
executePipelined with RedisCallback uses wrong serializer (RedisTemplate.java) [DATAREDIS-500] #1076

Status: Closed
spring-projects-issues opened this issue Apr 21, 2016 · 8 comments
Labels: in: core (Issues in core support), type: bug (A general bug)

Comments

argszero opened DATAREDIS-500 and commented

RedisTemplate.executePipelined with RedisCallback uses wrong serializer when hashKeySerializer is different from hashValueSerializer.

```java
@Test
@SuppressWarnings("unchecked")
public void testExecutePipelinedWithDifferentHashKeySerializerAndHashValueSerializer() {
    assumeTrue(redisTemplate instanceof RedisTemplate);
    // Keys and hash field names are plain strings; hash values are Longs rendered as strings.
    redisTemplate.setKeySerializer(new StringRedisSerializer());
    redisTemplate.setHashKeySerializer(new StringRedisSerializer());
    redisTemplate.setHashValueSerializer(new GenericToStringSerializer<Long>(Long.class));
    redisTemplate.opsForHash().put((K) "foo", "key", 1L);
    // Read the hash back inside a pipeline through the raw connection; the template
    // is expected to deserialize field names with the hashKeySerializer and values
    // with the hashValueSerializer when it converts the pipeline results.
    List<Object> results = redisTemplate.executePipelined(new RedisCallback<Object>() {
        @Override
        public Object doInRedis(RedisConnection connection) throws DataAccessException {
            connection.hGetAll(((StringRedisSerializer) redisTemplate.getKeySerializer()).serialize("foo"));
            return null;
        }
    });
    assertEquals(1L, ((Map<?, ?>) results.get(0)).get("key"));
}
```

Affects: 1.7.1 (Hopper SR1), 1.8 M1 (Ingalls)

Referenced from: pull request #190

Backported to: 1.7.3 (Hopper SR3), 1.6.5 (Gosling SR5)
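As an added example (not code from the issue or from Spring Data Redis), the following helper sidesteps the result conversion in executePipelined altogether: it runs HGETALL on the raw connection inside a pipeline and applies the template's hashKeySerializer to the field names and hashValueSerializer to the values itself. The class and method names are hypothetical, and it assumes the template is configured with a StringRedisSerializer for keys, as in the test above.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.dao.DataAccessException;
import org.springframework.data.redis.connection.RedisConnection;
import org.springframework.data.redis.core.RedisCallback;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.serializer.RedisSerializer;

/**
 * Added example, not part of the issue or of Spring Data Redis: read a hash inside
 * a pipeline and convert the raw Map<byte[], byte[]> ourselves, so that field names
 * and values go through the two different serializers the template was given.
 */
public final class PipelinedHashRead {

    private PipelinedHashRead() {
    }

    @SuppressWarnings("unchecked")
    public static <HK, HV> Map<HK, HV> hGetAllPipelined(RedisTemplate<String, ?> template, final String key) {
        // Assumption of this example: the template uses a String serializer for keys
        // (as in the test in the report), so this cast is safe.
        final RedisSerializer<String> keySerializer = (RedisSerializer<String>) template.getKeySerializer();
        final RedisSerializer<HK> hashKeySerializer = (RedisSerializer<HK>) template.getHashKeySerializer();
        final RedisSerializer<HV> hashValueSerializer = (RedisSerializer<HV>) template.getHashValueSerializer();

        // Open and close the pipeline on the raw connection: closePipeline() returns the
        // untouched results, so no conversion inside RedisTemplate is involved.
        List<Object> raw = template.execute(new RedisCallback<List<Object>>() {
            @Override
            public List<Object> doInRedis(RedisConnection connection) throws DataAccessException {
                connection.openPipeline();
                connection.hGetAll(keySerializer.serialize(key));
                return connection.closePipeline();
            }
        });

        Map<HK, HV> result = new LinkedHashMap<HK, HV>();
        if (raw == null || raw.isEmpty() || raw.get(0) == null) {
            return result; // missing key: HGETALL yields an empty hash
        }
        Map<byte[], byte[]> rawHash = (Map<byte[], byte[]>) raw.get(0);
        for (Map.Entry<byte[], byte[]> entry : rawHash.entrySet()) {
            // Field name and value use different serializers; this is the case the
            // report above shows executePipelined getting wrong.
            result.put(hashKeySerializer.deserialize(entry.getKey()),
                    hashValueSerializer.deserialize(entry.getValue()));
        }
        return result;
    }
}
```

With the serializers from the test, `Map<String, Long> hash = PipelinedHashRead.hGetAllPipelined(redisTemplate, "foo");` returns `{key=1}` with a Long value, which is the result the assertion in the report expects from executePipelined.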

Nebula commented

Last year a message was sent to your security team; they did not think it was a security vulnerability:

https://jira.spring.io/browse/SPR-13656

AMQP confirmed it as a security vulnerability, why?

https://pivotal.io/security/cve-2016-2173

JdkSerializationRedisSerializer also needs a whitelist.

argszero commented

174020160421053943

Mark Paluch commented

argszero Could you provide us with your full name in English?

Mark Paluch commented

Hi Nebula, thanks for reporting the issue.

JDK deserialization is always a possibility for exploits as we don't have any control over the data that is serialized/deserialized.

This issue requires a bit more thought as the JDK serializer is used by default. Introducing a white-list would break existing code and each application using Spring Data Redis with default settings needs adjustments. If users don't change the serializer, a large number of classes are handled by the serializer.

Take Spring Session for example, which serializes the whole HTTP session. Those are classes which are not under the control of Spring Data Redis, and some users aren't even aware of the classes affected by serialization.
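The whitelist asked for above can be applied per application without changing the framework default. The following is an added example, not code from Spring Data Redis or from this thread: a RedisSerializer that still uses JDK serialization but refuses to resolve any class that is not on an explicit list, so a crafted payload stored in Redis is rejected before any of its classes are loaded. The class name is hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.data.redis.serializer.SerializationException;

/**
 * Added example, not part of Spring Data Redis: an alternative to
 * JdkSerializationRedisSerializer that only deserializes classes on an explicit
 * allow list. The check runs in resolveClass(), before the class is loaded, so no
 * static initializer or readObject() of an unexpected class is ever executed.
 */
public class AllowListJdkRedisSerializer implements RedisSerializer<Object> {

    private final Set<String> allowedClassNames;

    public AllowListJdkRedisSerializer(Set<String> allowedClassNames) {
        this.allowedClassNames = Collections.unmodifiableSet(new HashSet<String>(allowedClassNames));
    }

    @Override
    public byte[] serialize(Object value) throws SerializationException {
        if (value == null) {
            return new byte[0];
        }
        try {
            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
            ObjectOutputStream out = new ObjectOutputStream(bytes);
            out.writeObject(value);
            out.flush();
            return bytes.toByteArray();
        } catch (IOException e) {
            throw new SerializationException("Cannot serialize " + value.getClass().getName(), e);
        }
    }

    @Override
    public Object deserialize(byte[] bytes) throws SerializationException {
        if (bytes == null || bytes.length == 0) {
            return null;
        }
        try {
            ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes)) {
                @Override
                protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                    // Reject anything not explicitly listed; the stream name is checked,
                    // not the loaded class, so nothing is loaded for rejected entries.
                    if (!allowedClassNames.contains(desc.getName())) {
                        throw new InvalidClassException(desc.getName(), "class not on the deserialization allow list");
                    }
                    return super.resolveClass(desc);
                }

                @Override
                protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
                    // Dynamic proxies are a common way around class-name checks; refuse them.
                    throw new InvalidClassException("dynamic proxies are not allowed in serialized data");
                }
            };
            return in.readObject();
        } catch (IOException e) {
            throw new SerializationException("Cannot deserialize", e);
        } catch (ClassNotFoundException e) {
            throw new SerializationException("Cannot deserialize", e);
        }
    }
}
```

Every class descriptor in the stream passes through resolveClass, so the list must also name serializable superclasses and array types (a stored Long needs both java.lang.Long and java.lang.Number). Register it with template.setValueSerializer(...); for a deployment like Spring Session the list has to cover whatever the session actually holds, which is the trade-off described in the comment above.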

argszero commented

Hi, Mark Paluch, why do I need to provide my full name in English? Do you mean the full name used to sign the Individual Contributor Agreement? I used "argszero true" when signing it.

Mark Paluch commented

That's part of our contributor license requirement. No nicknames and no placeholders allowed. If you don't want to disclose your name, then open source contributions might not be the best way to go.

argszero commented

Hi, Mark Paluch, my full name is "Anqing Shao" (Chinese name). I am sorry for all my mistakes.

Mark Paluch commented

No worries, contributing for the first time usually takes a while to get all the things into shape. Each team is different. We all learn by doing things and getting feedback. These are no mistakes. Thanks a lot for the details, going to merge your contribution.
