Restrict ZookeeperDistributedQueue deserialization to an allow-list (CWE-502)#49
Open
devin-ai-integration[bot] wants to merge 1 commit into
Open
Conversation
… (CWE-502) Apply a JEP 290 ObjectInputFilter allow-list in ZookeeperDistributedQueue.deserialize() so untrusted bytes read from Zookeeper can no longer instantiate arbitrary classes (RCE/CWE-502). Co-Authored-By: Arjun Mishra <arjunsaxmishra@gmail.com>
Author
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add proper title
Restricting
ZookeeperDistributedQueuedeserialization to an allow-list to prevent insecure deserialization / RCE (CWE-502).A Brief Overview
ZookeeperDistributedQueue.deserialize()calledObjectInputStream.readObject()on bytes read from Zookeeper with no class filtering. If an attacker can influence the data stored in Zookeeper, a crafted serialized payload could instantiate arbitrary classes during read and reach a gadget chain, leading to remote code execution.The fix installs a JDK-native JEP 290
ObjectInputFilter(no new dependency) on theObjectInputStreambeforereadObject(). The filter is an allow-list limited to the types this queue actually carries, plus resource limits to bound work per entry:!*rejects every other class (primitives stay allowed). The queue stores BroadleafSolrUpdateCommandsubtypes carryingorg.apache.solr.common.SolrInputDocument/SolrInputFieldplus JDK collections, and anIntegerfor the max-capacity config — all covered by the allow-list.Pseudo-diff of the hot path:
The filter is exposed via a new
protected ObjectInputFilter getDeserializationFilter()and theDESERIALIZATION_ALLOW_LISTconstant so subclasses that place additional types on the queue can extend it rather than disable filtering.serialize()is unchanged.Add Labels to the right panel and delete this list:
Additional context
Added
ZookeeperDistributedQueueDeserializationTest(run name matches the repo's documented single-test command) verifying that:Integerconfig value and anIncrementalUpdateCommand(with aSolrInputDocument) round-trip successfully, andInvalidClassExceptioncause (wrapped asDistributedQueueException).Local run:
mvn -pl core/broadleaf-framework -am test -Dtest=ZookeeperDistributedQueueDeserializationTest→ Tests run: 3, Failures: 0, Errors: 0.Link to Devin session: https://app.devin.ai/sessions/56cbb12633f4438ea09183d46eedf812
Devin Review