	118435 cturlica: Merged V4.2-BUG-FIX (4.2.6) to 5.0.N (5.0.4)
      118397 cturlica: MNT-15229: Add check of vulnerable classes to bootstrap
         -  changes on bootstrap bean validator and bootstrap-context.xml 
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.1.N/root@118524 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
/*
 * Copyright (C) 2005-2015 Alfresco Software Limited.
 *
 * This file is part of Alfresco
 *
 * Alfresco is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * Alfresco is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
 */
| package org.alfresco.repo.admin;
 | |
| 
 | |
| import java.io.ByteArrayOutputStream;
 | |
| import java.io.IOException;
 | |
| import java.io.ObjectOutputStream;
 | |
| import java.lang.reflect.Constructor;
 | |
| import java.lang.reflect.InvocationTargetException;
 | |
| 
 | |
| import org.alfresco.error.AlfrescoRuntimeException;
 | |
| import org.apache.commons.logging.Log;
 | |
| import org.apache.commons.logging.LogFactory;
 | |
| import org.springframework.context.ApplicationEvent;
 | |
| import org.springframework.extensions.surf.util.AbstractLifecycleBean;
 | |
| 
 | |
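/**
 * Bootstrap unserializer validator: a bootstrap bean that checks that the
 * classes which would enable Java deserialization remote code execution are not
 * available. The check is needed because such libraries can be introduced by
 * the application server rather than by Alfresco itself.
 * <p>
 * See MNT-15170 for details.
 * <p>
 * Checked conditions:
 * <ul>
 * <li>{@code org.apache.xalan.xsltc.trax.TemplatesImpl} and
 * {@code org.springframework.core.SerializableTypeWrapper} present at the same
 * time;</li>
 * <li>any of the {@code org.apache.commons.collections.functors} classes listed
 * in {@code UNSAFE_COMMONS_COLLECTIONS_CLASSES} present, unless the library
 * version found refuses to serialize them (see
 * {@code isCommonsCollectionsDeserializerFixed()}).</li>
 * </ul>
 * All lookups go through this bean's class loader, so classes reachable only
 * via another loader are not seen by this validator. The validation runs once,
 * when the application context bootstraps; a failure aborts startup.
 */
public class UnserializerValidatorBootstrap extends AbstractLifecycleBean
{

    private static final Log logger = LogFactory.getLog(UnserializerValidatorBootstrap.class);

    private static final String ERR_UNEXPECTED_ERROR = "unserializer.validator.err.unexpectederror";

    /** Must not be present together with {@code SPRING_SERIALIZABLE_TYPE_WRAPPER}. */
    private static final String XALAN_TEMPLATES_IMPL = "org.apache.xalan.xsltc.trax.TemplatesImpl";

    /** Must not be present together with {@code XALAN_TEMPLATES_IMPL}. */
    private static final String SPRING_SERIALIZABLE_TYPE_WRAPPER = "org.springframework.core.SerializableTypeWrapper";

    /** The commons-collections functor used to probe whether serialization has been disabled. */
    private static final String COMMONS_COLLECTIONS_INVOKER_TRANSFORMER = "org.apache.commons.collections.functors.InvokerTransformer";

    /**
     * commons-collections 3.x functor classes whose presence on the classpath
     * fails bootstrap unless the library refuses to serialize them. The probe
     * stops at the first class found, so order only affects which class is
     * loaded.
     */
    private static final String[] UNSAFE_COMMONS_COLLECTIONS_CLASSES = {
            COMMONS_COLLECTIONS_INVOKER_TRANSFORMER,
            "org.apache.commons.collections.functors.InstantiateFactory",
            "org.apache.commons.collections.functors.InstantiateTransformer",
            "org.apache.commons.collections.functors.PrototypeCloneFactory",
            "org.apache.commons.collections.functors.PrototypeSerializationFactory",
            "org.apache.commons.collections.functors.WhileClosure",
            "org.apache.commons.collections.functors.CloneTransformer",
            "org.apache.commons.collections.functors.ForClosure"
    };

    // Set to true only after both checks in bootstrap() have passed
    private boolean bootstrapPerformed = false;

    /**
     * @deprecated Was never used; the value is ignored.
     */
    @Deprecated
    public void setLog(boolean logEnabled)
    {
        // Ignore
    }

    /**
     * Determine if bootstrap was performed.
     * 
     * @return true => bootstrap was performed and both checks passed
     */
    public boolean hasPerformedBootstrap()
    {
        return bootstrapPerformed;
    }

    /**
     * Tests whether a class can be located by this bean's class loader.
     * <p>
     * The class is looked up without initialising it, so no static initialiser
     * of the probed library runs. Only {@link ClassNotFoundException} is mapped
     * to {@code false}; any other problem raised while loading (for example a
     * {@link LinkageError}) propagates and aborts bootstrap.
     * 
     * @param className fully qualified class name to probe
     * @return true if the class is visible on the classpath
     */
    private boolean classInPath(String className)
    {
        try
        {
            Class.forName(className, false, this.getClass().getClassLoader());
            return true;
        }
        catch (ClassNotFoundException e)
        {
            return false;
        }
    }

    /**
     * Tests whether any of the given classes is visible to this bean's class
     * loader, stopping at the first hit.
     * 
     * @param classNames fully qualified class names to probe, in order
     * @return true if at least one class is on the classpath
     */
    private boolean anyClassInPath(String[] classNames)
    {
        for (String className : classNames)
        {
            if (classInPath(className))
            {
                return true;
            }
        }
        return false;
    }

    /**
     * Check if Java unserialize remote code execution is already fixed on this
     * <b>commons collections</b> version, i.e. whether the library refuses to
     * serialize its functors.
     * <p>
     * The probe instantiates {@code InvokerTransformer} reflectively (this does
     * initialise the class) and writes it to an in-memory
     * {@link ObjectOutputStream}. A fixed library rejects the write with an
     * {@link UnsupportedOperationException}; a vulnerable one serializes it
     * without complaint. Only {@code InvokerTransformer} is probed, so a
     * classpath holding other functor classes but not this one is reported as
     * not fixed (fail closed).
     * 
     * @return true only if serialization of the functor was refused; false if
     *         it serialized successfully or could not be loaded, instantiated
     *         or accessed at all
     * @throws AlfrescoRuntimeException if the probe itself fails unexpectedly:
     *         no matching constructor, invalid constructor arguments, or an I/O
     *         error on the in-memory stream
     */
    private boolean isCommonsCollectionsDeserializerFixed()
    {
        try
        {
            Object invokerTransformer = newInvokerTransformer();
            return serializationRefused(invokerTransformer);
        }
        catch (SecurityException e)
        {
            // Reflection not permitted: the fix cannot be proven, so fail closed
            return false;
        }
        catch (ClassNotFoundException e)
        {
            // Library absent: nothing to probe, reported as not fixed
            return false;
        }
        catch (InstantiationException e)
        {
            // Functor cannot be instantiated: reported as not fixed
            return false;
        }
        catch (IllegalAccessException e)
        {
            // Constructor not accessible: reported as not fixed
            return false;
        }
        catch (InvocationTargetException e)
        {
            // Constructor threw: reported as not fixed
            return false;
        }
        catch (NoSuchMethodException e)
        {
            // The expected (String, Class[], Object[]) constructor is missing:
            // the library layout is not the one this probe understands
            throw new AlfrescoRuntimeException(ERR_UNEXPECTED_ERROR, e);
        }
        catch (IllegalArgumentException e)
        {
            throw new AlfrescoRuntimeException(ERR_UNEXPECTED_ERROR, e);
        }
    }

    /**
     * Reflectively creates an {@code InvokerTransformer} with all-null
     * arguments. The instance is only ever used as a serialization probe and is
     * never invoked.
     * 
     * @return the new functor instance
     * @throws ClassNotFoundException if the class is not on the classpath
     * @throws NoSuchMethodException if the (String, Class[], Object[])
     *         constructor does not exist
     * @throws InstantiationException if the class cannot be instantiated
     * @throws IllegalAccessException if the constructor is not accessible
     * @throws InvocationTargetException if the constructor throws
     */
    private Object newInvokerTransformer() throws ClassNotFoundException, NoSuchMethodException,
            InstantiationException, IllegalAccessException, InvocationTargetException
    {
        // initialize=true: the functor's static initialisers run here, unlike classInPath()
        Class<?> transformerClass = Class.forName(COMMONS_COLLECTIONS_INVOKER_TRANSFORMER, true,
                this.getClass().getClassLoader());
        Constructor<?> constructor = transformerClass.getConstructor(String.class, Class[].class,
                Object[].class);
        return constructor.newInstance(null, null, null);
    }

    /**
     * Writes the probe object to an in-memory stream and reports whether the
     * library refused the write.
     * 
     * @param probe the functor instance to serialize
     * @return true if the write failed with {@link UnsupportedOperationException}
     *         (serialization disabled for security reasons), false if it
     *         serialized
     * @throws AlfrescoRuntimeException on an I/O error, which should not happen
     *         on a byte array stream
     */
    private boolean serializationRefused(Object probe)
    {
        ObjectOutputStream objectOut = null;
        try
        {
            objectOut = new ObjectOutputStream(new ByteArrayOutputStream());
            objectOut.writeObject(probe);
            objectOut.flush();
            return false;
        }
        catch (UnsupportedOperationException e)
        {
            // Expected on a fixed library: serialization support is disabled
            // for security reasons
            return true;
        }
        catch (IOException e)
        {
            throw new AlfrescoRuntimeException(ERR_UNEXPECTED_ERROR, e);
        }
        finally
        {
            if (objectOut != null)
            {
                try
                {
                    objectOut.close();
                }
                catch (IOException ignored)
                {
                    // In-memory stream: nothing to release, so a close failure
                    // is irrelevant to the outcome
                }
            }
        }
    }

    /**
     * Bootstrap unserializer validator: runs both checks and records that
     * validation completed.
     * 
     * @throws AlfrescoRuntimeException if the Xalan/Spring class combination is
     *         present, or if a commons-collections functor is present on a
     *         library version that still serializes it
     */
    public void bootstrap()
    {
        if (classInPath(XALAN_TEMPLATES_IMPL) && classInPath(SPRING_SERIALIZABLE_TYPE_WRAPPER))
        {
            throw new AlfrescoRuntimeException(
                    "Bootstrap failed: both org.apache.xalan.xsltc.trax.TemplatesImpl and org.springframework.core.SerializableTypeWrapper appear at the same time in classpath ");
        }

        // Check if Java unserialize remote code execution is available and not
        // fixed on this commons collections. The serialization probe (which
        // loads and initialises the functor) only runs when at least one of
        // the functor classes is actually present.
        if (anyClassInPath(UNSAFE_COMMONS_COLLECTIONS_CLASSES) && !isCommonsCollectionsDeserializerFixed())
        {
            throw new AlfrescoRuntimeException(
                    "Bootstrap failed: org.apache.commons.collections.functors.* unsafe serialization classes found in classpath.");
        }

        // Only reached when both checks passed
        bootstrapPerformed = true;
    }

    /**
     * Runs {@link #bootstrap()} when the application context starts.
     * 
     * @param event the context event that triggered bootstrap
     */
    @Override
    protected void onBootstrap(ApplicationEvent event)
    {
        bootstrap();
    }

    /**
     * Nothing to release on shutdown: the validator holds no resources.
     * 
     * @param event the context event that triggered shutdown
     */
    @Override
    protected void onShutdown(ApplicationEvent event)
    {
        // NOOP
    }

}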
 |