From 7018a3609c7bcc9dc7bf5903509901a986e5f578 Mon Sep 17 00:00:00 2001
From: Ceki Gulcu
Date: Fri, 1 Dec 2023 12:44:31 +0100
Subject: [PATCH] fix missing deseialization filter init call, enable commented out test case

Signed-off-by: Ceki Gulcu
---
 .../core/net/HardenedObjectInputStream.java | 2 +-
 .../net/HardenedObjectInputStreamTest.java | 74 ++++++++++---------
 2 files changed, 40 insertions(+), 36 deletions(-)

diff --git a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
index 185d8fbd73..19cbbdd3f2 100755
--- a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
+++ b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
@@ -60,7 +60,7 @@ private void initObjectFilter() {
 }
 public HardenedObjectInputStream(InputStream in, List whitelist) throws IOException {
 super(in);
-
+ this.initObjectFilter();
 this.whitelistedClassNames = new ArrayList();
 this.whitelistedClassNames.addAll(whitelist);
 }
diff --git a/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
index 968b4b0fe0..b2ca525ac3 100755
--- a/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
+++ b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
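Review bot: The root cause here is a duplicated initialisation path — the ObjectInputFilter has to be installed by hand in each constructor, and this hunk patches one constructor without anything stopping the same omission in the next one. If the other constructor(s) of HardenedObjectInputStream (outside this hunk) run the same `super(in)` followed by `initObjectFilter()` sequence, consider chaining them with `this(...)` so the filter is installed on exactly one path, and add a why-comment on the new line: `// install the deserialization filter in every constructor, before any readObject() call`. Whether that filter is what bounds nesting depth is not visible here, but the test hunk's expectation of InvalidClassException on a deeply nested HashSet suggests so — worth confirming in initObjectFilter's body. As a style point, `List whitelist` and `new ArrayList()` are raw types; `List<String>` (the field presumably holds class names) would let the compiler check callers. The surrounding class continues outside the hunk.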
@@ -3,13 +3,18 @@
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.InvalidClassException;
 import java.io.ObjectOutputStream;
+import java.util.HashSet;
+import java.util.Set;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 public class HardenedObjectInputStreamTest {
@@ -53,39 +58,38 @@ private void writeObject(ObjectOutputStream oos, Object o) throws IOException {
 oos.close();
 }
-// @Ignore
-// @Test
-// public void denialOfService() throws ClassNotFoundException, IOException {
-// ByteArrayInputStream bis = new ByteArrayInputStream(payload());
-// inputStream = new HardenedObjectInputStream(bis, whitelist);
-// try {
-// Set set = (Set) inputStream.readObject();
-// assertNotNull(set);
-// } finally {
-// inputStream.close();
-// }
-// }
-//
-// private byte[] payload() throws IOException {
-// Set root = buildEvilHashset();
-// return serialize(root);
-// }
-//
-// private Set buildEvilHashset() {
-// Set root = new HashSet();
-// Set s1 = root;
-// Set s2 = new HashSet();
-// for (int i = 0; i < 100; i++) {
-// Set t1 = new HashSet();
-// Set t2 = new HashSet();
-// t1.add("foo"); // make it not equal to t2
-// s1.add(t1);
-// s1.add(t2);
-// s2.add(t1);
-// s2.add(t2);
-// s1 = t1;
-// s2 = t2;
-// }
-// return root;
-// }
+ @Test
+ public void denialOfService() throws ClassNotFoundException, IOException {
+ ByteArrayInputStream bis = new ByteArrayInputStream(payload());
+ inputStream = new HardenedObjectInputStream(bis, whitelist);
+ try {
+ assertThrows(InvalidClassException.class, () -> inputStream.readObject());
+ } finally {
+ inputStream.close();
+ }
+ }
+
+ private byte[] payload() throws IOException {
+ Set root = buildEvilHashset();
+ writeObject(oos, root);
+ return bos.toByteArray();
+ }
+
+ private Set buildEvilHashset() {
+ Set root = new HashSet();
+ Set s1 = root;
+ Set s2 = new HashSet();
+ for (int i = 0; i < 100; i++) {
+ Set t1 = new HashSet();
+ Set t2 = new HashSet();
+ t1.add("foo"); // make it not equal to t2
+ s1.add(t1);
+ s1.add(t2);
+ s2.add(t1);
+ s2.add(t2);
+ s1 = t1;
+ s2 = t2;
+ }
+ return root;
+ }
 }
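Review bot: `denialOfService` only proves that the nested payload is rejected, which cannot distinguish a correctly limited filter from one that rejects every Set; unless another test in this file (outside the hunk) already reads a small whitelisted HashSet through the same constructor, add that positive control — a one-level HashSet serialized with the same `writeObject` helper and checked with `assertNotNull(inputStream.readObject())`, which would also give the `assertNotNull` import added in the previous hunk a use. `payload()` silently depends on the `oos`/`bos` fixtures and on `writeObject` closing `oos` before `bos.toByteArray()` is read; a comment such as `// writeObject() closes oos, so bos holds the complete stream` would make that visible. As a style point, `Set`/`HashSet` are raw types (`Set<Object>` reads cleaner), and `() -> inputStream.readObject()` can be the method reference `inputStream::readObject`. Since the test only asserts the exception type, consider also checking the exception message or the stream depth to tie the failure to the intended filter rule rather than to an unrelated InvalidClassException.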