Input validation for serialization#1
Merged
Conversation
…be in the River 3.0.0 release, with improvements to documentation and some synchronization visibility correctness updates for RegistrarImpl, however I need to check atomicity is correct. These are not related to the security changes, but were lumped into the same patch at the time when this work was abandoned due to difficulties on river dev. @AtomicSerial, note that the trusted classes hasn't been completely implemented yet. AtomicSerial uses a custom ObjectInputStream to validate input, trusted classes will limit the classes that can be deserialized, for those with conventional Serialization that don't implement @AtomicSerial, but have been deemed safe. DeSerializationPermission, will limit the classes that can be deserialized. The intent is that a new default lookup method in ServiceRegistrar will return bootstrap proxy's, based on service matches, as well as services with compliant constraints. A bootstrap proxy is local code, that has DeSerializationPermission, during proxy preparation, the bootstrap proxy will be asked for the service proxy, after authentication using a bootstrap proxy, the codebase for the service proxy will be dynamically granted DownloadPermission and DeSerializationPermission.
…roxy's, based on service matches, as well as services with compliant constraints. A bootstrap proxy is local code, that has DeSerializationPermission, during proxy preparation, the bootstrap proxy will be asked for the service proxy, after authentication using a bootstrap proxy, the codebase for the service proxy will be dynamically granted DownloadPermission and DeSerializationPermission. Please comment
…ion. GetArg static convenience methods for common cases.
rename org.apache.river.start.ServiceProxyAccessor to net.jini.export.ServiceProxyAccessor
GetArg for ServiceItem, ServiceMatches and ServiceTemplate can be null in some tests, this is unrelated to @AtomicSerial Added comment to RemotePolicy to remind developers to use UnresolvedPermission when granting remote permissions ahead of time, when a Permission class may not yet exist at the client.
Improved messages for exceptional cases.
More implementations of @AtomicSerial
Added AtomicException for Exception implementations with state. Refactored some constructors so that object construction doesn't occur when exception occur.
Added AtomicExternal. Added security checks prior to allowing deserialization. Limited Serializable support to objects without state and primitive fields only.
DeSerializationPermission improvements. Serialization now restricted in AtomicMarshalInputStream, limiting objects to those that are stateless or only have primitive fields. Updated test policies and service proxy's META-INF/PERMISSIONS.LIST files to include DeSerializationPermission's
…ng them to classes with primitive fields, no readObject() or readObjectNoData() methods. These restrictions don't apply to @AtomicSerial, @AtomicExternal, dynamic proxy's and Externalizable classes, which are governed by Permissions.
More support for @AtomicSerial Update serializers. Update Bean's to support ConstructorProperties constructor. Update test policy files.
…input validation of invariants during deserialization. Update test policy files. More classes converted to implement @AtomicSerial Change Landlord API for security hardening purposes: Don't return a Map from a remote call, since this could contain unvalidated objects - replaced cancellAll method with a default method, to ensure the Map was locally created. Ensure that arrays in RenewResults have private access and copied defensively during deserialization, serial form hasn't changed, but the api has.
…ior to becoming a security manager, to prevent class loading deadlock.
…iles in test suite. Other minor refactoring tidy up, such as using two arg constructors for Exception classes, where they've been added in newer java versions.
Added new public readObject methods that perform stream type checks. Changes made that allow covariant returns for readResolve() methods. Policy updates for tests. Reverted Landlord default method as this is a dumb proxy interface and as such, the Map returned is always serialized, not local, changed LandlordLeaseMap to validate returned Map and defensively copy it.
…ryptography Update supported cyphers, exclude those that are now disabled in Java 8. Update strong cyphers, remove protocols no longer considered as strong encryption.
…uture support for custom serializers. Some refactoring and improvements, more support for @AtomicSerial Added support for conventional ObjectInputStream in package private Serializer's.
SHA256withDSA SHA512withECDSA SHA512withRSA
SHA256withDSA SHA512withECDSA SHA512withRSA
… obtain bootstrap proxy's directly. This ensures that clients and services don't need to implement ProxyTrust as smart proxy's are obtained after authentication of the bootstrap proxy. Note that Proxy preparation and constraints are still required. Added new interfaces to allow clients to retrieve attributes, ServiceID and smart proxy's from a bootstrap proxy, rather than the lookup service.
… obtain bootstrap proxy's directly. This ensures that clients and services don't need to implement ProxyTrust as smart proxy's are obtained after authentication of the bootstrap proxy. Note that Proxy preparation and constraints are still required. Added new interfaces to allow clients ProxyPreparer to retrieve codebase properties, in order to dynamically grant DownloadPermission and DeSerializationPermission, to allow the smart proxy to be retrieved.
pfirmstone
added a commit
that referenced
this pull request
Feb 24, 2016
Input validation for serialization
2 tasks
pfirmstone
added a commit
that referenced
this pull request
Jun 18, 2026
Review finding #1: PreferredAnalyzer.computeSerializable resolves supertypes only within the analyzed module, so a class that is Serializable only via a base in another module (java.security.Permission, Throwable, EventObject, ...) is not detected as cross-boundary. A class that is Serializable-via-base AND carries a strong criterion-(b) hazard would therefore classify PREFER without review -- a silent ClassCastException risk across the loader divide, most likely in the -dl/proxy modules where proxies routinely extend Serializable bases. Safety net: hasUnresolvedSupertype walks the superclass chain; if it leaves the analyzed set, a would-be strong-(b) PREFER is downgraded to SHARE + review (with an explanatory ClassDecision.reviewNote) rather than silently preferred. The guard is conservative and complete for the superclass path; the fuller fix (classpath supertype resolution) remains a follow-up before the -dl rollout. No change to the jgdms-platform result (both prefers extend Object): live list and samples are byte-identical, the drift gate still passes. Adds 2 fixtures and tests (guard fires on an external base; does not fire through an in-set chain); 43 tests green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
pfirmstone
added a commit
that referenced
this pull request
Jun 23, 2026
… strict-mode io gap) The strict-mode verification review found that org.apache.river.api.io has no registered MarshalDelegate for its built-in @AtomicSerial serializer helpers (MapSerializer.Ent, ProxySerializer, the Set/List/File/Permission/URI/... serializers), so strict marshalling died on the first Map/collection in any object graph (InvalidClassException on MapSerializer$Ent). This is the review's #1 must-fix for strict-green. The MarshalDelegateProcessor already generates a correct per-package delegate; it was only running in validateOnly mode for the platform. This overrides the parent's compilerArgs (combine.self="override") to DROP -Amarshaldelegate.validateOnly for jgdms-platform only, so the processor generates and registers a per-package GeneratedMarshalDelegate for the 6 platform packages that need in-package dispatch (org.apache.river.api.io, net.jini.id, net.jini.security, net.jini.core.constraint, org.apache.river.discovery, org.apache.river.logging). All other modules stay in validateOnly (the gate still emits its worklist warnings). Adds GeneratedMarshalDelegateTest: verifies the generated delegate resolves and serves the package-private helpers (MapSerializer.Ent, ProxySerializer, Set/ListSerializer) and round-trips Map/List/Set. Green in normal mode AND under -Dorg.apache.river.api.io.marshalDelegate.strict=true (4/4, no setAccessible fallback) on the DirtyChai SM-capable JDK; full reactor compiles. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Merge Input validation for serialization back into trunk branch.
Note that this includes the following: