

Replace opensearch class names with opendistro class names during serialization and restore them back during deserialization
vrozov committed Jun 18, 2021
1 parent 80c1208 commit c7ee229
Showing 1 changed file with 36 additions and 0 deletions.
36 changes: 36 additions & 0 deletions src/main/java/org/opensearch/security/support/Base64Helper.java
Expand Up @@ -31,6 +31,9 @@
package org.opensearch.security.support;

import com.amazon.dlic.auth.ldap.LdapUser;
import org.apache.commons.lang3.SerializationUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.ldaptive.AbstractLdapBean;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
Expand All @@ -46,6 +49,7 @@
import java.io.ObjectStreamClass;
import java.io.OutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
Expand All @@ -70,6 +74,7 @@
import com.google.common.io.BaseEncoding;

public class Base64Helper {
private static final Logger logger = LogManager.getLogger(Base64Helper.class);

private static final Set<Class<?>> SAFE_CLASSES = ImmutableSet.of(
String.class,
Expand Down Expand Up @@ -138,6 +143,7 @@ static ObjectOutputStream create(ByteArrayOutputStream out) throws IOException {

private SafeObjectOutputStream(OutputStream out) throws IOException {
super(out);
//useProtocolVersion(PROTOCOL_VERSION_2);

SecurityManager sm = System.getSecurityManager();
if (sm != null) {
Expand All @@ -149,6 +155,24 @@ private SafeObjectOutputStream(OutputStream out) throws IOException {
);
}

@Override
protected void writeClassDescriptor(ObjectStreamClass desc) throws IOException {
if (desc.getName().equals(User.class.getName())) {
final Field name;
try {
desc = SerializationUtils.clone(desc);
name = desc.getClass().getDeclaredField("name");
name.setAccessible(true);
name.set(desc, "com.amazon.opendistroforelasticsearch.security.user.User");
logger.warn("Changed desc {}", desc);
} catch (ReflectiveOperationException e) {
logger.error("Failed to change desc {} name", desc, e);
}
//desc = ObjectStreamClass.lookup(com.amazon.opendistroforelasticsearch.security.user.User.class);
}
super.writeClassDescriptor(desc);
}

@Override
protected Object replaceObject(Object obj) throws IOException {
Class<?> clazz = obj.getClass();
Expand Down Expand Up @@ -202,5 +226,17 @@ protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, Clas

throw new InvalidClassException("Unauthorized deserialization attempt ", clazz.getName());
}

@Override
protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
ObjectStreamClass desc = super.readClassDescriptor();

if (desc.getName().equals("com.amazon.opendistroforelasticsearch.security.user.User")) {
desc = ObjectStreamClass.lookup(org.opensearch.security.user.User.class);
logger.warn("replaced class desc {}", desc);
}

return desc;
}
}
}
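Review bot: The catch in writeClassDescriptor covers only ReflectiveOperationException, but `name.setAccessible(true)` on the private `java.io.ObjectStreamClass.name` field throws `java.lang.reflect.InaccessibleObjectException` (a RuntimeException) on JDK 16+ unless the JVM is started with `--add-opens java.base/java.io=ALL-UNNAMED`, so the first User written would abort the whole serialization instead of reaching the logged fallback; `} catch (ReflectiveOperationException | InaccessibleObjectException e) {` keeps the fallback reachable if the build targets JDK 9 or later. That fallback then writes the unmodified opensearch name while only logging at error, so a peer expecting the opendistro name fails later with less context — consider whether this should fail fast with an IOException instead. The field is mutated on the object returned by SerializationUtils.clone rather than on the JVM's cached descriptor, which is the right idea, but it presumes the clone is a fresh instance; a comment stating that, plus a test that serializes two Users into one stream, would pin it down. In readClassDescriptor the stream's descriptor is replaced by `ObjectStreamClass.lookup(org.opensearch.security.user.User.class)` before the stream's field layout is reconciled, which presumes the opendistro and opensearch User classes share serialVersionUID and serializable fields; that assumption deserves a comment. Both `logger.warn(...)` calls fire on every User crossing the stream and belong at debug, and the commented-out lines `//useProtocolVersion(PROTOCOL_VERSION_2);` and `//desc = ObjectStreamClass.lookup(...)` should be removed.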

