From 9f0097c876f4e6da63549af43c213e04aedac370 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Wed, 27 Nov 2024 20:51:27 -0500
Subject: [PATCH] Introduced protections against deserialization attacks (#2)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
---
paimon-flink/paimon-flink-common/pom.xml | 4 ++++
.../paimon/flink/SchemaChangeSerializationTest.java | 2 ++
paimon-flink/pom.xml | 12 ++++++++++++
paimon-hive/paimon-hive-catalog/pom.xml | 4 ++++
.../org/apache/paimon/hive/SerializableHiveConf.java | 2 ++
.../apache/paimon/hive/SerializableHiveConfTest.java | 2 ++
paimon-hive/paimon-hive-connector-common/pom.xml | 4 ++++
.../paimon/hive/mapred/PaimonOutputCommitter.java | 2 ++
paimon-hive/pom.xml | 12 +++++++++++-
paimon-service/paimon-service-client/pom.xml | 4 ++++
.../service/network/messages/MessageSerializer.java | 3 +++
paimon-service/pom.xml | 12 ++++++++++++
12 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/paimon-flink/paimon-flink-common/pom.xml b/paimon-flink/paimon-flink-common/pom.xml
index 91222983bf6b..bbdb37c20a75 100644
--- a/paimon-flink/paimon-flink-common/pom.xml
+++ b/paimon-flink/paimon-flink-common/pom.xml
@@ -169,6 +169,10 @@ under the License.
+
+ io.github.pixee
+ java-security-toolkit
+
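Review bot: The added dependency element carries only a groupId and an artifactId, so it lands in paimon-flink-common's default (compile) scope although the only consumer in this module is a test class (SchemaChangeSerializationTest, per the diffstat), which ships a new third-party jar with the connector for nothing. Add `<scope>test</scope>` inside this element, assuming no scope line was lost when the XML tags were stripped in rendering. The paimon-hive-catalog, paimon-hive-connector-common and paimon-service-client poms have main-code callers, so compile scope is appropriate there.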
diff --git a/paimon-flink/paimon-flink-common/src/test/java/org/apache/paimon/flink/SchemaChangeSerializationTest.java b/paimon-flink/paimon-flink-common/src/test/java/org/apache/paimon/flink/SchemaChangeSerializationTest.java
index cb9dc5084550..02703203e796 100644
--- a/paimon-flink/paimon-flink-common/src/test/java/org/apache/paimon/flink/SchemaChangeSerializationTest.java
+++ b/paimon-flink/paimon-flink-common/src/test/java/org/apache/paimon/flink/SchemaChangeSerializationTest.java
@@ -18,6 +18,7 @@
package org.apache.paimon.flink;
+import io.github.pixee.security.ObjectInputFilters;
import org.apache.paimon.schema.SchemaChange;
import org.apache.paimon.types.DataTypes;
@@ -58,6 +59,7 @@ private void runTest(SchemaChange schemaChange) throws Exception {
ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
ObjectInputStream ois = new ObjectInputStream(bais);
+ ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
Object actual = ois.readObject();
assertThat(actual).isEqualTo(schemaChange);
}
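Review bot: The filter installed before `Object actual = ois.readObject();` guards only the test's own stream; no production path for SchemaChange deserialization is touched by this commit, so the test passes whether or not any production reader is protected and only proves the toolkit call does not break round-tripping. If the intent is to pin the hardening, a test should drive a production reader and assert that a stream carrying a class outside the expected set is rejected with `InvalidClassException`. The SerializableHiveConfTest hunk has the same shape: its filter sits on the test's outer stream rather than on the stream deSerializeConf opens. While touching this line, `ois` is never closed; `try (ObjectInputStream ois = new ObjectInputStream(bais))` would fix that. runTest begins before the hunk.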
diff --git a/paimon-flink/pom.xml b/paimon-flink/pom.xml
index 031570c0e684..ed031a4e2012 100644
--- a/paimon-flink/pom.xml
+++ b/paimon-flink/pom.xml
@@ -185,4 +185,16 @@ under the License.
+
+
+
+ io.github.pixee
+ java-security-toolkit
+ ${versions.java-security-toolkit}
+
+
+
+
+ 1.2.0
+
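Review bot: The toolkit version `1.2.0` is declared here and again in paimon-hive/pom.xml and paimon-service/pom.xml (the three `1.2.0` lines), so the three module parents can drift independently, and each also repeats the dependencyManagement entry. Declare `versions.java-security-toolkit` once in the root pom with a single managed `io.github.pixee:java-security-toolkit` entry and let the module parents inherit it, assuming these lines are `<properties>` and `<dependencyManagement>` elements whose tags were lost in rendering.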
diff --git a/paimon-hive/paimon-hive-catalog/pom.xml b/paimon-hive/paimon-hive-catalog/pom.xml
index e56d46182df7..7948c16c23ed 100644
--- a/paimon-hive/paimon-hive-catalog/pom.xml
+++ b/paimon-hive/paimon-hive-catalog/pom.xml
@@ -213,6 +213,10 @@ under the License.
jar
test
+
+ io.github.pixee
+ java-security-toolkit
+
diff --git a/paimon-hive/paimon-hive-catalog/src/main/java/org/apache/paimon/hive/SerializableHiveConf.java b/paimon-hive/paimon-hive-catalog/src/main/java/org/apache/paimon/hive/SerializableHiveConf.java
index 38011ef797be..599666d430c0 100644
--- a/paimon-hive/paimon-hive-catalog/src/main/java/org/apache/paimon/hive/SerializableHiveConf.java
+++ b/paimon-hive/paimon-hive-catalog/src/main/java/org/apache/paimon/hive/SerializableHiveConf.java
@@ -18,6 +18,7 @@
package org.apache.paimon.hive;
+import io.github.pixee.security.ObjectInputFilters;
import org.apache.hadoop.hive.conf.HiveConf;
import java.io.ByteArrayInputStream;
@@ -53,6 +54,7 @@ public HiveConf conf() {
private void deSerializeConf() {
try (ByteArrayInputStream bis = new ByteArrayInputStream(serializedConf);
ObjectInputStream ois = new ObjectInputStream(bis)) {
+ ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
this.conf = new HiveConf();
conf.readFields(ois);
} catch (IOException e) {
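Review bot: The filter set by `ObjectInputFilters.enableObjectFilterIfUnprotected(ois);` is only consulted by readObject, and the sole read on this stream is `conf.readFields(ois);`; if HiveConf.readFields consumes the stream purely through DataInput methods (readInt/readUTF), as Hadoop's Configuration does, the filter never fires and this line adds no protection on this path. That is harmless but misleading, so a comment such as `// filter only applies to readObject(); readFields() reads DataInput primitives, so this is defence in depth only` would stop the next reader from assuming the path is covered. Removing the surface entirely would mean reading with a plain DataInputStream, but that changes the serialized form and is out of scope for this commit. deSerializeConf's catch clauses continue past the hunk.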
diff --git a/paimon-hive/paimon-hive-catalog/src/test/java/org/apache/paimon/hive/SerializableHiveConfTest.java b/paimon-hive/paimon-hive-catalog/src/test/java/org/apache/paimon/hive/SerializableHiveConfTest.java
index f10cb742e573..696b1e020ae4 100644
--- a/paimon-hive/paimon-hive-catalog/src/test/java/org/apache/paimon/hive/SerializableHiveConfTest.java
+++ b/paimon-hive/paimon-hive-catalog/src/test/java/org/apache/paimon/hive/SerializableHiveConfTest.java
@@ -18,6 +18,7 @@
package org.apache.paimon.hive;
+import io.github.pixee.security.ObjectInputFilters;
import org.apache.hadoop.hive.conf.HiveConf;
import org.junit.jupiter.api.Test;
@@ -48,6 +49,7 @@ public void testSerializeHiveConf() throws IOException, ClassNotFoundException {
// deserialize
ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
ObjectInputStream ois = new ObjectInputStream(bais);
+ ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
SerializableHiveConf deserializedHiveConf = (SerializableHiveConf) ois.readObject();
ois.close();
diff --git a/paimon-hive/paimon-hive-connector-common/pom.xml b/paimon-hive/paimon-hive-connector-common/pom.xml
index f22b73dea71e..910d23a1aca3 100644
--- a/paimon-hive/paimon-hive-connector-common/pom.xml
+++ b/paimon-hive/paimon-hive-connector-common/pom.xml
@@ -581,6 +581,10 @@ under the License.
test
+
+ io.github.pixee
+ java-security-toolkit
+
diff --git a/paimon-hive/paimon-hive-connector-common/src/main/java/org/apache/paimon/hive/mapred/PaimonOutputCommitter.java b/paimon-hive/paimon-hive-connector-common/src/main/java/org/apache/paimon/hive/mapred/PaimonOutputCommitter.java
index 94bc4a675ae8..763d442a3bf8 100644
--- a/paimon-hive/paimon-hive-connector-common/src/main/java/org/apache/paimon/hive/mapred/PaimonOutputCommitter.java
+++ b/paimon-hive/paimon-hive-connector-common/src/main/java/org/apache/paimon/hive/mapred/PaimonOutputCommitter.java
@@ -18,6 +18,7 @@
package org.apache.paimon.hive.mapred;
+import io.github.pixee.security.ObjectInputFilters;
import org.apache.paimon.fs.FileIO;
import org.apache.paimon.fs.Path;
import org.apache.paimon.table.FileStoreTable;
@@ -273,6 +274,7 @@ private static void createPreCommitFile(
private static List readPreCommitFile(Path location, FileIO io) {
try (ObjectInputStream objectInputStream =
new ObjectInputStream(io.newInputStream(location))) {
+ ObjectInputFilters.enableObjectFilterIfUnprotected(objectInputStream);
return (List) objectInputStream.readObject();
} catch (ClassNotFoundException | IOException e) {
throw new RuntimeException(
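Review bot: A deny-list filter ahead of `return (List) objectInputStream.readObject();` cannot express what this file is expected to contain, and the writer lives in the same class (`createPreCommitFile`, named in the hunk header), so an allow-list is available: build the filter from the concrete classes createPreCommitFile writes, e.g. `ObjectInputFilter.Config.createFilter("<classes written by createPreCommitFile>;!*;maxdepth=<limit>;maxarray=<limit>")`, and set it with `objectInputStream.setObjectInputFilter(...)` if the module baseline is Java 9+, otherwise through the toolkit's equivalent. The raw `List` cast should also become `List<?>` with per-element checks, since nothing after readObject validates element types. readPreCommitFile's catch block continues past the hunk.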
diff --git a/paimon-hive/pom.xml b/paimon-hive/pom.xml
index 7d1d0f2c499c..aef26d7ae51f 100644
--- a/paimon-hive/pom.xml
+++ b/paimon-hive/pom.xml
@@ -50,6 +50,7 @@ under the License.
0.9.8
1.12.319
1.19
+ 1.2.0
@@ -130,5 +131,14 @@ under the License.
test
-
+
+
+
+ io.github.pixee
+ java-security-toolkit
+
+ ${versions.java-security-toolkit}
+
+
+
diff --git a/paimon-service/paimon-service-client/pom.xml b/paimon-service/paimon-service-client/pom.xml
index 68d8aabdc245..90a776bf27cf 100644
--- a/paimon-service/paimon-service-client/pom.xml
+++ b/paimon-service/paimon-service-client/pom.xml
@@ -57,6 +57,10 @@ under the License.
paimon-shade-guava-30
${paimon.shade.guava.version}-${paimon.shade.version}
+
+ io.github.pixee
+ java-security-toolkit
+
diff --git a/paimon-service/paimon-service-client/src/main/java/org/apache/paimon/service/network/messages/MessageSerializer.java b/paimon-service/paimon-service-client/src/main/java/org/apache/paimon/service/network/messages/MessageSerializer.java
index 838131e5f057..00360e665081 100644
--- a/paimon-service/paimon-service-client/src/main/java/org/apache/paimon/service/network/messages/MessageSerializer.java
+++ b/paimon-service/paimon-service-client/src/main/java/org/apache/paimon/service/network/messages/MessageSerializer.java
@@ -18,6 +18,7 @@
package org.apache.paimon.service.network.messages;
+import io.github.pixee.security.ObjectInputFilters;
import org.apache.paimon.service.network.NetworkClient;
import org.apache.paimon.service.network.NetworkServer;
import org.apache.paimon.utils.Preconditions;
@@ -301,6 +302,7 @@ public static RequestFailure deserializeRequestFailure(final ByteBuf buf)
Throwable cause;
try (ByteBufInputStream bis = new ByteBufInputStream(buf);
ObjectInputStream in = new ObjectInputStream(bis)) {
+ ObjectInputFilters.enableObjectFilterIfUnprotected(in);
cause = (Throwable) in.readObject();
}
return new RequestFailure(requestId, cause);
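Review bot: A deny-list of known gadget classes is the weakest choice for `cause = (Throwable) in.readObject();`, because this buffer comes from a remote peer (the NetworkClient/NetworkServer imports suggest so) while the expected payload is narrow: a Throwable and its cause/suppressed chain. Prefer an allow-list pinned as a constant, `private static final ObjectInputFilter FAILURE_FILTER = ObjectInputFilter.Config.createFilter("java.lang.*;java.util.*;<packages the server legitimately sends>;!*;maxdepth=<limit>;maxarray=<limit>");` applied with `in.setObjectInputFilter(FAILURE_FILTER);` (Java 9+ API; if Java 8 must still be supported, the toolkit's filter hooks are the fallback), then tightened after checking which exception types the server actually emits. The cast can still throw an undeclared ClassCastException if the peer sends a non-Throwable, so a `readObject() instanceof Throwable t` check with an IOException otherwise would make the failure explicit. The same applies to the `deserializeServerFailure` hunk below; both methods start before their hunks.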
@@ -321,6 +323,7 @@ public static Throwable deserializeServerFailure(final ByteBuf buf)
throws IOException, ClassNotFoundException {
try (ByteBufInputStream bis = new ByteBufInputStream(buf);
ObjectInputStream in = new ObjectInputStream(bis)) {
+ ObjectInputFilters.enableObjectFilterIfUnprotected(in);
return (Throwable) in.readObject();
}
}
diff --git a/paimon-service/pom.xml b/paimon-service/pom.xml
index b46369a9b384..ed4cb8e2dbab 100644
--- a/paimon-service/pom.xml
+++ b/paimon-service/pom.xml
@@ -37,4 +37,16 @@ under the License.
paimon-service-client
paimon-service-runtime
+
+
+
+ io.github.pixee
+ java-security-toolkit
+ ${versions.java-security-toolkit}
+
+
+
+
+ 1.2.0
+