Better patch for CVE-2017-17485

Mat Booth 2018-01-15 10:52:42 +00:00
parent d969abf0d4
commit 46016810f4
4 changed files with 250 additions and 15 deletions

CVE-2017-17485-1.patch Normal file

@ -0,0 +1,201 @@
From 2235894210c75f624a3d0cd60bfb0434a20a18bf Mon Sep 17 00:00:00 2001
From: Tatu Saloranta <tatu.saloranta@iki.fi>
Date: Mon, 18 Dec 2017 21:41:51 -0800
Subject: [PATCH] Fix #1855
---
.../databind/deser/BeanDeserializerFactory.java | 54 ++----------
.../databind/jsontype/impl/SubTypeValidator.java | 98 ++++++++++++++++++++++
2 files changed, 103 insertions(+), 49 deletions(-)
create mode 100644 src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
index 217ffd9c6..b462c0c74 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -12,6 +12,7 @@
import com.fasterxml.jackson.databind.deser.std.ThrowableDeserializer;
import com.fasterxml.jackson.databind.introspect.*;
import com.fasterxml.jackson.databind.jsontype.TypeDeserializer;
+import com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator;
import com.fasterxml.jackson.databind.util.ArrayBuilders;
import com.fasterxml.jackson.databind.util.ClassUtil;
import com.fasterxml.jackson.databind.util.SimpleBeanPropertyDefinition;
@@ -40,44 +41,6 @@
private final static Class<?>[] NO_VIEWS = new Class<?>[0];
- /**
- * Set of well-known "nasty classes", deserialization of which is considered dangerous
- * and should (and is) prevented by default.
- */
- protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
- static {
- Set<String> s = new HashSet<String>();
- // Courtesy of [https://github.com/kantega/notsoserial]:
- // (and wrt [databind#1599])
- s.add("org.apache.commons.collections.functors.InvokerTransformer");
- s.add("org.apache.commons.collections.functors.InstantiateTransformer");
- s.add("org.apache.commons.collections4.functors.InvokerTransformer");
- s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
- // 05-Aug-2017, tatu: as per [https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf]
- // this is NOT likely to be exploitable via Jackson. But keep excluded just in case.
- s.add("org.codehaus.groovy.runtime.ConvertedClosure");
- s.add("org.codehaus.groovy.runtime.MethodClosure");
- s.add("org.springframework.beans.factory.ObjectFactory");
- s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
- s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
- // [databind#1680]: may or may not be problem, take no chance
- s.add("com.sun.rowset.JdbcRowSetImpl");
- // [databind#1737]; JDK provided
- s.add("java.util.logging.FileHandler");
- s.add("java.rmi.server.UnicastRemoteObject");
- // [databind#1737]; 3rd party
- s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
- s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
- s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
- s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-
- DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
- }
-
- /**
- * Set of class names of types that are never to be deserialized.
- */
- protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
/*
/**********************************************************
@@ -179,7 +142,7 @@ public DeserializerFactory withConfig(DeserializerFactoryConfig config)
return null;
}
// For checks like [databind#1599]
- checkIllegalTypes(ctxt, type, beanDesc);
+ _validateSubType(ctxt, type, beanDesc);
// Use generic bean introspection to build deserializer
return buildBeanDeserializer(ctxt, type, beanDesc);
}
@@ -868,17 +831,10 @@
return (status == null) ? false : status.booleanValue();
}
- protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+ protected void _validateSubType(DeserializationContext ctxt, JavaType type,
BeanDescription beanDesc)
throws JsonMappingException
{
- // There are certain nasty classes that could cause problems, mostly
- // via default typing -- catch them here.
- String full = type.getRawClass().getName();
-
- if (_cfgIllegalClassNames.contains(full)) {
- throw JsonMappingException.from(ctxt,
- String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
- }
+ SubTypeValidator.instance().validateSubType(ctxt, type);
}
}
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
new file mode 100644
index 000000000..8a273cc15
--- /dev/null
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -0,0 +1,98 @@
+package com.fasterxml.jackson.databind.jsontype.impl;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.JsonMappingException;
+
+/**
+ * Helper class used to encapsulate rules that determine subtypes that
+ * are invalid to use, even with default typing, mostly due to security
+ * concerns.
+ * Used by <code>BeanDeserializerFacotry</code>
+ *
+ * @since 2.8.11
+ */
+public class SubTypeValidator
+{
+ protected final static String PREFIX_STRING = "org.springframework.";
+ /**
+ * Set of well-known "nasty classes", deserialization of which is considered dangerous
+ * and should (and is) prevented by default.
+ */
+ protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
+ static {
+ Set<String> s = new HashSet<String>();
+ // Courtesy of [https://github.com/kantega/notsoserial]:
+ // (and wrt [databind#1599])
+ s.add("org.apache.commons.collections.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+ s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+ s.add("org.codehaus.groovy.runtime.ConvertedClosure");
+ s.add("org.codehaus.groovy.runtime.MethodClosure");
+ s.add("org.springframework.beans.factory.ObjectFactory");
+ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+ // [databind#1680]: may or may not be problem, take no chance
+ s.add("com.sun.rowset.JdbcRowSetImpl");
+ // [databind#1737]; JDK provided
+ s.add("java.util.logging.FileHandler");
+ s.add("java.rmi.server.UnicastRemoteObject");
+ // [databind#1737]; 3rd party
+//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
+ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+ // [databind#1855]: more 3rd party
+ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
+ /**
+ * Set of class names of types that are never to be deserialized.
+ */
+ protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
+
+ private final static SubTypeValidator instance = new SubTypeValidator();
+
+ protected SubTypeValidator() { }
+
+ public static SubTypeValidator instance() { return instance; }
+
+ public void validateSubType(DeserializationContext ctxt, JavaType type) throws JsonMappingException
+ {
+ // There are certain nasty classes that could cause problems, mostly
+ // via default typing -- catch them here.
+ final Class<?> raw = type.getRawClass();
+ String full = raw.getName();
+
+ do {
+ if (_cfgIllegalClassNames.contains(full)) {
+ break;
+ }
+
+ // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
+ // for some Spring framework types
+ if (full.startsWith(PREFIX_STRING)) {
+ for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) {
+ String name = cls.getSimpleName();
+ // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
+ if ("AbstractPointcutAdvisor".equals(name)
+ // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts
+ || "AbstractApplicationContext.equals".equals(name)) {
+ break;
+ }
+ }
+ }
+ return;
+ } while (false);
+
+ throw JsonMappingException.from(ctxt,
+ String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
+ }
+}
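Review bot: The superclass walk in validateSubType (`for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass())`) has no null guard, so if a type under the `org.springframework.` prefix is an interface, `getSuperclass()` yields null on the first step, `null != Object.class` holds, and `cls.getSimpleName()` on the next line throws a NullPointerException instead of a JsonMappingException. Whether an interface type actually reaches this path depends on the earlier abstract-type handling in BeanDeserializerFactory, which is outside this patch, but the loop condition should not rely on that. The one-line hardening is `for (Class<?> cls = raw; cls != null && cls != Object.class; cls = cls.getSuperclass()) {`. Since this is a vendored upstream patch, the change belongs in a follow-up patch file rather than an edit to this one.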

CVE-2017-17485-2.patch Normal file

@ -0,0 +1,41 @@
From bb45fb16709018842f858f1a6e1118676aaa34bd Mon Sep 17 00:00:00 2001
From: Tatu Saloranta <tatu.saloranta@iki.fi>
Date: Tue, 19 Dec 2017 08:31:15 -0800
Subject: [PATCH] Fix issues with earlier fix for #1855
---
.../jackson/databind/jsontype/impl/SubTypeValidator.java | 5 +++--
.../jackson/databind/interop/IllegalTypesCheckTest.java | 7 +++++++
.../springframework/jacksontest/AbstractApplicationContext.java | 5 +++++
.../org/springframework/jacksontest/AbstractPointcutAdvisor.java | 5 +++++
.../org/springframework/jacksontest/BogusApplicationContext.java | 9 +++++++++
.../org/springframework/jacksontest/BogusPointcutAdvisor.java | 9 +++++++++
6 files changed, 38 insertions(+), 2 deletions(-)
create mode 100644 src/test/java/org/springframework/jacksontest/AbstractApplicationContext.java
create mode 100644 src/test/java/org/springframework/jacksontest/AbstractPointcutAdvisor.java
create mode 100644 src/test/java/org/springframework/jacksontest/BogusApplicationContext.java
create mode 100644 src/test/java/org/springframework/jacksontest/BogusPointcutAdvisor.java
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 8a273cc15..45a76169f 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -71,6 +71,7 @@ public void validateSubType(DeserializationContext ctxt, JavaType type) throws J
final Class<?> raw = type.getRawClass();
String full = raw.getName();
+ main_check:
do {
if (_cfgIllegalClassNames.contains(full)) {
break;
@@ -84,8 +85,8 @@ public void validateSubType(DeserializationContext ctxt, JavaType type) throws J
// looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
if ("AbstractPointcutAdvisor".equals(name)
// ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts
- || "AbstractApplicationContext.equals".equals(name)) {
- break;
+ || "AbstractApplicationContext".equals(name)) {
+ break main_check;
}
}
}
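Review bot: The patch preamble still carries the upstream diffstat naming six files (IllegalTypesCheckTest and four org.springframework.jacksontest stubs) with 38 insertions, yet only the SubTypeValidator hunk follows, so the header no longer describes the patch body. This looks like a deliberate trim of test-only hunks for packaging, but nothing says so. A one-line note above the `---` separator, such as `Backport note: test-file hunks dropped; only the SubTypeValidator change is applied`, or removing the stale diffstat lines, would keep the next maintainer from assuming hunks were lost.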


@ -1,12 +0,0 @@
--- src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java.orig 2018-01-11 13:52:07.289025352 +0000
+++ src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2018-01-11 13:52:33.253913719 +0000
@@ -70,6 +70,9 @@
s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+ // [databind#1855]: more 3rd party
+ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}


@ -1,6 +1,6 @@
Name: jackson-databind
Version: 2.7.6
Release: 6%{?dist}
Release: 7%{?dist}
Summary: General data-binding package for Jackson (2.x)
License: ASL 2.0 and LGPLv2+
URL: http://wiki.fasterxml.com/JacksonHome
@ -9,7 +9,8 @@ Source0: https://github.com/FasterXML/jackson-databind/archive/%{name}-%{v
# These patches can go when we update to jackson >= 2.8.11 OR jackson >= 2.7.9.2
Patch0: CVE-2017-7525.patch
Patch1: CVE-2017-15095.patch
Patch2: CVE-2017-17485.patch
Patch2: CVE-2017-17485-1.patch
Patch3: CVE-2017-17485-2.patch
BuildRequires: maven-local
BuildRequires: mvn(com.fasterxml.jackson:jackson-parent:pom:)
@ -36,7 +37,8 @@ This package contains javadoc for %{name}.
%setup -q -n %{name}-%{name}-%{version}
%patch0 -p1
%patch1
%patch2
%patch2 -p1
%patch3 -p1
cp -p src/main/resources/META-INF/LICENSE .
cp -p src/main/resources/META-INF/NOTICE .
@ -75,6 +77,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \
%license LICENSE NOTICE
%changelog
* Mon Jan 15 2018 Mat Booth <mat.booth@redhat.com> - 2.7.6-7
- Better patch for CVE-2017-17485
* Thu Jan 11 2018 Mat Booth <mat.booth@redhat.com> - 2.7.6-6
- Backport a patch to fix CVE-2017-17485