restrict XML decoding for plugin Configuration

Vladimir Kotal · Vladimir Kotal · commit 487154b7a51d · 2021-04-09T13:06:41.000+02:00
diff --git a/plugins/src/main/java/opengrok/auth/plugin/configuration/Configuration.java b/plugins/src/main/java/opengrok/auth/plugin/configuration/Configuration.java
@@ -161,7 +161,8 @@ public static Configuration makeXMLStringAsConfiguration(String xmlconfig) throw
     private static Configuration decodeObject(InputStream in) throws IOException {
         final Object ret;
 
-        try (XMLDecoder d = new XMLDecoder(new BufferedInputStream(in), null, null, Configuration.class.getClassLoader())) {
+        try (XMLDecoder d = new XMLDecoder(new BufferedInputStream(in), null, null,
+                new PluginConfigurationClassLoader())) {
             ret = d.readObject();
         }
 
diff --git a/plugins/src/main/java/opengrok/auth/plugin/configuration/PluginConfigurationClassLoader.java b/plugins/src/main/java/opengrok/auth/plugin/configuration/PluginConfigurationClassLoader.java
@@ -0,0 +1,62 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * See LICENSE.txt included in this distribution for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at LICENSE.txt.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
+ */
+package opengrok.auth.plugin.configuration;
+
+import opengrok.auth.plugin.ldap.LdapServer;
+
+import java.beans.XMLDecoder;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.stream.Collectors;
+
+/**
+ * Temporary hack to prevent {@link XMLDecoder} to deserialize other than allowed classes. This tries to prevent
+ * calling of methods on {@link ProcessBuilder} or {@link Runtime} (or similar) which could be used for code execution.
+ */
+public class PluginConfigurationClassLoader extends ClassLoader {
+
+    private static final Set<String> allowedClasses = Set.of(
+            ArrayList.class,
+            Collections.class,
+            Configuration.class,
+            Date.class,
+            HashMap.class,
+            LdapServer.class,
+            String.class,
+            TreeSet.class,
+            XMLDecoder.class
+    ).stream().map(Class::getName).collect(Collectors.toSet());
+
+    @Override
+    public Class<?> loadClass(final String name) throws ClassNotFoundException {
+        if (!allowedClasses.contains(name)) {
+            throw new IllegalAccessError(name + " is not allowed to be used in configuration");
+        }
+
+        return getClass().getClassLoader().loadClass(name);
+    }
+}
diff --git a/plugins/src/test/java/opengrok/auth/plugin/configuration/ConfigurationTest.java b/plugins/src/test/java/opengrok/auth/plugin/configuration/ConfigurationTest.java
@@ -27,6 +27,8 @@
 import java.beans.XMLEncoder;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
@@ -36,9 +38,12 @@
 import opengrok.auth.plugin.util.WebHook;
 import opengrok.auth.plugin.util.WebHooks;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 /**
  *
@@ -99,4 +104,60 @@ public void testEncodeDecode() {
             throw afe;
         }
     }
+
+    @ParameterizedTest
+    @ValueSource(strings = {
+            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
+                    "<java version=\"11.0.8\" class=\"java.beans.XMLDecoder\">\n" +
+                    "  <object class=\"java.lang.Runtime\" method=\"getRuntime\">\n" +
+                    "    <void method=\"exec\">\n" +
+                    "      <array class=\"java.lang.String\" length=\"2\">\n" +
+                    "        <void index=\"0\">\n" +
+                    "          <string>/usr/bin/nc</string>\n" +
+                    "        </void>\n" +
+                    "        <void index=\"1\">\n" +
+                    "          <string>-l</string>\n" +
+                    "        </void>\n" +
+                    "      </array>\n" +
+                    "    </void>\n" +
+                    "  </object>\n" +
+                    "</java>",
+            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
+                    "<java version=\"11.0.8\" class=\"java.beans.XMLDecoder\">\n" +
+                    "  <object class=\"java.lang.ProcessBuilder\">\n" +
+                    "    <array class=\"java.lang.String\" length=\"1\" >\n" +
+                    "      <void index=\"0\"> \n" +
+                    "        <string>/usr/bin/curl https://oracle.com</string>\n" +
+                    "      </void>\n" +
+                    "    </array>\n" +
+                    "    <void method=\"start\"/>\n" +
+                    "  </object>\n" +
+                    "</java>",
+            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
+                    "<java version=\"11.0.8\" class=\"java.beans.XMLDecoder\">\n" +
+                    "  <object class = \"java.io.FileOutputStream\"> \n" +
+                    "    <string>opengrok_test.txt</string>\n" +
+                    "    <method name = \"write\">\n" +
+                    "      <array class=\"byte\" length=\"3\">\n" +
+                    "        <void index=\"0\"><byte>96</byte></void>\n" +
+                    "        <void index=\"1\"><byte>96</byte></void>\n" +
+                    "        <void index=\"2\"><byte>96</byte></void>\n" +
+                    "      </array>\n" +
+                    "    </method>\n" +
+                    "    <method name=\"close\"/>\n" +
+                    "  </object>\n" +
+                    "</java>"
+    })
+    void testDeserializationOfNotWhiteListedClassThrowsError(final String exploit) {
+        assertThrows(IllegalAccessError.class, () -> Configuration.makeXMLStringAsConfiguration(exploit));
+    }
+
+    @Test
+    void testReadCacheValid() throws IOException {
+        File testFile = new File(ConfigurationTest.class.getClassLoader().
+                getResource("opengrok/auth/plugin/configuration/plugin-config.xml").getFile());
+        Configuration config = Configuration.read(testFile);
+        assertNotNull(config);
+        assertEquals(2, config.getServers().size());
+    }
 }
diff --git a/plugins/src/test/resources/opengrok/auth/plugin/configuration/plugin-config.xml b/plugins/src/test/resources/opengrok/auth/plugin/configuration/plugin-config.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<java version="1.8.0_65" class="java.beans.XMLDecoder">
+        <object class="opengrok.auth.plugin.configuration.Configuration">
+                <void property="interval">
+                        <int>900000</int>
+                </void>
+                <void property="searchTimeout">
+                        <int>500</int>
+                </void>
+                <void property="searchBase">
+                        <string>dc=foobar,dc=com</string>
+                </void>
+                <void property="connectTimeout">
+                        <int>5000</int>
+                </void>
+                <void property="countLimit">
+                        <int>100</int>
+                </void>
+                <void property="servers">
+                        <void method="add">
+                                <object class="opengrok.auth.plugin.ldap.LdapServer">
+                                        <void property="name">
+                                                <string>ldap://ldap1.foobar.com</string>
+                                        </void>
+                                        <void property="connectTimeout">
+                                                <int>5000</int>
+                                        </void>
+                                </object>
+                        </void>
+                        <void method="add">
+                                <object class="opengrok.auth.plugin.ldap.LdapServer">
+                                        <void property="name">
+                                                <string>ldap://ldap2.foobar.com</string>
+                                        </void>
+                                </object>
+                        </void>
+                </void>
+        </object>
+</java>

Original file line number	Diff line number	Diff line change
`@@ -161,7 +161,8 @@ public static Configuration makeXMLStringAsConfiguration(String xmlconfig) throw`
`161`	`161`	`private static Configuration decodeObject(InputStream in) throws IOException {`
`162`	`162`	`final Object ret;`
`163`	`163`
`164`		`- try (XMLDecoder d = new XMLDecoder(new BufferedInputStream(in), null, null, Configuration.class.getClassLoader())) {`
	`164`	`+ try (XMLDecoder d = new XMLDecoder(new BufferedInputStream(in), null, null,`
	`165`	`+ new PluginConfigurationClassLoader())) {`
`165`	`166`	`ret = d.readObject();`
`166`	`167`	`}`
`167`	`168`