New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Require registration of types before they can be used in a session #1592
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few comments. Happy to discuss 1:1 if needed.
* @see SessionModule | ||
* @since 1.9 | ||
*/ | ||
@Inherited |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a bad idea. I would not suggest making this an @Inherited
annotation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the annotation is gone entirely.
It turns out that inspecting class annotations causes the class to be initialized. Theoretically, a class could do something malicious in its static initializer.
|
||
import ratpack.session.SessionTypeFilter; | ||
|
||
public class AllowAllSessionTypeFilter implements SessionTypeFilter { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should have a name like "Unsafe" or "Insecure" in the name and also be marked Deprecated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
|
||
static { | ||
ALLOWED_PACKAGES.add(String.class.getPackage()); // java.lang | ||
ALLOWED_PACKAGES.add(List.class.getPackage()); // java.util |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this mean that all subtypes are also supported? If so, this is not a good idea.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I ended up removing this.
} | ||
} | ||
|
||
private static final class TypeFilteringObjectInputStream extends ObjectInputStream { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like this is a less feature-rich version of the ValidatingObjectInputStream
from Apache Commons.
I just want to make sure that you're not reinventing the wheel here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't need any of those features, or the extra dependency.
public class ClassWithStaticInit { | ||
|
||
static { | ||
System.out.println("HERE!!!!!!!!!!!!!!!!!!!"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems like a debugging class that shouldn't have been committed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What gave it away?
Will remove.
expect: | ||
test(String, "foo") | ||
test(Integer, 1) | ||
test(List, [[1, 2] as int[]]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is serializing a List of integer arrays, correct? Is JdkSessionTypeFilterPlugin
thus allowing serialization of any class as long as you embed it in a List
or Map
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, you also need to register the component type.
If Integer
wasn't registered this would fail.
public class AllowedAnnotationSessionTypeFilterPlugin implements SessionTypeFilterPlugin { | ||
|
||
@Override | ||
public boolean allow(String className) { | ||
return false; | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm confused what this is doing. It seems like it just forbids all classes? Some documentation explaining what's going on here would be helpful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Relic. Now removed.
@@ -19,12 +19,16 @@ | |||
import ratpack.api.Nullable; | |||
import ratpack.session.SessionKey; | |||
|
|||
import java.util.Objects; | |||
|
|||
public class DefaultSessionKey<T> implements SessionKey<T> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't have enough context here, but doesn't unintentionally having a DefaultSessionKey(null, null)
potentially introduce a security risk in itself?
I don't know if it would/wouldn't. I'm asking to try to understand the security implications of such a configuration.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That state isn't possible. I've moved the check to make that clearer.
I can't see how it would be a risk. There'd be a runtime error before trying to do anything with it.
This change is