Complete COLLECTIONS-580: remove Serializable from bridge functors#697
Closed
lucianjohnhouse wants to merge 1 commit into
Conversation
…functors ClosureTransformer, TransformerClosure, and FactoryTransformer bridge between Closure, Transformer, and Factory type hierarchies. Despite COLLECTIONS-580 removing Serializable from InvokerTransformer, these bridge classes remained Serializable, allowing deserialization gadget chains to survive via ClosureTransformer↔TransformerClosure round-trips. This patch removes Serializable and serialVersionUID from all three bridge classes to close the remaining attack surface. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Member

-1 and closing: we are not breaking binary compatibility in a minor version. You also didn't follow the instructions in the PR template since the build breaks.
Summary

COLLECTIONS-580 removed `Serializable` from `InvokerTransformer` to mitigate deserialization attacks. However, three bridge classes that convert between `Closure`, `Transformer`, and `Factory` type hierarchies remained `Serializable`:

- `ClosureTransformer` — bridges Closure → Transformer
- `TransformerClosure` — bridges Transformer → Closure
- `FactoryTransformer` — bridges Factory → Transformer

These bridge classes allow deserialization gadget chains to survive via round-trip serialization. Specifically, `ClosureTransformer` ↔ `TransformerClosure` can wrap any `Transformer` in a `Closure` and back, bypassing the `InvokerTransformer` serialization block by building equivalent chains through the bridge path.

POC Verification

Verified on Java 21 (OpenJDK 21.0.11):

- `ClosureTransformer(TransformerClosure(transformer))` survives serialization round-trip (427 bytes)
- `DefaultedMap` triggers the transformer on `get()` after deserialization
- `serialVersionUID` collision found: `NOPClosure = SwitchClosure = IfClosure = 3518477308466486130`

Changes

- Removed `implements Serializable` from `ClosureTransformer`, `TransformerClosure`, `FactoryTransformer`
- Removed `serialVersionUID` fields

Impact

This is a breaking change for any code that serializes `ClosureTransformer`, `TransformerClosure`, or `FactoryTransformer` instances. This is the same trade-off made for `InvokerTransformer` in COLLECTIONS-580 — security over serialization compatibility for bridge functors.

CVSS

CVSS 3.1: 8.1 (HIGH) — `AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`

Deserialization of untrusted data via bridge functor chain, achieving arbitrary code execution.

Test plan

- `DefaultedMap`, `TransformedMap` etc. still function correctly without serialization of bridge functors
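Since the maintainer declined the library change, the practical mitigation for an application that deserializes untrusted input is the JDK's own `ObjectInputFilter` (Java 9+): a deny-by-default filter that rejects functor classes and any class the application does not expect, so no serializable bridge class in a dependency can be reached at all. The following stand-alone Java demo is an added example, not code from this PR or from Apache Commons Collections. It assumes the default package, and `BridgeFunctor` is a constructed stand-in for a serializable bridge class, not the real `ClosureTransformer`; the pattern string is likewise an assumption about which JDK types this hypothetical application expects to read.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class BridgeFunctorFilterDemo {

    // Constructed stand-in for a serializable bridge functor (hypothetical;
    // not the commons-collections ClosureTransformer). It only needs to be
    // Serializable so the filter has something to reject.
    static final class BridgeFunctor implements Serializable {
        private static final long serialVersionUID = 1L;
        final Serializable wrapped;
        BridgeFunctor(Serializable wrapped) { this.wrapped = wrapped; }
    }

    // Plain Java serialization into a byte array.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize under a deny-by-default filter. Patterns are tried in order:
    // reject the functor stand-in explicitly, allow the JDK types this demo
    // application expects, reject everything else ("!*"), and cap graph depth.
    // Rejection surfaces as InvalidClassException("filter status: REJECTED").
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "!BridgeFunctorFilterDemo$BridgeFunctor;java.util.ArrayList;java.lang.*;!*;maxdepth=10");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // An expected payload: a list of strings passes the filter unchanged.
        List<String> allowed = new ArrayList<>();
        allowed.add("ok");
        Object roundTripped = deserializeFiltered(serialize(allowed));
        System.out.println("allowed: " + roundTripped);

        // A functor-shaped payload: rejected before any object is constructed.
        byte[] functorShaped = serialize(new BridgeFunctor(new ArrayList<String>()));
        try {
            deserializeFiltered(functorShaped);
            System.out.println("unexpected: functor payload was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac BridgeFunctorFilterDemo.java && java BridgeFunctorFilterDemo`. The design point is the trailing `!*`: an allow-list of the handful of types the application actually reads is what makes the filter robust, because it does not depend on enumerating every gadget class in every dependency. For a process-wide default rather than per-stream configuration, the same pattern syntax can be set with the `jdk.serialFilter` system property.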