mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-10-08 14:51:49 +00:00
3f00433ac8
119078 adavis: Merged 5.1.N (5.1.1) to 5.1-MC1 (5.1.0)
118305 nsmintanca: Merged 5.0.N (5.0.4) to 5.1.N (5.1.1)
118217 adavis: Merged V4.2-BUG-FIX (4.2.6) to 5.0.N (5.0.4)
118216 adavis: Merged 5.0.2-CLOUD42 (Cloud ) to V4.2-BUG-FIX (4.2.6)
118215 adavis: Merged 5.0.2-CLOUD (Cloud ) to 5.0.2-CLOUD42 (Cloud )
118214 adavis: Merged 5.0.2-PLUS (5.0.2-PLUS) to 5.0.2-CLOUD (Cloud )
118213 adavis: Merged CLOUD39.6 (Cloud 39.6.6) to 5.0.2-PLUS (5.0.2-PLUS)
116649 cturlica: MNT-15229/MNT-15170: [Security] Java unserialize remote code execution
- added bootstrap unserializer validator: a bootstrap bean that checks that the classes that would favor Java unserialize remote code execution are not available. Check is needed because libs could be introduced by the application server (attached jars should be uploaded).
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@119917 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
153 lines
4.5 KiB
Java
153 lines
4.5 KiB
Java
/*
|
|
* Copyright (C) 2005-2015 Alfresco Software Limited.
|
|
*
|
|
* This file is part of Alfresco
|
|
*
|
|
* Alfresco is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Alfresco is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
package org.alfresco.repo.admin;
|
|
|
|
import java.lang.reflect.Field;
|
|
|
|
import org.alfresco.error.AlfrescoRuntimeException;
|
|
import org.springframework.context.ApplicationEvent;
|
|
import org.springframework.extensions.surf.util.AbstractLifecycleBean;
|
|
|
|
/**
|
|
* Bootstrap unserializer validator: a bootstrap bean that checks that the
|
|
* classes that would favor Java unserialize remote code execution are not
|
|
* available. Check is needed because libs could be introduced by the
|
|
* application server.
|
|
*
|
|
* </p>See MNT-15170 for details.
|
|
*
|
|
* </p> Checked conditions: <br>
|
|
* org.apache.xalan.xsltc.trax.TemplatesImpl and
|
|
* org.springframework.core.SerializableTypeWrapper;<br>
|
|
* org.apache.commons.collections.functors.InvokerTransformer.
|
|
*/
|
|
public class UnserializerValidatorBootstrap extends AbstractLifecycleBean
|
|
{
|
|
|
|
// Bootstrap performed?
|
|
private boolean bootstrapPerformed = false;
|
|
|
|
/**
|
|
* @deprecated Was never used
|
|
*/
|
|
public void setLog(boolean logEnabled)
|
|
{
|
|
// Ignore
|
|
}
|
|
|
|
/**
|
|
* Determine if bootstrap was performed?
|
|
*
|
|
* @return true => bootstrap was performed
|
|
*/
|
|
public boolean hasPerformedBootstrap()
|
|
{
|
|
return bootstrapPerformed;
|
|
}
|
|
|
|
private boolean classInPath(String className)
|
|
{
|
|
try
|
|
{
|
|
Class.forName(className, false, this.getClass().getClassLoader());
|
|
|
|
// it exists on the classpath
|
|
return true;
|
|
}
|
|
catch (ClassNotFoundException e)
|
|
{
|
|
|
|
// it does not exist on the classpath
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Check if Java unserialize remote code execution is already fixed on this
|
|
* <b>commons collections</b> version of <b>InvokerTransformer</b>.
|
|
*
|
|
* @return
|
|
*/
|
|
private boolean isCommonsCollectionsDeserializerFixed()
|
|
{
|
|
try
|
|
{
|
|
Class<?> invokerTransformerClass = Class.forName("org.apache.commons.collections.functors.InvokerTransformer", true, this
|
|
.getClass().getClassLoader());
|
|
|
|
if (invokerTransformerClass != null)
|
|
{
|
|
Field deserialize = invokerTransformerClass.getField("DESERIALIZE");
|
|
if (deserialize != null)
|
|
{
|
|
return true;
|
|
}
|
|
}
|
|
}
|
|
catch (NoSuchFieldException e)
|
|
{
|
|
}
|
|
catch (SecurityException e)
|
|
{
|
|
}
|
|
catch (ClassNotFoundException e)
|
|
{
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Bootstrap unserializer validator.
|
|
*/
|
|
public void bootstrap()
|
|
{
|
|
if (classInPath("org.apache.xalan.xsltc.trax.TemplatesImpl") && classInPath("org.springframework.core.SerializableTypeWrapper"))
|
|
{
|
|
throw new AlfrescoRuntimeException(
|
|
"Bootstrap failed: both org.apache.xalan.xsltc.trax.TemplatesImpl and org.springframework.core.SerializableTypeWrapper appear at the same time in classpath ");
|
|
}
|
|
|
|
// Check if Java unserialize remote code execution is available and not
|
|
// fixed on this <b>commons collections</b> version of
|
|
// <b>InvokerTransformer</b>.
|
|
if (classInPath("org.apache.commons.collections.functors.InvokerTransformer") && !isCommonsCollectionsDeserializerFixed())
|
|
{
|
|
throw new AlfrescoRuntimeException(
|
|
"Bootstrap failed: org.apache.commons.collections.functors.InvokerTransformer was found in classpath.");
|
|
}
|
|
|
|
// a bootstrap was performed
|
|
bootstrapPerformed = true;
|
|
}
|
|
|
|
@Override
|
|
protected void onBootstrap(ApplicationEvent event)
|
|
{
|
|
bootstrap();
|
|
}
|
|
|
|
@Override
|
|
protected void onShutdown(ApplicationEvent event)
|
|
{
|
|
// NOOP
|
|
}
|
|
|
|
}
|