From 9f0097c876f4e6da63549af43c213e04aedac370 Mon Sep 17 00:00:00 2001 From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com> Date: Wed, 27 Nov 2024 20:51:27 -0500 Subject: [PATCH] Introduced protections against deserialization attacks (#2) Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com> --- paimon-flink/paimon-flink-common/pom.xml | 4 ++++ .../paimon/flink/SchemaChangeSerializationTest.java | 2 ++ paimon-flink/pom.xml | 12 ++++++++++++ paimon-hive/paimon-hive-catalog/pom.xml | 4 ++++ .../org/apache/paimon/hive/SerializableHiveConf.java | 2 ++ .../apache/paimon/hive/SerializableHiveConfTest.java | 2 ++ paimon-hive/paimon-hive-connector-common/pom.xml | 4 ++++ .../paimon/hive/mapred/PaimonOutputCommitter.java | 2 ++ paimon-hive/pom.xml | 12 +++++++++++- paimon-service/paimon-service-client/pom.xml | 4 ++++ .../service/network/messages/MessageSerializer.java | 3 +++ paimon-service/pom.xml | 12 ++++++++++++ 12 files changed, 62 insertions(+), 1 deletion(-) diff --git a/paimon-flink/paimon-flink-common/pom.xml b/paimon-flink/paimon-flink-common/pom.xml index 91222983bf6b..bbdb37c20a75 100644 --- a/paimon-flink/paimon-flink-common/pom.xml +++ b/paimon-flink/paimon-flink-common/pom.xml @@ -169,6 +169,10 @@ under the License. + + io.github.pixee + java-security-toolkit + diff --git a/paimon-flink/paimon-flink-common/src/test/java/org/apache/paimon/flink/SchemaChangeSerializationTest.java b/paimon-flink/paimon-flink-common/src/test/java/org/apache/paimon/flink/SchemaChangeSerializationTest.java index cb9dc5084550..02703203e796 100644 --- a/paimon-flink/paimon-flink-common/src/test/java/org/apache/paimon/flink/SchemaChangeSerializationTest.java +++ b/paimon-flink/paimon-flink-common/src/test/java/org/apache/paimon/flink/SchemaChangeSerializationTest.java 
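Review bot: The `java-security-toolkit` dependency added to `paimon-flink-common/pom.xml` is a runtime dependency (the filter call runs in production code), but the hunk declares no scope and the flink module is, as far as I can tell from the module layout, repackaged into the bundled connector jar. If the shade/assembly configuration does not include (and ideally relocate) `io.github.pixee:*`, users of the published bundle will hit `NoClassDefFoundError: io/github/pixee/security/ObjectInputFilters` the first time a filtered stream is opened. Please confirm the artifact is part of the shaded set, or add an explicit `<scope>` and include pattern next to this declaration so the intent is visible in the pom.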
@@ -18,6 +18,7 @@ package org.apache.paimon.flink; +import io.github.pixee.security.ObjectInputFilters; import org.apache.paimon.schema.SchemaChange; import org.apache.paimon.types.DataTypes; @@ -58,6 +59,7 @@ private void runTest(SchemaChange schemaChange) throws Exception { ByteArrayInputStream bais = new ByteArrayInputStream(bytes); ObjectInputStream ois = new ObjectInputStream(bais); + ObjectInputFilters.enableObjectFilterIfUnprotected(ois); Object actual = ois.readObject(); assertThat(actual).isEqualTo(schemaChange); } diff --git a/paimon-flink/pom.xml b/paimon-flink/pom.xml index 031570c0e684..ed031a4e2012 100644 --- a/paimon-flink/pom.xml +++ b/paimon-flink/pom.xml @@ -185,4 +185,16 @@ under the License. + + + + io.github.pixee + java-security-toolkit + ${versions.java-security-toolkit} + + + + + 1.2.0 + diff --git a/paimon-hive/paimon-hive-catalog/pom.xml b/paimon-hive/paimon-hive-catalog/pom.xml index e56d46182df7..7948c16c23ed 100644 --- a/paimon-hive/paimon-hive-catalog/pom.xml +++ b/paimon-hive/paimon-hive-catalog/pom.xml @@ -213,6 +213,10 @@ under the License. jar test + + io.github.pixee + java-security-toolkit + diff --git a/paimon-hive/paimon-hive-catalog/src/main/java/org/apache/paimon/hive/SerializableHiveConf.java b/paimon-hive/paimon-hive-catalog/src/main/java/org/apache/paimon/hive/SerializableHiveConf.java index 38011ef797be..599666d430c0 100644 --- a/paimon-hive/paimon-hive-catalog/src/main/java/org/apache/paimon/hive/SerializableHiveConf.java +++ b/paimon-hive/paimon-hive-catalog/src/main/java/org/apache/paimon/hive/SerializableHiveConf.java @@ -18,6 +18,7 @@ package org.apache.paimon.hive; +import io.github.pixee.security.ObjectInputFilters; import org.apache.hadoop.hive.conf.HiveConf; import java.io.ByteArrayInputStream; 
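Review bot: The `versions.java-security-toolkit` property is set to `1.2.0` in `paimon-flink/pom.xml` here, and the same literal appears again in the `paimon-hive` and `paimon-service` parent poms later in this patch, so the three copies can drift independently. A single property and `dependencyManagement` entry in the root pom would pin one version project-wide and make future upgrades (and vulnerability triage of the toolkit itself) a one-line change. Since this is a new third-party artifact that ends up in distributed jars, its license also has to be reflected in the distribution LICENSE/NOTICE handling; I cannot see those files in this patch, so please verify they are updated.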
@@ -53,6 +54,7 @@ public HiveConf conf() { private void deSerializeConf() { try (ByteArrayInputStream bis = new ByteArrayInputStream(serializedConf); ObjectInputStream ois = new ObjectInputStream(bis)) { + ObjectInputFilters.enableObjectFilterIfUnprotected(ois); this.conf = new HiveConf(); conf.readFields(ois); } catch (IOException e) { diff --git a/paimon-hive/paimon-hive-catalog/src/test/java/org/apache/paimon/hive/SerializableHiveConfTest.java b/paimon-hive/paimon-hive-catalog/src/test/java/org/apache/paimon/hive/SerializableHiveConfTest.java index f10cb742e573..696b1e020ae4 100644 --- a/paimon-hive/paimon-hive-catalog/src/test/java/org/apache/paimon/hive/SerializableHiveConfTest.java +++ b/paimon-hive/paimon-hive-catalog/src/test/java/org/apache/paimon/hive/SerializableHiveConfTest.java @@ -18,6 +18,7 @@ package org.apache.paimon.hive; +import io.github.pixee.security.ObjectInputFilters; import org.apache.hadoop.hive.conf.HiveConf; import org.junit.jupiter.api.Test; @@ -48,6 +49,7 @@ public void testSerializeHiveConf() throws IOException, ClassNotFoundException { // deserialize ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray()); ObjectInputStream ois = new ObjectInputStream(bais); + ObjectInputFilters.enableObjectFilterIfUnprotected(ois); SerializableHiveConf deserializedHiveConf = (SerializableHiveConf) ois.readObject(); ois.close(); diff --git a/paimon-hive/paimon-hive-connector-common/pom.xml b/paimon-hive/paimon-hive-connector-common/pom.xml index f22b73dea71e..910d23a1aca3 100644 --- a/paimon-hive/paimon-hive-connector-common/pom.xml +++ b/paimon-hive/paimon-hive-connector-common/pom.xml @@ -581,6 +581,10 @@ under the License. test + + io.github.pixee + java-security-toolkit + 
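Review bot: In `deSerializeConf`, the added `ObjectInputFilters.enableObjectFilterIfUnprotected(ois)` is followed only by `conf.readFields(ois)`, and as far as I can tell Hadoop's `Configuration.readFields` reads primitives and `Text` strings from the stream rather than calling `readObject()`, so an `ObjectInputFilter` never fires on this path. If that is correct, the line is harmless but gives a false sense of coverage; the actual Java-serialization surface of this class is the deserialization of the `SerializableHiveConf` wrapper itself by whoever receives it, which this hunk does not touch. I would either drop the call here with a comment such as `// readFields() does not use readObject(); no ObjectInputFilter needed on this stream` or, if `readFields` can reach `readObject()` in the Hive version in use, say so in a comment so the next reader does not reach the same conclusion. The method's `catch` continues past the end of the hunk.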
diff --git a/paimon-hive/paimon-hive-connector-common/src/main/java/org/apache/paimon/hive/mapred/PaimonOutputCommitter.java b/paimon-hive/paimon-hive-connector-common/src/main/java/org/apache/paimon/hive/mapred/PaimonOutputCommitter.java index 94bc4a675ae8..763d442a3bf8 100644 --- a/paimon-hive/paimon-hive-connector-common/src/main/java/org/apache/paimon/hive/mapred/PaimonOutputCommitter.java +++ b/paimon-hive/paimon-hive-connector-common/src/main/java/org/apache/paimon/hive/mapred/PaimonOutputCommitter.java @@ -18,6 +18,7 @@ package org.apache.paimon.hive.mapred; +import io.github.pixee.security.ObjectInputFilters; import org.apache.paimon.fs.FileIO; import org.apache.paimon.fs.Path; import org.apache.paimon.table.FileStoreTable; @@ -273,6 +274,7 @@ private static void createPreCommitFile( private static List readPreCommitFile(Path location, FileIO io) { try (ObjectInputStream objectInputStream = new ObjectInputStream(io.newInputStream(location))) { + ObjectInputFilters.enableObjectFilterIfUnprotected(objectInputStream); return (List) objectInputStream.readObject(); } catch (ClassNotFoundException | IOException e) { throw new RuntimeException( diff --git a/paimon-hive/pom.xml b/paimon-hive/pom.xml index 7d1d0f2c499c..aef26d7ae51f 100644 --- a/paimon-hive/pom.xml +++ b/paimon-hive/pom.xml @@ -50,6 +50,7 @@ under the License. 0.9.8 1.12.319 1.19 + 1.2.0 @@ -130,5 +131,14 @@ under the License. test - + + + + io.github.pixee + java-security-toolkit + + ${versions.java-security-toolkit} + + + diff --git a/paimon-service/paimon-service-client/pom.xml b/paimon-service/paimon-service-client/pom.xml index 68d8aabdc245..90a776bf27cf 100644 --- a/paimon-service/paimon-service-client/pom.xml +++ b/paimon-service/paimon-service-client/pom.xml @@ -57,6 +57,10 @@ under the License. paimon-shade-guava-30 ${paimon.shade.guava.version}-${paimon.shade.version} + + io.github.pixee + java-security-toolkit + 
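Review bot: `readPreCommitFile` deserializes a file read back from shared storage via `io.newInputStream(location)`, so anyone who can write to that location controls the stream, and a generic "known gadget" filter is the weakest fix available here. As I understand the toolkit, `enableObjectFilterIfUnprotected` installs a blocklist of known dangerous classes and is skipped entirely when a filter is already present, so it neither constrains the stream to the types this method actually expects nor bounds depth or array sizes. Since the expected content is a `List` of Paimon's own commit-message types, an allowlist with limits is both stronger and self-documenting, e.g. `objectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.ArrayList;java.util.LinkedList;org.apache.paimon.**;!*;maxdepth=20;maxarray=100000"));` (the exact class set needs to be checked against what `createPreCommitFile` writes). The raw `(List)` cast is also unchecked; narrowing it to the element type once the filter guarantees the classes would make the contract explicit. The method's `catch` block continues beyond the hunk.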
diff --git a/paimon-service/paimon-service-client/src/main/java/org/apache/paimon/service/network/messages/MessageSerializer.java b/paimon-service/paimon-service-client/src/main/java/org/apache/paimon/service/network/messages/MessageSerializer.java index 838131e5f057..00360e665081 100644 --- a/paimon-service/paimon-service-client/src/main/java/org/apache/paimon/service/network/messages/MessageSerializer.java +++ b/paimon-service/paimon-service-client/src/main/java/org/apache/paimon/service/network/messages/MessageSerializer.java @@ -18,6 +18,7 @@ package org.apache.paimon.service.network.messages; +import io.github.pixee.security.ObjectInputFilters; import org.apache.paimon.service.network.NetworkClient; import org.apache.paimon.service.network.NetworkServer; import org.apache.paimon.utils.Preconditions; @@ -301,6 +302,7 @@ public static RequestFailure deserializeRequestFailure(final ByteBuf buf) Throwable cause; try (ByteBufInputStream bis = new ByteBufInputStream(buf); ObjectInputStream in = new ObjectInputStream(bis)) { + ObjectInputFilters.enableObjectFilterIfUnprotected(in); cause = (Throwable) in.readObject(); } return new RequestFailure(requestId, cause); @@ -321,6 +323,7 @@ public static Throwable deserializeServerFailure(final ByteBuf buf) throws IOException, ClassNotFoundException { try (ByteBufInputStream bis = new ByteBufInputStream(buf); ObjectInputStream in = new ObjectInputStream(bis)) { + ObjectInputFilters.enableObjectFilterIfUnprotected(in); return (Throwable) in.readObject(); } } diff --git a/paimon-service/pom.xml b/paimon-service/pom.xml index b46369a9b384..ed4cb8e2dbab 100644 --- a/paimon-service/pom.xml +++ b/paimon-service/pom.xml @@ -37,4 +37,16 @@ under the License. paimon-service-client paimon-service-runtime + + + + io.github.pixee + java-security-toolkit + ${versions.java-security-toolkit} + + + + + 1.2.0 +
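Review bot: `deserializeRequestFailure` reads a `Throwable` straight out of a network `ByteBuf`, so this is the one path in the patch where the peer is genuinely untrusted, and a blocklist-style filter is not a strong enough guarantee for it. As far as I understand the toolkit, `enableObjectFilterIfUnprotected` only rejects a catalogue of known gadget classes and does nothing if a process-wide `jdk.serialFilter` is already configured, so a class outside the catalogue or a resource-exhaustion payload (deep cause chains, huge `StackTraceElement[]`) would still be accepted. An explicit allowlist scoped to throwables and their support types, with size limits, is more defensible, e.g. `in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.lang.**;java.util.**;java.io.**;org.apache.paimon.**;!*;maxdepth=50;maxarray=10000;maxrefs=10000"));`, though the set must be validated against the exception types the server actually sends. Whichever filter is kept, please add a comment above the `readObject()` stating that the payload is network-supplied and why the chosen filter is considered sufficient.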
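Review bot: `deserializeServerFailure` repeats the same two-line `new ObjectInputStream(bis)` plus `ObjectInputFilters.enableObjectFilterIfUnprotected(in)` pattern that `deserializeRequestFailure` uses, so the filter policy for network payloads now lives in two places and can silently diverge when one is tightened. A small private factory in this class, e.g. `private static ObjectInputStream filteredObjectInput(ByteBufInputStream bis) throws IOException`, that constructs the stream and applies the filter would keep both call sites on one policy and give a single place to document it. Both readers would then become `try (ByteBufInputStream bis = new ByteBufInputStream(buf); ObjectInputStream in = filteredObjectInput(bis)) { ... }`, which also lets a later test assert the filter is applied by exercising one method.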