Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[#15346] Fix deserialization filtering for Externalizables and Deadlock in Map index #15358

Merged
merged 3 commits into from
Jul 24, 2019
Merged

[#15346] Fix deserialization filtering for Externalizables and Deadlock in Map index #15358

merged 3 commits into from
Jul 24, 2019

Conversation

kwart
Copy link
Member

@kwart kwart commented Jul 23, 2019

Fixes #15346 and also leaking record lock in the Records class.

@kwart kwart added this to the 4.0 milestone Jul 23, 2019
@kwart kwart self-assigned this Jul 23, 2019
@kwart kwart mentioned this pull request Jul 23, 2019
Merged
vbekiaris
vbekiaris approved these changes Jul 23, 2019
View reviewed changes
Copy link
Contributor

@vbekiaris vbekiaris left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice job, some minor comments

hazelcast/src/test/java/com/hazelcast/cluster/MulticastDeserializationTest.java Outdated

sendJoinDatagram(new TestDeserialized());
Thread.sleep(500L);
assertTrueEventually(() -> assertTrue("Object was not deserializaed", TestDeserialized.isDeserialized));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor: typo in deserializaed

hazelcast/src/test/java/com/hazelcast/cluster/MulticastDeserializationTest.java Outdated
Hazelcast.newHazelcastInstance(config);

sendJoinDatagram(new TestDeserialized());
Thread.sleep(500L);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no need to sleep here since we use assertTrueEventually next

hazelcast/src/main/java/com/hazelcast/map/impl/record/Records.java
Object object = serializationService.toObject(valueBeforeCas);
Object object = null;
try {
object = serializationService.toObject(valueBeforeCas);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good catch!

@kwart
Copy link
Member Author

kwart commented Jul 24, 2019

Thanks for review, @vbekiaris. The findings are fixed in a new commit.

@kwart kwart merged commit f029f9f into hazelcast:master Jul 24, 2019
@kwart kwart deleted the deserialization-externalizable branch July 24, 2019 09:37
@mmedenjak mmedenjak added the Source: Internal PR or issue was opened by an employee label Apr 13, 2020
@mmedenjak mmedenjak added Module: Security security Pull requests that address a security vulnerability labels Jan 4, 2022
@chefhoobajoob
Copy link

@kwart , @vbekiaris @mmedenjak : is it possible to pick up a build of the 3.12.2 jar containing this fix? If so, how/where?

@kwart
Copy link
Member Author

kwart commented Jan 5, 2022

@chefhoobajoob Latest 3.12.z build is the 3.12.12.
You can find the released bits

@chefhoobajoob
Copy link

@kwart : great! thank you, the visa tag was explicitly mentioned in security scans as the version to update to, so pretty confusing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vbekiaris vbekiaris vbekiaris approved these changes

@ahmetmircik ahmetmircik ahmetmircik approved these changes

Assignees

@kwart kwart

Labels
Module: Security Module: Serialization security Pull requests that address a security vulnerability Source: Internal PR or issue was opened by an employee Team: Core Type: Defect
Projects
None yet
Milestone
4.0
Development

Successfully merging this pull request may close these issues.

Leaking deserialization protection on Externalizables
5 participants
@kwart @chefhoobajoob @vbekiaris @ahmetmircik @mmedenjak