Apache
/
httpcomponents-client
mirror of https://github.com/apache/httpcomponents-client.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

HTTPCLIENT-1976: Unsafe deserialization in DefaultHttpCacheEntrySerializer

This commit is contained in:
Artem Smotrakov 2019-04-02 12:16:03 +02:00 committed by Oleg Kalnichevski
parent 2035aaed33
commit c8068487fb
2 changed files with 92 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
httpclient-cache/src/main/java/org/apache/http/impl/client/cache/DefaultHttpCacheEntrySerializer.java vendored
View File

@ -30,7 +30,12 @@ import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.io.ObjectInputStream; import java.io.ObjectInputStream;
import java.io.ObjectOutputStream; import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.OutputStream; import java.io.OutputStream;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;
import org.apache.http.annotation.Contract; import org.apache.http.annotation.Contract;
import org.apache.http.annotation.ThreadingBehavior; import org.apache.http.annotation.ThreadingBehavior;
@ -49,6 +54,22 @@ import org.apache.http.client.cache.HttpCacheEntrySerializer;
@Contract(threading = ThreadingBehavior.IMMUTABLE) @Contract(threading = ThreadingBehavior.IMMUTABLE)
public class DefaultHttpCacheEntrySerializer implements HttpCacheEntrySerializer { public class DefaultHttpCacheEntrySerializer implements HttpCacheEntrySerializer {
private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
Pattern.compile("^(\\[L)?org\\.apache\\.http\\.(.*)"),
Pattern.compile("^(\\[L)?java\\.util\\.(.*)"),
Pattern.compile("^(\\[L)?java\\.lang\\.(.*)$"),
Pattern.compile("^\\[B$")));
private final List<Pattern> allowedClassPatterns;
DefaultHttpCacheEntrySerializer(final Pattern... allowedClassPatterns) {
this.allowedClassPatterns = Collections.unmodifiableList(Arrays.asList(allowedClassPatterns));
}
public DefaultHttpCacheEntrySerializer() {
this.allowedClassPatterns = ALLOWED_CLASS_PATTERNS;
}
@Override @Override
public void writeTo(final HttpCacheEntry cacheEntry, final OutputStream os) throws IOException { public void writeTo(final HttpCacheEntry cacheEntry, final OutputStream os) throws IOException {
final ObjectOutputStream oos = new ObjectOutputStream(os); final ObjectOutputStream oos = new ObjectOutputStream(os);
@ -61,7 +82,7 @@ public class DefaultHttpCacheEntrySerializer implements HttpCacheEntrySerializer
@Override @Override
public HttpCacheEntry readFrom(final InputStream is) throws IOException { public HttpCacheEntry readFrom(final InputStream is) throws IOException {
final ObjectInputStream ois = new ObjectInputStream(is); final ObjectInputStream ois = new RestrictedObjectInputStream(is, allowedClassPatterns);
try { try {
return (HttpCacheEntry) ois.readObject(); return (HttpCacheEntry) ois.readObject();
} catch (final ClassNotFoundException ex) { } catch (final ClassNotFoundException ex) {
@ -71,4 +92,32 @@ public class DefaultHttpCacheEntrySerializer implements HttpCacheEntrySerializer
} }
} }
private static class RestrictedObjectInputStream extends ObjectInputStream {
private final List<Pattern> allowedClassPatterns;
private RestrictedObjectInputStream(final InputStream in, final List<Pattern> patterns) throws IOException {
super(in);
this.allowedClassPatterns = patterns;
}
@Override
protected Class<?> resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
if (isProhibited(desc)) {
throw new HttpCacheEntrySerializationException(String.format(
"Class %s is not allowed for deserialization", desc.getName()));
}
return super.resolveClass(desc);
}
private boolean isProhibited(final ObjectStreamClass desc) {
for (final Pattern pattern : allowedClassPatterns) {
if (pattern.matcher(desc.getName()).matches()) {
return false;
}
}
return true;
}
}
} }

42
httpclient-cache/src/test/java/org/apache/http/impl/client/cache/TestHttpCacheEntrySerializers.java vendored
View File

@ -32,11 +32,13 @@ import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream; import java.io.ByteArrayOutputStream;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.nio.charset.Charset; import java.nio.charset.Charset;
import java.util.Arrays; import java.util.Arrays;
import java.util.Date; import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.regex.Pattern;
import org.apache.commons.codec.binary.Base64; import org.apache.commons.codec.binary.Base64;
import org.apache.http.Header; import org.apache.http.Header;
@ -44,6 +46,7 @@ import org.apache.http.ProtocolVersion;
import org.apache.http.StatusLine; import org.apache.http.StatusLine;
import org.apache.http.client.cache.HeaderConstants; import org.apache.http.client.cache.HeaderConstants;
import org.apache.http.client.cache.HttpCacheEntry; import org.apache.http.client.cache.HttpCacheEntry;
import org.apache.http.client.cache.HttpCacheEntrySerializationException;
import org.apache.http.client.cache.HttpCacheEntrySerializer; import org.apache.http.client.cache.HttpCacheEntrySerializer;
import org.apache.http.client.cache.Resource; import org.apache.http.client.cache.Resource;
import org.apache.http.message.BasicHeader; import org.apache.http.message.BasicHeader;
@ -51,6 +54,8 @@ import org.apache.http.message.BasicStatusLine;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import com.sun.rowset.JdbcRowSetImpl;
public class TestHttpCacheEntrySerializers { public class TestHttpCacheEntrySerializers {
private static final Charset UTF8 = Charset.forName("UTF-8"); private static final Charset UTF8 = Charset.forName("UTF-8");
@ -67,6 +72,43 @@ public class TestHttpCacheEntrySerializers {
readWriteVerify(makeCacheEntryWithVariantMap()); readWriteVerify(makeCacheEntryWithVariantMap());
} }
@Test(expected = HttpCacheEntrySerializationException.class)
public void throwExceptionIfUnsafeDeserialization() throws IOException {
impl.readFrom(new ByteArrayInputStream(serializeProhibitedObject()));
}
@Test(expected = HttpCacheEntrySerializationException.class)
public void allowClassesToBeDeserialized() throws IOException {
impl = new DefaultHttpCacheEntrySerializer(
Pattern.compile("javax.sql.rowset.BaseRowSet"),
Pattern.compile("com.sun.rowset.JdbcRowSetImpl"));
readVerify(serializeProhibitedObject());
}
@Test(expected = HttpCacheEntrySerializationException.class)
public void allowClassesToBeDeserializedByRegex() throws IOException {
impl = new DefaultHttpCacheEntrySerializer(
Pattern.compile(("^com\\.sun\\.rowset\\.(.*)")),
Pattern.compile("^javax\\.sql\\.rowset\\.BaseRowSet$"));
readVerify(serializeProhibitedObject());
}
private byte[] serializeProhibitedObject() throws IOException {
final JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
final ByteArrayOutputStream baos = new ByteArrayOutputStream();
final ObjectOutputStream oos = new ObjectOutputStream(baos);
try {
oos.writeObject(jdbcRowSet);
} finally {
oos.close();
}
return baos.toByteArray();
}
private void readVerify(final byte[] data) throws IOException {
impl.readFrom(new ByteArrayInputStream(data));
}
public void readWriteVerify(final HttpCacheEntry writeEntry) throws IOException { public void readWriteVerify(final HttpCacheEntry writeEntry) throws IOException {
// write the entry // write the entry
final ByteArrayOutputStream out = new ByteArrayOutputStream(); final ByteArrayOutputStream out = new ByteArrayOutputStream();