packages/avro
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-47561

Browse Source 
(cherry picked from commit d6e355b683266451ffd8fa02ad4101c9a884ded6)
This commit is contained in:
starlet-dx 2024-10-10 09:49:11 +08:00 committed by openeuler-sync-bot
parent 5a0a9ca8f6
commit 7e44f83082
2 changed files with 120 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

115
CVE-2024-47561.patch Normal file
View File

@ -0,0 +1,115 @@
From 8f89868d29272e3afea2ff8de8c85cb81a57d900 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?JB=20Onofr=C3=A9?= <jbonofre@apache.org>
Date: Wed, 26 Jun 2024 15:16:40 +0200
Subject: [PATCH] AVRO-3985: Add trusted packages support in SpecificData
(#2980)
---
.../org/apache/avro/reflect/ReflectData.java | 10 ----
.../avro/specific/SpecificDatumReader.java | 47 ++++++++++++++++++-
2 files changed, 46 insertions(+), 11 deletions(-)
diff --git a/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java b/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java
index ec490979477..8cfbdb0529c 100644
--- a/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java
+++ b/lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java
@@ -427,16 +427,6 @@ private FieldAccessor getFieldAccessor(Class<?> c, String fieldName) {
return null;
}
- /** @deprecated Replaced by {@link SpecificData#CLASS_PROP} */
- @Deprecated
- static final String CLASS_PROP = "java-class";
- /** @deprecated Replaced by {@link SpecificData#KEY_CLASS_PROP} */
- @Deprecated
- static final String KEY_CLASS_PROP = "java-key-class";
- /** @deprecated Replaced by {@link SpecificData#ELEMENT_PROP} */
- @Deprecated
- static final String ELEMENT_PROP = "java-element-class";
-
private static final Map<String, Class> CLASS_CACHE = new ConcurrentHashMap<>();
static Class getClassProp(Schema schema, String prop) {
diff --git a/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java b/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java
index d924c8e04b7..8950f165991 100644
--- a/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java
+++ b/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java
@@ -24,12 +24,25 @@
import org.apache.avro.io.ResolvingDecoder;
import org.apache.avro.util.ClassUtils;
import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
/**
* {@link org.apache.avro.io.DatumReader DatumReader} for generated Java
* classes.
*/
public class SpecificDatumReader<T> extends GenericDatumReader<T> {
+
+ public static final String[] SERIALIZABLE_PACKAGES;
+
+ static {
+ SERIALIZABLE_PACKAGES = System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES",
+ "java.lang,java.math,java.io,java.net,org.apache.avro.reflect").split(",");
+ }
+
+ private final List<String> trustedPackages = new ArrayList<>();
+
public SpecificDatumReader() {
this(null, null, SpecificData.get());
}
@@ -55,6 +68,7 @@ public SpecificDatumReader(Schema writer, Schema reader) {
*/
public SpecificDatumReader(Schema writer, Schema reader, SpecificData data) {
super(writer, reader, data);
+ trustedPackages.addAll(Arrays.asList(SERIALIZABLE_PACKAGES));
}
/** Construct given a {@link SpecificData}. */
@@ -101,12 +115,43 @@ private Class getPropAsClass(Schema schema, String prop) {
if (name == null)
return null;
try {
- return ClassUtils.forName(getData().getClassLoader(), name);
+ Class clazz = ClassUtils.forName(getData().getClassLoader(), name);
+ checkSecurity(clazz);
+ return clazz;
} catch (ClassNotFoundException e) {
throw new AvroRuntimeException(e);
}
}
+ private boolean trustAllPackages() {
+ return (trustedPackages.size() == 1 && "*".equals(trustedPackages.get(0)));
+ }
+
+ private void checkSecurity(Class clazz) throws ClassNotFoundException {
+ if (trustAllPackages() || clazz.isPrimitive()) {
+ return;
+ }
+
+ boolean found = false;
+ Package thePackage = clazz.getPackage();
+ if (thePackage != null) {
+ for (String trustedPackage : getTrustedPackages()) {
+ if (thePackage.getName().equals(trustedPackage) || thePackage.getName().startsWith(trustedPackage + ".")) {
+ found = true;
+ break;
+ }
+ }
+ if (!found) {
+ throw new SecurityException("Forbidden " + clazz
+ + "! This class is not trusted to be included in Avro schema using java-class. Please set org.apache.avro.SERIALIZABLE_PACKAGES system property with the packages you trust.");
+ }
+ }
+ }
+
+ public final List<String> getTrustedPackages() {
+ return trustedPackages;
+ }
+
@Override
protected Object readRecord(Object old, Schema expected, ResolvingDecoder in) throws IOException {
SpecificData data = getSpecificData();

6
avro.spec
View File

@ -3,7 +3,7 @@
Name: avro Name: avro
Version: 1.10.2 Version: 1.10.2
Release: 5 Release: 6
Summary: Data serialization system Summary: Data serialization system
License: Apache-2.0 License: Apache-2.0
URL: http://avro.apache.org URL: http://avro.apache.org
@ -13,6 +13,7 @@ Source0: https://github.com/apache/avro/archive/refs/tags/release-1.10.
Source1: xmvn-reactor Source1: xmvn-reactor
Patch3000: CVE-2021-43045.patch Patch3000: CVE-2021-43045.patch
Patch3001: CVE-2023-39410.patch Patch3001: CVE-2023-39410.patch
Patch3002: CVE-2024-47561.patch
ExclusiveArch: aarch64 x86_64 ExclusiveArch: aarch64 x86_64
@ -111,6 +112,9 @@ install -m 0755 lang/java/tools/target/avro-tools-1.10.2-nodeps.jar %{buildroot}
%{_datadir}/java/avro/avro-tools-nodeps.jar %{_datadir}/java/avro/avro-tools-nodeps.jar
%changelog %changelog
* Thu Oct 10 2024 yaoxin <yao_xin001@hoperun.com> - 1.10.2-6
- Fix CVE-2024-47561
* Tue Jul 02 2024 wangkai <13474090681@163.com> - 1.10.2-5 * Tue Jul 02 2024 wangkai <13474090681@163.com> - 1.10.2-5
- Fix CVE-2023-39410 - Fix CVE-2023-39410