fix(command): restrict allowed_classes in ClosureJob unserialize() to prevent RCE#41583
Open
DeepDiver1975 wants to merge 3 commits into
Open
fix(command): restrict allowed_classes in ClosureJob unserialize() to prevent RCE#41583DeepDiver1975 wants to merge 3 commits into
DeepDiver1975 wants to merge 3 commits into
Conversation
… prevent RCE ClosureJob::run() called unserialize() without allowed_classes restriction on data from the oc_jobs.argument database column. An attacker with DB write access could inject a gadget chain payload. The post-deserialization method_exists check provides no protection since __wakeup()/__destruct() fire during unserialize() before any check is reached. Add an explicit allowed_classes list covering the six Laravel SerializableClosure classes that legitimately appear in a serialized closure payload. All other classes are rejected before instantiation. Signed-off-by: Thomas Müller <thomas.mueller@owncloud.com> Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
|
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes. |
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
…on of test class Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ClosureJob::run()called bareunserialize()on DB-sourced data; same gadget-chain RCE risk as CommandJobmethod_existscheck doesn't help —__wakeup()/__destruct()already firedallowed_classesrestricted to the 6laravel/serializable-closureclasses that legitimately appear in serialized closure payloadsSecurity Impact
High (defense-in-depth) — requires prior DB write access to exploit
Test plan
__wakeup()is NOT triggered (test would fail without fix)make test TEST_PHP_SUITE=lib/Command🤖 Generated with Claude Code