
Use JDK ObjectInputFilter instead of calling AllowedListDeserializingMessageConverter::checkAllowedList in ConfigurableObjectInputStream::resolveClass #2687

Open
quaff opened this issue Apr 18, 2024 · 2 comments

Comments

@quaff

quaff commented Apr 18, 2024

I think it's better to use standard API.
see Java Serialization Filters

```java
protected Class<?> resolveClass(ObjectStreamClass classDesc)
        throws IOException, ClassNotFoundException {
    Class<?> clazz = super.resolveClass(classDesc);
    checkAllowedList(clazz);
    return clazz;
}
```

@artembilan
Member

Well, the ConfigurableObjectInputStream is still going to be there since it relies on the specific ClassLoader:

```java
/**
 * Special {@link ObjectInputStream} subclass that resolves class names
 * against a specific {@link ClassLoader}.
 *
 * @author Juergen Hoeller
 * @since 2.5.5
 * @see org.springframework.core.serializer.DefaultDeserializer
 */
public class ConfigurableObjectInputStream extends ObjectInputStream {
```

Please revise your request so it is about the logic we do in the AllowedListDeserializingMessageConverter, to use that ObjectInputFilter instead of the resolveClass() override.
Otherwise this is confusing and might be closed without the fix.

Thanks

@artembilan artembilan added this to the 3.2.0-M1 milestone Apr 18, 2024
@quaff quaff changed the title Use JDK ObjectInputFilter instead of spring ConfigurableObjectInputStream Use JDK ObjectInputFilter instead of calling AllowedListDeserializingMessageConverter::checkAllowedList in ConfigurableObjectInputStream::resolveClass Apr 18, 2024
artembilan added a commit to artembilan/spring-amqp that referenced this issue Jul 12, 2024
@artembilan
Member

I made the change: artembilan@16c9e8f.

But decided that it is a bit of a breaking change in the behavior, since now we do not throw SecurityException directly, but through some stack trace dictated by the ObjectInputFilter with its InvalidClassException (which is a checked IOException).

So, pushing this to the future when we start a new major version.
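The two approaches discussed in this thread, the `resolveClass()` override quoted in the opening post and the JDK `ObjectInputFilter` that artembilan prototyped, side by side in one runnable demo, including the behaviour difference noted above (an unchecked `SecurityException` versus a checked `InvalidClassException`). This is an added example, not code from Spring AMQP or the Spring Framework; the class `AllowListFilterDemo`, its helper methods and the two-entry allowed list are constructed for illustration and do not reproduce Spring's real allowed-list pattern matching.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Set;

/** Hypothetical demo class; not part of Spring AMQP or the Spring Framework. */
public class AllowListFilterDemo {

    // Constructed allowed list for the demo (exact class names only).
    static final Set<String> ALLOWED_CLASSES = Set.of("java.util.ArrayList", "java.lang.String");

    /** Approach 1: the resolveClass() override pattern; rejection surfaces as an unchecked SecurityException. */
    static class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            Class<?> clazz = super.resolveClass(desc);
            if (!ALLOWED_CLASSES.contains(clazz.getName())) {
                throw new SecurityException("Attempt to deserialize unauthorized class: " + clazz.getName());
            }
            return clazz;
        }
    }

    /** Approach 2: the same list as a JDK ObjectInputFilter; rejection surfaces as a checked InvalidClassException. */
    static ObjectInputFilter allowListFilter() {
        return info -> {
            Class<?> clazz = info.serialClass();
            if (clazz == null) {
                // The filter is also consulted for depth, reference-count and array-length checks; nothing to decide.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (clazz.isArray()) {
                clazz = clazz.getComponentType(); // judge arrays by their element type
            }
            if (clazz.isPrimitive() || ALLOWED_CLASSES.contains(clazz.getName())) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    static Object readWithResolveClass(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    static Object readWithFilter(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(allowListFilter()); // Java 9+ API
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] permitted = serialize(new ArrayList<>(List.of("a", "b")));
        byte[] rejected = serialize(new Date()); // java.util.Date is not on the constructed list

        System.out.println("filter, permitted payload: " + readWithFilter(permitted));
        try {
            readWithResolveClass(rejected);
        } catch (SecurityException e) {
            System.out.println("resolveClass override: " + e.getClass().getSimpleName() + " (unchecked)");
        }
        try {
            readWithFilter(rejected);
        } catch (InvalidClassException e) {
            System.out.println("ObjectInputFilter: " + e.getClass().getSimpleName() + " (checked IOException)");
        }
    }
}
```

The same allowed list can also be expressed declaratively with `ObjectInputFilter.Config.createFilter("java.util.ArrayList;java.lang.String;!*")`, which rejects everything not listed. Whichever form is used, callers that today catch `SecurityException` would have to catch `InvalidClassException` (or `IOException`) instead, which is the compatibility concern behind deferring this to a new major version.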

@artembilan artembilan modified the milestones: 3.2.0-M1, Backlog Jul 12, 2024