
Change Defaults
**cherry-pick to 3.0.x, 2.4.x**
garyrussell committed Oct 2, 2023
1 parent 8e3dd19 commit 09c612c
Showing 4 changed files with 32 additions and 17 deletions.
2 changes: 2 additions & 0 deletions build.gradle
Expand Up @@ -313,6 +313,8 @@ configure(javaProjects) { subproject ->
if (name ==~ /(testAll)/) {
systemProperty 'RUN_LONG_INTEGRATION_TESTS', 'true'
}
environment "SPRING_AMQP_DESERIALIZATION_TRUST_ALL", "true"

useJUnitPlatform()
}

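Review bot: Exporting `SPRING_AMQP_DESERIALIZATION_TRUST_ALL` to every test JVM in the shared test configuration switches off the new deny-by-default allow-list check for the whole suite, so no test in the build can observe that `checkAllowedList` now rejects classes when no patterns are configured. Consider scoping the override to the tests that need it (for example a separately forked test task) and leaving the default suite running with the check enabled. At minimum a comment on the line would explain the intent: `// Trust every deserialized class in tests; without this the allow-list check rejects anything not explicitly allowed`. The enclosing `configure(javaProjects)` block starts and ends outside the hunk.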
@@ -1,5 +1,5 @@
/*
* Copyright 2006-2019 the original author or authors.
* Copyright 2006-2023 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -38,6 +38,17 @@
*/
public final class SerializationUtils {

private static final String TRUST_ALL_ENV = "SPRING_AMQP_DESERIALIZATION_TRUST_ALL";

private static final String TRUST_ALL_PROP = "spring.amqp.deserialization.trust.all";

private static final boolean TRUST_ALL;

static {
TRUST_ALL = Boolean.parseBoolean(System.getenv(TRUST_ALL_ENV))
|| Boolean.parseBoolean(System.getProperty(TRUST_ALL_PROP));
}

private SerializationUtils() {
}

@@ -137,11 +148,12 @@ protected Class<?> resolveClass(ObjectStreamClass classDesc)
* @since 2.1
*/
public static void checkAllowedList(Class<?> clazz, Set<String> patterns) {
if (ObjectUtils.isEmpty(patterns)) {
if (TRUST_ALL && ObjectUtils.isEmpty(patterns)) {
return;
}
if (clazz.isArray() || clazz.isPrimitive() || clazz.equals(String.class)
|| Number.class.isAssignableFrom(clazz)) {
|| Number.class.isAssignableFrom(clazz)
|| String.class.equals(clazz)) {
return;
}
String className = clazz.getName();
@@ -150,7 +162,10 @@ public static void checkAllowedList(Class<?> clazz, Set<String> patterns) {
return;
}
}
throw new SecurityException("Attempt to deserialize unauthorized " + clazz);
throw new SecurityException("Attempt to deserialize unauthorized " + clazz
+ "; add allowed class name patterns to the message converter or, if you trust the message orginiator, "
+ "set environment variable '"
+ TRUST_ALL_ENV + "' or system property '" + TRUST_ALL_PROP + "' to true");
}

}
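Review bot: The `String` test added in the `checkAllowedList` hunk (`|| String.class.equals(clazz)`) duplicates the `clazz.equals(String.class)` check that the unchanged line directly above it already performs, so one of the two should be dropped. The new exception message also misspells "originator" (`orginiator`); the fragment should read `"; add allowed class name patterns to the message converter or, if you trust the message originator, "`. Because `TRUST_ALL` is computed once in the static initializer, a comment on the field such as `// Evaluated once at class initialization: the system property or environment variable must be set before SerializationUtils is first loaded` would save users from setting the property too late and wondering why deserialization is still rejected. The pattern loop of checkAllowedList lies outside the visible hunks.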
@@ -1,5 +1,5 @@
/*
* Copyright 2016-2019 the original author or authors.
* Copyright 2016-2023 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,7 +17,7 @@
package org.springframework.amqp.support.converter;

import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.fail;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;

import java.io.Serializable;
import java.util.Collections;
@@ -40,7 +40,11 @@ public void testAllowedList() throws Exception {
SerializerMessageConverter converter = new SerializerMessageConverter();
TestBean testBean = new TestBean("foo");
Message message = converter.toMessage(testBean, new MessageProperties());
Object fromMessage = converter.fromMessage(message);
// when env var not set
// assertThatExceptionOfType(SecurityException.class).isThrownBy(() -> converter.fromMessage(message));
Object fromMessage;
// when env var set.
fromMessage = converter.fromMessage(message);
assertThat(fromMessage).isEqualTo(testBean);

converter.setAllowedListPatterns(Collections.singletonList("*"));
@@ -54,15 +58,8 @@ public void testAllowedList() throws Exception {
fromMessage = converter.fromMessage(message);
assertThat(fromMessage).isEqualTo(testBean);

try {
converter.setAllowedListPatterns(Collections.singletonList("foo.*"));
fromMessage = converter.fromMessage(message);
assertThat(fromMessage).isEqualTo(testBean);
fail("Expected SecurityException");
}
catch (SecurityException e) {

}
converter.setAllowedListPatterns(Collections.singletonList("foo.*"));
assertThatExceptionOfType(SecurityException.class).isThrownBy(() -> converter.fromMessage(message));
}

@SuppressWarnings("serial")
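Review bot: The commented-out assertion under `// when env var not set` in `testAllowedList` is dead code that a reader cannot act on; since `TRUST_ALL` is a `static final` fixed when `SerializationUtils` is initialised, the deny path and the trust-all path cannot both be exercised in one JVM, and the comment should state that instead of carrying disabled code: `// The deny-by-default path (no env var or system property) cannot be asserted here: TRUST_ALL is fixed at class initialisation and the build sets the env var for all tests`. As it stands the suite never asserts that an empty allow list throws `SecurityException`, which is precisely the behaviour this commit changes; a separately forked test without the env var would cover it. Replacing the old try/`fail` block with `assertThatExceptionOfType` is a clear improvement. The rest of the method is outside the visible hunks.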
3 changes: 2 additions & 1 deletion src/reference/asciidoc/amqp.adoc
@@ -4407,14 +4407,15 @@ consider configuring which packages and classes are allowed to be deserialized.
This applies to both the `SimpleMessageConverter` and `SerializerMessageConverter` when it is configured to use a
`DefaultDeserializer` either implicitly or via configuration.
By default, the allowed list is empty, meaning all classes are deserialized.
By default, the allowed list is empty, meaning no classes will be deserialized.
You can set a list of patterns, such as `thing1.*`, `thing1.thing2.Cat` or `*.MySafeClass`.
The patterns are checked in order until a match is found.
If there is no match, a `SecurityException` is thrown.
You can set the patterns using the `allowedListPatterns` property on these converters.
Alternatively, if you trust all message originators, you can set the environment variable `SPRING_AMQP_DESERIALIZATION_TRUST_ALL` or system property `spring.amqp.deserialization.trust.all` to `true`.
====

[[message-properties-converters]]

2 comments on commit 09c612c

@PatricioMP

Hello,

Is there a way to set this in the spring application configuration file?

I saw this configuration: spring.activemq.packages.trust-all=true here

but it doesn't do anything

Thanks

@garyrussell

@garyrussell garyrussell commented on 09c612c Oct 27, 2023


This is not the same as Boot auto configuration for ActiveMQ; this is AMQP.

Unfortunately, no; it has to be either a system property (`-D...` on the command line) or an environment variable.

You can add this to your main method before creating the SpringApplication...

System.setProperty(...);
