Skip to content

Commit

Permalink
Backported CVE-2018-7489 (#3176)
Browse files Browse the repository at this point in the history
Co-authored-by: Chin Wei Low <[email protected]>
  • Loading branch information
lowchinwei and Chin Wei Low authored Jun 16, 2021
1 parent 2118e71 commit ca2bfc8
Show file tree
Hide file tree
Showing 2 changed files with 46 additions and 7 deletions.
1 change: 1 addition & 0 deletions release-notes/VERSION
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ Backported all CVE fixes up to CVE-2021-20190
#2986: Block 2 more gadget types (commons-dbcp2, CVE-2020-35490 / CVE-2020-35491)
#2854: Block one more gadget type (javax.swing, CVE-2021-20190)
#2798: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750)
#1931: Block two more gadgets to exploit default typing issue (c3p0, CVE-2018-7489)

2.6.7.4 (25-Oct-2020)

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,10 @@ public class BeanDeserializerFactory
{
private static final long serialVersionUID = 1;

protected final static String PREFIX_SPRING = "org.springframework.";

protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";

/**
* Signature of <b>Throwable.initCause</b> method.
*/
Expand Down Expand Up @@ -1072,13 +1076,47 @@ private void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
{
// There are certain nasty classes that could cause problems, mostly
// via default typing -- catch them here.
String full = type.getRawClass().getName();
final Class<?> raw = type.getRawClass();
String full = raw.getName();

if (_cfgIllegalClassNames.contains(full)) {
String message = String.format("Illegal type (%s) to deserialize: prevented for security reasons",
full);
throw ctxt.mappingException("Invalid type definition for type %s: %s",
beanDesc, message);
}
main_check:
do {
if (_cfgIllegalClassNames.contains(full)) {
break;
}

// 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
// for some Spring framework types
// 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
if (raw.isInterface()) {
;
} else if (full.startsWith(PREFIX_SPRING)) {
for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
String name = cls.getSimpleName();
// looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
if ("AbstractPointcutAdvisor".equals(name)
// ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts
|| "AbstractApplicationContext".equals(name)) {
break main_check;
}
}
} else if (full.startsWith(PREFIX_C3P0)) {
// [databind#1737]; more 3rd party
// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
// [databind#1931]; more 3rd party
// com.mchange.v2.c3p0.ComboPooledDataSource
// com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource
if (full.endsWith("DataSource")) {
break main_check;
}
}
return;
} while (false);

String message = String.format("Illegal type (%s) to deserialize: prevented for security reasons",
full);
throw ctxt.mappingException("Invalid type definition for type %s: %s",
beanDesc, message);
}
}

0 comments on commit ca2bfc8

Please sign in to comment.