Do not deserialize data from job nodes in Kubernetes resource to avoid
security vulnerability
robinshine committed Nov 19, 2020
1 parent f864053 commit 9637fc8
Showing 15 changed files with 23 additions and 23 deletions.
4 changes: 2 additions & 2 deletions pom.xml
Expand Up @@ -9,7 +9,7 @@
<version>1.0.5</version>
</parent>
<artifactId>server</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
<packaging>pom</packaging>
<build>
<finalName>${project.groupId}.${project.artifactId}-${project.version}</finalName>
Expand Down Expand Up @@ -574,7 +574,7 @@
</repositories>
<properties>
<commons.version>1.1.21</commons.version>
<k8shelper.version>1.0.20</k8shelper.version>
<k8shelper.version>1.0.21</k8shelper.version>
<slf4j.version>1.7.5</slf4j.version>
<logback.version>1.0.11</logback.version>
<antlr.version>4.7.2</antlr.version>
2 changes: 1 addition & 1 deletion server-core/pom.xml
Expand Up @@ -7,7 +7,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<build>
<plugins>
2 changes: 1 addition & 1 deletion server-plugin/pom.xml
Expand Up @@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<dependencies>
<dependency>
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-archetype/pom.xml
Expand Up @@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<build>
<resources>
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-authenticator-ldap/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.authenticator.ldap.LdapModule</moduleClass>
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-buildspec-gradle/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<dependencies>
<dependency>
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-buildspec-maven/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.buildspec.maven.MavenModule</moduleClass>
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-buildspec-node/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.buildspec.node.NodePluginModule</moduleClass>
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-executor-docker/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.docker.DockerModule</moduleClass>
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-executor-kubernetes/pom.xml
Expand Up @@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.executor.kubernetes.KubernetesModule</moduleClass>
Expand Up @@ -25,6 +25,7 @@

import org.apache.commons.lang.SerializationUtils;

import com.google.common.base.Splitter;
import com.google.common.collect.Lists;

import io.onedev.commons.utils.TarUtils;
Expand Down Expand Up @@ -73,20 +74,19 @@ public byte[] getJobContext() {
@Consumes(MediaType.APPLICATION_OCTET_STREAM)
@Produces(MediaType.APPLICATION_OCTET_STREAM)
@POST
public byte[] allocateJobCaches(byte[] cacheAllocationRequestBytes) {
CacheAllocationRequest allocationRequest = (CacheAllocationRequest) SerializationUtils
.deserialize(cacheAllocationRequestBytes);
public byte[] allocateJobCaches(String cacheAllocationRequestString) {
CacheAllocationRequest cacheAllocationRequest = CacheAllocationRequest.fromString(cacheAllocationRequestString);
return SerializationUtils.serialize((Serializable) jobManager.allocateJobCaches(
getJobToken(), allocationRequest.getCurrentTime(), allocationRequest.getInstances()));
getJobToken(), cacheAllocationRequest.getCurrentTime(), cacheAllocationRequest.getInstances()));
}

@Path("/report-job-caches")
@Consumes(MediaType.APPLICATION_OCTET_STREAM)
@POST
public void reportJobCaches(byte[] cacheInstanceBytes) {
@SuppressWarnings("unchecked")
Collection<CacheInstance> cacheInstances = (Collection<CacheInstance>) SerializationUtils
.deserialize(cacheInstanceBytes);
public void reportJobCaches(String cacheInstancesString) {
Collection<CacheInstance> cacheInstances = new ArrayList<>();
for (String field: Splitter.on(';').omitEmptyStrings().split(cacheInstancesString))
cacheInstances.add(CacheInstance.fromString(field));
jobManager.reportJobCaches(getJobToken(), cacheInstances);
}

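Review bot: The replacement parsing in allocateJobCaches and reportJobCaches passes the raw request body straight to `CacheAllocationRequest.fromString(...)` and `CacheInstance.fromString(field)` with no validation, so an empty, null or malformed body from a job pod surfaces as whatever unchecked exception those parsers throw (a 500 with a stack trace) instead of a 400; since the commit's point is that this input is not trusted, wrapping each parse and rethrowing `throw new BadRequestException("Malformed cache allocation request", e);` (cause preserved) would make the failure explicit and keep parser internals out of the response. Both methods still carry `@Consumes(MediaType.APPLICATION_OCTET_STREAM)` although the entity is now a `String`; `MediaType.TEXT_PLAIN` would document the new wire format and make the charset handling explicit rather than relying on the provider default. The response side unchanged on the `SerializationUtils.serialize(...)` line still sends a native-serialized object to the job node, which is the trusted direction here but worth a one-line comment such as `// Native serialization is only used server -> job; job -> server input is parsed as text (see fromString)`. The enclosing resource class, including the getJobContext method named in the hunk header, continues outside the hunk, so whether other endpoints still deserialize job-node input cannot be confirmed from this view.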
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-html/pom.xml
Expand Up @@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.report.html.HtmlReportModule</moduleClass>
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-markdown/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.report.markdown.MarkdownReportModule</moduleClass>
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-sso-openid/pom.xml
Expand Up @@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<dependencies>
<dependency>
2 changes: 1 addition & 1 deletion server-product/pom.xml
Expand Up @@ -7,7 +7,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<dependencies>
<dependency>

0 comments on commit 9637fc8
