From bschucha...@apache.org
Subject [geode] branch whitelist_wip updated: work-in-progress branch for whitelisting classes that can be deserialized
Date Wed, 08 Nov 2017 00:25:49 GMT
This is an automated email from the ASF dual-hosted git repository.

bschuchardt pushed a commit to branch whitelist_wip
in repository https://gitbox.apache.org/repos/asf/geode.git


The following commit(s) were added to refs/heads/whitelist_wip by this push:
     new 5153465  work-in-progress branch for whitelisting classes that can be deserialized
5153465 is described below

commit 51534653ef265dc59021769fac792104d3bc9ffc
Author: Bruce Schuchardt <bschuchardt@pivotal.io>
AuthorDate: Tue Nov 7 16:24:56 2017 -0800

    work-in-progress branch for whitelisting classes that can be deserialized
    
    working on a new test for the white-listed serializables
---
 .../geode/internal/InternalDataSerializer.java     |  8 +--
 .../geode/internal/sanctionedSerializables.txt     |  3 +-
 .../AnalyzeSerializablesJUnitTest.java             | 63 ++++++++++++++++++++++
 .../apache/geode/codeAnalysis/excludedClasses.txt  |  1 +
 4 files changed, 70 insertions(+), 5 deletions(-)

diff --git a/geode-core/src/main/java/org/apache/geode/internal/InternalDataSerializer.java b/geode-core/src/main/java/org/apache/geode/internal/InternalDataSerializer.java
index 78dc397..1836183 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/InternalDataSerializer.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/InternalDataSerializer.java
@@ -206,7 +206,7 @@ public abstract class InternalDataSerializer extends DataSerializer implements D
    */
   public static void initialize(DistributionConfig distributionConfig, Collection<DistributedSystemService> services) {
     String serializationFilterSpec; // get from configuration
-    serializationFilterSpec = "!*";
+    serializationFilterSpec = "java.**;!*";
     if (serializationFilterSpec != null) {
       if (!ClassUtils.isClassAvailable("sun.misc.ObjectInputFilter")) {
         throw new GemFireConfigException(
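Review bot: `serializationFilterSpec` is still assigned a string literal on the `+` line, so the `if (serializationFilterSpec != null)` branch beneath it is unconditionally taken and the `// get from configuration` comment above describes intent the code does not yet implement. Widening the literal from `!*` to `java.**;!*` also lets every class under `java.` pass this spec independently of the sanctioned list the rest of the commit is building, which is broader than the allow-list approach the commit title describes. If this is a temporary setting for the work-in-progress branch, I would mark it as such right on that line, e.g. `// TODO(whitelist_wip): read the spec from DistributionConfig; "java.**" is a placeholder, not the intended allow-list`. `initialize` continues past the end of the hunk.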
@@ -246,7 +246,8 @@ public abstract class InternalDataSerializer extends DataSerializer implements D
       String className = filterInfo.serialClass().getName();
       logger.debug("checking whether {} can be deserialized", className);
       if (sanctionedClasses.contains(className)) {
-        return ObjectInputFilter.Status.ALLOWED;
+//        return ObjectInputFilter.Status.ALLOWED;
+        return ObjectInputFilter.Status.UNDECIDED;
       } else {
         ObjectInputFilter.Status status = userFilter.checkInput(filterInfo);
         return status;
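Review bot: The `+` lines leave the old `return ObjectInputFilter.Status.ALLOWED;` as commented-out code beside the new `return ObjectInputFilter.Status.UNDECIDED;`, so a reader cannot tell whether the switch to UNDECIDED is the intended behaviour or a debugging toggle. ObjectInputStream lets UNDECIDED proceed exactly as it does ALLOWED, so for a sanctioned class the change is only observable if this filter is ever combined with another one that gets the final say; that is a design decision worth one sentence rather than a dead line. I would delete the commented-out return and add `// UNDECIDED rather than ALLOWED: being on the sanctioned list does not override a rejecting filter`, or the converse if that is not the intent. The enclosing method begins before the hunk.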
@@ -272,7 +273,8 @@ public abstract class InternalDataSerializer extends DataSerializer implements D
         if (line.startsWith("#") || line.startsWith("//")) {
           // comment line
         } else {
-          result.add(line.substring(0, line.indexOf(',')-1));
+          line = line.replaceAll("/", ".");
+          result.add(line.substring(0, line.indexOf(',')));
         }
       }
     }
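Review bot: The new `result.add(line.substring(0, line.indexOf(',')));` throws StringIndexOutOfBoundsException for any non-comment line without a comma, including a blank line, because `indexOf` returns -1; the commit removes the old `-1` off-by-one but not this case. A guard keeps one malformed entry in sanctionedSerializables.txt from aborting filter initialization: `int comma = line.indexOf(','); result.add(comma < 0 ? line : line.substring(0, comma));` (and `line.replace('/', '.')` avoids compiling a regex per line). Consider logging such a line as well, since an entry that is dropped or misparsed here silently means that class is no longer treated as sanctioned. The loop and its enclosing method start before the hunk.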
diff --git a/geode-core/src/main/resources/org/apache/geode/internal/sanctionedSerializables.txt b/geode-core/src/main/resources/org/apache/geode/internal/sanctionedSerializables.txt
index 7898aeb..1c74e11 100755
--- a/geode-core/src/main/resources/org/apache/geode/internal/sanctionedSerializables.txt
+++ b/geode-core/src/main/resources/org/apache/geode/internal/sanctionedSerializables.txt
@@ -1,7 +1,6 @@
 org/apache/geode/CancelException,true,3215578659523282642
 org/apache/geode/CopyException,true,-1143711608610323585
 org/apache/geode/DeltaSerializationException,true,-2630435945840206466
-org/apache/geode/ForcedDisconnectException,true,4977003259880566257
 org/apache/geode/GemFireCacheException,true,-2844020916351682908
 org/apache/geode/GemFireCheckedException,true,-8659184576090173188
 org/apache/geode/GemFireConfigException,true,7791789785331120991
@@ -817,4 +816,4 @@ org/apache/geode/redis/internal/executor/list/ListExecutor$ListDirection,false
 org/apache/geode/security/AuthenticationFailedException,true,-8202866472279088879
 org/apache/geode/security/AuthenticationRequiredException,true,4675976651103154919
 org/apache/geode/security/GemFireSecurityException,true,3814254578203076926,cause:java/lang/Throwable
-org/apache/geode/security/NotAuthorizedException,true,419215768216387745,principal:java/security/Principal
\ No newline at end of file
+org/apache/geode/security/NotAuthorizedException,true,419215768216387745,principal:java/security/Principal
diff --git a/geode-core/src/test/java/org/apache/geode/codeAnalysis/AnalyzeSerializablesJUnitTest.java b/geode-core/src/test/java/org/apache/geode/codeAnalysis/AnalyzeSerializablesJUnitTest.java
index 8a383fa..96701d0 100644
--- a/geode-core/src/test/java/org/apache/geode/codeAnalysis/AnalyzeSerializablesJUnitTest.java
+++ b/geode-core/src/test/java/org/apache/geode/codeAnalysis/AnalyzeSerializablesJUnitTest.java
@@ -54,6 +54,7 @@ import java.io.FileReader;
 import java.io.IOException;
 import java.io.InvalidClassException;
 import java.io.Serializable;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -62,6 +63,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.Properties;
 
+import java.lang.reflect.Modifier;
+
 @Category(IntegrationTest.class)
 public class AnalyzeSerializablesJUnitTest {
 
@@ -203,6 +206,45 @@ public class AnalyzeSerializablesJUnitTest {
     }
   }
 
+  @Test
+  public void sanctionedClassesExistAndDoDeserialize() throws Exception {
+    setUp();
+
+    DistributionConfig distributionConfig = new DistributionConfigImpl(new Properties());
+    InternalDataSerializer.initialize(distributionConfig, new ArrayList<DistributedSystemService>());
+
+    for (ClassAndVariableDetails details : expectedSerializables) {
+      String className = details.className.replaceAll("/", ".");
+      System.out.println("testing class " + className);
+
+      Class sanctionedClass = Class.forName(className);
+      assertTrue(sanctionedClass.getName() + " is not Serializable and should be removed from sanctionedSerializables.txt",
+          Serializable.class.isAssignableFrom(sanctionedClass));
+
+      if (Modifier.isAbstract(sanctionedClass.getModifiers())) {
+        // we detect whether these are modified in another test, but cannot instantiate them.
+        continue;
+      }
+      if (sanctionedClass.isEnum()) {
+        // geode enums are special cased by DataSerializer and are never java-serialized
+        for (Object instance: sanctionedClass.getEnumConstants()) {
+          serializeAndDeserializeSanctionedObject(instance);
+        }
+      } else {
+        final Object sanctionedInstance;
+        try {
+          sanctionedInstance = sanctionedClass.newInstance();
+        } catch (InstantiationException e) {
+          throw new AssertionError("Unable to instantiate " + className + " - please move it from sanctionedSerializables.txt to excludedClasses.txt", e);
+        }
+        if (sanctionedInstance instanceof Throwable) {
+          ((Throwable)sanctionedInstance).initCause(null);
+        }
+        serializeAndDeserializeSanctionedObject(sanctionedInstance);
+      }
+    }
+  }
+
   private void serializeAndDeserializeObject(Object object) throws Exception {
     HeapDataOutputStream outputStream = new HeapDataOutputStream(Version.CURRENT);
     try {
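Review bot: `sanctionedClass.newInstance()` on the `+` lines is caught only for `InstantiationException`, so a sanctioned class whose no-arg constructor is not public fails with a bare `IllegalAccessException` instead of the "please move it to excludedClasses.txt" guidance the test is trying to give; `} catch (InstantiationException | IllegalAccessException e) {` covers both. The raw `Class sanctionedClass` should be `Class<?> sanctionedClass`. The `((Throwable)sanctionedInstance).initCause(null)` call assumes each Throwable was constructed without a cause; it would throw IllegalStateException if some no-arg constructor delegates to a cause-taking super constructor, so that assumption is worth a comment or a try/catch on that line. The hunk's trailing context is the start of `serializeAndDeserializeObject`, whose body continues outside the hunk.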
@@ -225,6 +267,27 @@ public class AnalyzeSerializablesJUnitTest {
     }
   }
 
+  private void serializeAndDeserializeSanctionedObject(Object object) throws Exception {
+    HeapDataOutputStream outputStream = new HeapDataOutputStream(Version.CURRENT);
+    try {
+      DataSerializer.writeObject(object, outputStream);
+    } catch (IOException e) {
+      // some classes, such as BackupLock, are Serializable because the extend something
+      // like ReentrantLock but we never serialize them & it doesn't work to try to do so
+      System.out.println("Not Serializable: " + object.getClass().getName());
+      e.printStackTrace();
+      return;
+    }
+    try {
+      Object
+          instance =
+          DataSerializer.readObject(
+              new DataInputStream(new ByteArrayInputStream(outputStream.toByteArray())));
+    } catch (InvalidClassException e) {
+      fail("I was unable to deserialize " + object.getClass().getName());
+    }
+  }
+
   private String getSrcPathFor(File file) {
     return getSrcPathFor(file, "test");
   }
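Review bot: The write-side `catch (IOException e)` on the `+` lines turns every serialization failure into a printed stack trace and a silent pass, so a genuine I/O failure, not only the intentional "never serialized" case the comment describes, would let a sanctioned class through this check unverified. If the exempted classes do fail with `java.io.NotSerializableException`, narrowing to `} catch (NotSerializableException e) {` keeps the documented exemption while surfacing other failures, and `e.printStackTrace()` can go since the message already names the class. The local `instance` assigned from `DataSerializer.readObject(...)` is never read; either drop the assignment or assert that the result is an instance of `object.getClass()`, which checks the round trip rather than only the absence of InvalidClassException. The hunk's trailing context is the start of `getSrcPathFor`, which continues outside the hunk.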
diff --git a/geode-core/src/test/resources/org/apache/geode/codeAnalysis/excludedClasses.txt b/geode-core/src/test/resources/org/apache/geode/codeAnalysis/excludedClasses.txt
index f28c54f..cae579f 100644
--- a/geode-core/src/test/resources/org/apache/geode/codeAnalysis/excludedClasses.txt
+++ b/geode-core/src/test/resources/org/apache/geode/codeAnalysis/excludedClasses.txt
@@ -45,3 +45,4 @@ org/apache/geode/internal/security/shiro/GeodeAuthenticationToken
 org/apache/geode/internal/cache/InitialImageOperation$GIITestHook
 org/apache/geode/internal/AvailablePort$Keeper
 org/apache/geode/internal/admin/remote/DistributionLocatorId
+org/apache/geode/ForcedDisconnectException

