory<T> implements Factory<T> {
-
-        /** The serial version */
-        private static final long serialVersionUID = 5604271422565175555L;
 
         /** The object to clone each time */
         private final T iPrototype;
@@ -126,6 +129,7 @@ public class PrototypeFactory {
          *
          * @return the new object
          */
+        @Override
         @SuppressWarnings("unchecked")
         public T create() {
             // needed for post-serialization
@@ -148,10 +152,7 @@ public class PrototypeFactory {
     /**
      * PrototypeSerializationFactory creates objects by cloning a prototype using serialization.
      */
-    static class PrototypeSerializationFactory<T extends Serializable> implements Factory<T>, Serializable {
+    static class PrototypeSerializationFactory<T extends Serializable> implements Factory<T> {
-
-        /** The serial version */
-        private static final long serialVersionUID = -8704966966139178833L;
 
         /** The object to clone via serialization each time */
         private final T iPrototype;
@@ -169,6 +170,7 @@ public class PrototypeFactory {
          *
          * @return the new object
          */
+        @Override
         @SuppressWarnings("unchecked")
         public T create() {
             final ByteArrayOutputStream baos = new ByteArrayOutputStream(512);

src/main/java/org/apache/commons/collections4/functors/WhileClosure.java

@@ -16,22 +16,22 @@
  */
 package org.apache.commons.collections4.functors;
 
-import java.io.Serializable;
-
 import org.apache.commons.collections4.Closure;
 import org.apache.commons.collections4.Predicate;
 
 /**
  * Closure implementation that executes a closure repeatedly until a condition is met,
  * like a do-while or while loop.
+ * <p>
+ * <b>WARNING:</b> from v4.1 onwards this class will <b>not</b> be serializable anymore
+ * in order to prevent potential remote code execution exploits. Please refer to
+ * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a>
+ * for more details.
  *
  * @since 3.0
  * @version $Id$
  */
-public class WhileClosure<E> implements Closure<E>, Serializable {
+public class WhileClosure<E> implements Closure<E> {
-
-    /** Serial version UID */
-    private static final long serialVersionUID = -3110538116913760108L;
 
     /** The test condition */
     private final Predicate<? super E> iPredicate;
@@ -81,6 +81,7 @@ public class WhileClosure<E> implements Closure<E>, Serializable {
      *
      * @param input  the input object
      */
+    @Override
     public void execute(final E input) {
         if (iDoLoop) {
             iClosure.execute(input);

src/main/java/org/apache/commons/collections4/functors/package-info.java

@@ -21,6 +21,22 @@
  * {@link org.apache.commons.collections4.Transformer Transformer} and
  * {@link org.apache.commons.collections4.Factory Factory} interfaces.
  * These provide simple callbacks for processing with collections.
+ * <p>
+ * <b>WARNING:</b> from v4.1 onwards several unsafe classes in this package
+ * will not be serializable anymore in order to prevent potential remote
+ * code execution exploits.
+ * <p>
+ * Classes considered to be unsafe are:
+ * <ul>
+ * <li>CloneTransformer</li>
+ * <li>ForClosure</li>
+ * <li>InstantiateFactory</li>
+ * <li>InstantiateTransformer</li>
+ * <li>InvokerTransformer</li>
+ * <li>PrototypeFactory$PrototypeCloneFactory</li>
+ * <li>PrototypeFactory$PrototypeSerializationFactory</li>
+ * <li>WhileClosure</li>
+ * </ul>
  *
  * @version $Id$
  */