Prevent known vulnerable classes from being deserialized.

harawata · harawata · commit 489f564cd539 · 2018-06-24T02:10:40.000+09:00
The recommended way would be to configure the deserialization filter provided by JDK (JEP-290). http://openjdk.java.net/jeps/290
diff --git a/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java b/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
@@ -19,11 +19,13 @@
 import java.io.ByteArrayOutputStream;
 import java.io.Externalizable;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.InvalidClassException;
 import java.io.ObjectInput;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutput;
 import java.io.ObjectOutputStream;
+import java.io.ObjectStreamClass;
 import java.io.ObjectStreamException;
 import java.io.StreamCorruptedException;
 import java.util.Arrays;
@@ -107,8 +109,7 @@ protected final Object readResolve() throws ObjectStreamException {
     }
 
     /* First run */
-    try {
-      final ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(this.userBeanBytes));
+    try (final ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(this.userBeanBytes))) {
       this.userBean = in.readObject();
       this.unloadedProperties = (Map<String, ResultLoaderMap.LoadPair>) in.readObject();
       this.objectFactory = (ObjectFactory) in.readObject();
@@ -129,4 +130,30 @@ protected final Object readResolve() throws ObjectStreamException {
 
   protected abstract Object createDeserializationProxy(Object target, Map<String, ResultLoaderMap.LoadPair> unloadedProperties, ObjectFactory objectFactory,
           List<Class<?>> constructorArgTypes, List<Object> constructorArgs);
+
+  private static class LookAheadObjectInputStream extends ObjectInputStream {
+    private static final List<String> blacklist = Arrays.asList(
+        "org.apache.commons.collections.functors.InvokerTransformer",
+        "org.apache.commons.collections.functors.InstantiateTransformer",
+        "org.apache.commons.collections4.functors.InvokerTransformer",
+        "org.apache.commons.collections4.functors.InstantiateTransformer",
+        "org.codehaus.groovy.runtime.ConvertedClosure", "org.codehaus.groovy.runtime.MethodClosure",
+        "org.springframework.beans.factory.ObjectFactory",
+        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+
+    public LookAheadObjectInputStream(InputStream in) throws IOException {
+      super(in);
+    }
+
+    @Override
+    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+      String className = desc.getName();
+      if (blacklist.contains(className)) {
+        throw new InvalidClassException(className, "Deserialization is not allowed for security reasons. "
+            + "It is strongly recommended to configure the deserialization filter provided by JDK. "
+            + "See http://openjdk.java.net/jeps/290 for the details.");
+      }
+      return super.resolveClass(desc);
+    }
+  }
 }
