diff --git a/cli/src/main/java/hudson/cli/Connection.java b/cli/src/main/java/hudson/cli/Connection.java
index 165a6deb7e6af83adf0ccda8cbe86a474414a65e..7f0bd9bbb1beea63d2edb94c7c9947970f5a7658 100644
--- a/cli/src/main/java/hudson/cli/Connection.java
+++ b/cli/src/main/java/hudson/cli/Connection.java
@@ -23,6 +23,8 @@
 */
 package hudson.cli;
+import hudson.remoting.ClassFilter;
+import hudson.remoting.ObjectInputStreamEx;
 import hudson.remoting.SocketChannelStream;
 import org.apache.commons.codec.binary.Base64;
@@ -107,7 +109,8 @@ public class Connection {
 * Receives an object sent by {@link #writeObject(Object)}
 */
 public T readObject() throws IOException, ClassNotFoundException {
- ObjectInputStream ois = new ObjectInputStream(in);
+ ObjectInputStream ois = new ObjectInputStreamEx(in,
+ ClassFilter.DEFAULT.decorate(getClass().getClassLoader()));
 return (T)ois.readObject();
 }
diff --git a/core/src/main/java/jenkins/security/RemotingFilterClassLoader.java b/core/src/main/java/jenkins/security/RemotingFilterClassLoader.java
deleted file mode 100644
index 4c621c2dfffe58ed63b99c591f92f3a11a407479..0000000000000000000000000000000000000000
--- a/core/src/main/java/jenkins/security/RemotingFilterClassLoader.java
+++ /dev/null
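Review bot: The Javadoc on readObject still says only that it receives an object from writeObject, while the new ObjectInputStreamEx line makes this the point where data arriving from the remote peer is checked against a class blacklist, and a caller cannot tell a filter rejection from an ordinary missing class since both presumably surface as ClassNotFoundException (the deleted RemotingFilterClassLoader threw exactly that). I would extend the Javadoc with `@throws ClassNotFoundException if the serialized class cannot be loaded, or if {@link ClassFilter#DEFAULT} rejects it` plus a sentence stating that `in` carries untrusted input, which is why the filtering stream is used instead of a plain ObjectInputStream. Leaving `ois` unclosed is unchanged from the old line and presumably deliberate because closing it would close the shared `in`; a one-line comment saying so would save the next reader the question. Note also that ClassFilter and ObjectInputStreamEx only exist in the remoting version the pom hunk moves to, and that version is `2.53-SNAPSHOT`, so the build is not reproducible until a released remoting is pinned.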
@@ -1,125 +0,0 @@
-package jenkins.security;
-
-
-/**
- * Prevents problematic classes from getting de-serialized.
- *
- * @author Kohsuke Kawaguchi
- */
-public class RemotingFilterClassLoader extends ClassLoader {
- private final ClassLoader actual;
-
- public RemotingFilterClassLoader(ClassLoader actual) {
- // intentionally not passing 'actual' as the parent classloader to the super type
- // to prevent accidental bypassing of a filter.
- this.actual = actual;
- }
-
- @Override
- public Class loadClass(String name) throws ClassNotFoundException {
- if (isBlacklisted(name)) throw new ClassNotFoundException(name);
- Class c = actual.loadClass(name);
- if (isBlacklisted(c)) throw new ClassNotFoundException(name);
- return c;
- }
-
- protected boolean isBlacklisted(String name) {
- // these are coming from libraries, so protecting it by name is better as
- // some plugins might be bundling them and choosing to mask ones from core.
- if (name.startsWith("org.codehaus.groovy.runtime."))
- return true; // ConvertedClosure is named in exploit
- if (name.startsWith("org.apache.commons.collections.functors."))
- return true; // InvokerTransformer, InstantiateFactory, InstantiateTransformer are particularly scary
-
- // this package can appear in ordinary xalan.jar or com.sun.org.apache.xalan
- // the target is trax.TemplatesImpl
- if (name.contains("org.apache.xalan"))
- return true;
- return false;
- }
-
- protected boolean isBlacklisted(Class c) {
- /* Switched to blacklisting by name.
-
-import org.apache.commons.collections.Transformer;
-import org.codehaus.groovy.runtime.ConversionHandler;
-
-import javax.xml.transform.Templates;
-
- if (Transformer.class.isAssignableFrom(c))
- return true;
- if (ConversionHandler.class.isAssignableFrom(c))
- return true;
- if (Templates.class.isAssignableFrom(c))
- return true;
- */
-
- return false;
- }
-}
-
-/*
- Publicized attack payload:
-
- ObjectInputStream.readObject()
- PriorityQueue.readObject()
- Comparator.compare() (Proxy)
- ConvertedClosure.invoke()
- MethodClosure.call()
- ...
- Method.invoke()
- Runtime.exec()
-
-
- ObjectInputStream.readObject()
- AnnotationInvocationHandler.readObject()
- Map(Proxy).entrySet()
- AnnotationInvocationHandler.invoke()
- LazyMap.get()
- ChainedTransformer.transform()
- ConstantTransformer.transform()
- InvokerTransformer.transform()
- Method.invoke()
- Class.getMethod()
- InvokerTransformer.transform()
- Method.invoke()
- Runtime.getRuntime()
- InvokerTransformer.transform()
- Method.invoke()
- Runtime.exec()
-
-
- ObjectInputStream.readObject()
- PriorityQueue.readObject()
- ...
- TransformingComparator.compare()
- InvokerTransformer.transform()
- Method.invoke()
- Runtime.exec()
-
-
- ObjectInputStream.readObject()
- SerializableTypeWrapper.MethodInvokeTypeProvider.readObject()
- SerializableTypeWrapper.TypeProvider(Proxy).getType()
- AnnotationInvocationHandler.invoke()
- HashMap.get()
- ReflectionUtils.findMethod()
- SerializableTypeWrapper.TypeProvider(Proxy).getType()
- AnnotationInvocationHandler.invoke()
- HashMap.get()
- ReflectionUtils.invokeMethod()
- Method.invoke()
- Templates(Proxy).newTransformer()
- AutowireUtils.ObjectFactoryDelegatingInvocationHandler.invoke()
- ObjectFactory(Proxy).getObject()
- AnnotationInvocationHandler.invoke()
- HashMap.get()
- Method.invoke()
- TemplatesImpl.newTransformer()
- TemplatesImpl.getTransletInstance()
- TemplatesImpl.defineTransletClasses()
- TemplatesImpl.TransletClassLoader.defineClass()
- Pwner*(Javassist-generated).
- Runtime.exec()
-
- */
diff --git a/pom.xml b/pom.xml
index cdd35ea1966bb773551c60c54da54a6f5d617b2c..1583deeb0e50d367751532e7fe381742c265e004 100644
--- a/pom.xml
+++ b/pom.xml
@@ -174,7 +174,7 @@ THE SOFTWARE.
 org.jenkins-ci.main
 remoting
- 2.47
+ 2.53-SNAPSHOT