

[Keycloak-10162] Usage of ObjectInputStream without checking the object types
douglaspalmer committed May 9, 2020
1 parent 75acc27 commit 2e34cd4
Showing 3 changed files with 20 additions and 2 deletions.
Expand Up @@ -18,12 +18,12 @@
package org.keycloak.common.util;

import org.ietf.jgss.GSSCredential;
import sun.misc.ObjectInputFilter;

import javax.security.auth.kerberos.KerberosTicket;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectInputStream;
import java.io.ObjectOutput;
import java.io.ObjectOutputStream;
Expand Down Expand Up @@ -109,9 +109,11 @@ private static String serialize(Serializable obj) throws IOException {
private static Object deserialize(String serialized) throws ClassNotFoundException, IOException {
byte[] bytes = Base64.decode(serialized);
ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
ObjectInput in = null;
ObjectInputStream in = null;
try {
ObjectInputFilter filter = ObjectInputFilter.Config.createFilter("javax.security.auth.kerberos.KerberosTicket;javax.security.auth.kerberos.KerberosPrincipal;javax.security.auth.kerberos.KeyImpl;java.net.InetAddress;java.util.Date;!*");
in = new ObjectInputStream(bis);
ObjectInputFilter.Config.setObjectInputFilter(in, filter);
return in.readObject();
} finally {
try {
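Review bot: The filter built in deserialize depends on `sun.misc.ObjectInputFilter`, which is the JDK 8u121+ internal backport; from JDK 9 the API is `java.io.ObjectInputFilter` (applied with `in.setObjectInputFilter(filter)`) and the `sun.misc` class is not shipped, so if this module is also loaded on a 9+ runtime the class resolution fails before the allow-list is ever applied. A small reflective shim selecting whichever class is present would keep the check working on both, and at minimum the import deserves a comment such as `// sun.misc.ObjectInputFilter exists only on JDK 8u121+; JDK 9+ moved it to java.io.ObjectInputFilter`. The pattern string also carries no resource limits, so an oversized blob could still drive large allocations of the permitted element types; prefixing the list with e.g. `maxdepth=10;maxarray=100000;` bounds that at no cost to valid tickets. deserialize's `finally` block continues past the hunk.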
10 changes: 10 additions & 0 deletions core/src/main/java/org/keycloak/KeycloakPrincipal.java
Expand Up @@ -17,6 +17,10 @@

package org.keycloak;

import sun.misc.ObjectInputFilter;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.security.Principal;

Expand Down Expand Up @@ -63,4 +67,10 @@ public int hashCode() {
public String toString() {
return name;
}

private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
ObjectInputFilter filter = ObjectInputFilter.Config.createFilter("org.keycloak.KeycloakSecurityContext;org.keycloak.KeycloakPrincipal;!*");
ObjectInputFilter.Config.setObjectInputFilter(in, filter);
in.defaultReadObject();
}
}
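Review bot: KeycloakPrincipal.readObject installs its filter unconditionally, whereas the sibling `KeycloakSecurityContext.readObject` in this same commit first checks `ObjectInputFilter.Config.getObjectInputFilter(in) == null`; the JDK allows a stream filter to be set only once (the second call throws `IllegalStateException`, unless the existing one is the process-wide filter), so a principal read from a stream that already carries a filter — set by the stream owner, or by an object deserialized earlier in the same stream — would fail to deserialize at all. Wrap the two filter lines in the same guard, `if (ObjectInputFilter.Config.getObjectInputFilter(in) == null) { ... }`, so the two classes behave consistently. It is also worth a comment that the filter is consulted when a class descriptor is resolved, i.e. before this `readObject` runs, so what is installed here only governs objects read after the principal and, being stream-wide, stays in force for the rest of the stream; something like `// Stream-wide filter: protects only objects read after this one, not the principal itself` prevents it being read as a guarantee for this class.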
6 changes: 6 additions & 0 deletions core/src/main/java/org/keycloak/KeycloakSecurityContext.java
Expand Up @@ -21,6 +21,7 @@
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;
import org.keycloak.util.JsonSerialization;
import sun.misc.ObjectInputFilter;

import java.io.IOException;
import java.io.ObjectInputStream;
Expand Down Expand Up @@ -85,6 +86,11 @@ private void writeObject(ObjectOutputStream out) throws IOException {
}

private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
if(ObjectInputFilter.Config.getObjectInputFilter(in) == null)
{
ObjectInputFilter filter = ObjectInputFilter.Config.createFilter("org.keycloak.KeycloakSecurityContext;!*");
ObjectInputFilter.Config.setObjectInputFilter(in, filter);
}
in.defaultReadObject();

token = parseToken(tokenString, AccessToken.class);
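Review bot: The filter KeycloakSecurityContext.readObject installs when none is present is stream-wide and outlives this object, yet it accepts only `org.keycloak.KeycloakSecurityContext`, so any later object in the same stream of another class — a `KeycloakPrincipal` stored alongside it, whose own list in this commit accepts both classes, or any subclass of this context if one exists — would presumably be rejected with `InvalidClassException` rather than protected. Aligning the two lists, `ObjectInputFilter.Config.createFilter("org.keycloak.KeycloakSecurityContext;org.keycloak.KeycloakPrincipal;!*");`, removes the ordering dependency between the two readObject implementations. A short comment on the guard, `// Stream-wide filter: applies to objects read after this one and stays set for the rest of the stream`, would document the limitation, since the class check for this object already happened before readObject ran. readObject continues past the hunk.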
