
Do not deserialize data from job nodes in Kubernetes resource to avoid

security vulnerability
robinshine committed Nov 19, 2020
1 parent f864053 commit 9637fc8fa461c5777282a0021c3deb1e7a48f137
@@ -9,7 +9,7 @@
<version>1.0.5</version>
</parent>
<artifactId>server</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
<packaging>pom</packaging>
<build>
<finalName>${project.groupId}.${project.artifactId}-${project.version}</finalName>
@@ -574,7 +574,7 @@
</repositories>
<properties>
<commons.version>1.1.21</commons.version>
<k8shelper.version>1.0.20</k8shelper.version>
<k8shelper.version>1.0.21</k8shelper.version>
<slf4j.version>1.7.5</slf4j.version>
<logback.version>1.0.11</logback.version>
<antlr.version>4.7.2</antlr.version>
@@ -7,7 +7,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<build>
<plugins>
@@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<dependencies>
<dependency>
@@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<build>
<resources>
@@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.authenticator.ldap.LdapModule</moduleClass>
@@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<dependencies>
<dependency>
@@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.buildspec.maven.MavenModule</moduleClass>
@@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.buildspec.node.NodePluginModule</moduleClass>
@@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.docker.DockerModule</moduleClass>
@@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.executor.kubernetes.KubernetesModule</moduleClass>
@@ -25,6 +25,7 @@

import org.apache.commons.lang.SerializationUtils;

import com.google.common.base.Splitter;
import com.google.common.collect.Lists;

import io.onedev.commons.utils.TarUtils;
@@ -73,20 +74,19 @@ public KubernetesResource(JobManager jobManager) {
@Consumes(MediaType.APPLICATION_OCTET_STREAM)
@Produces(MediaType.APPLICATION_OCTET_STREAM)
@POST
public byte[] allocateJobCaches(byte[] cacheAllocationRequestBytes) {
CacheAllocationRequest allocationRequest = (CacheAllocationRequest) SerializationUtils
.deserialize(cacheAllocationRequestBytes);
public byte[] allocateJobCaches(String cacheAllocationRequestString) {
CacheAllocationRequest cacheAllocationRequest = CacheAllocationRequest.fromString(cacheAllocationRequestString);
return SerializationUtils.serialize((Serializable) jobManager.allocateJobCaches(
getJobToken(), allocationRequest.getCurrentTime(), allocationRequest.getInstances()));
getJobToken(), cacheAllocationRequest.getCurrentTime(), cacheAllocationRequest.getInstances()));
}

@Path("/report-job-caches")
@Consumes(MediaType.APPLICATION_OCTET_STREAM)
@POST
public void reportJobCaches(byte[] cacheInstanceBytes) {
@SuppressWarnings("unchecked")
Collection<CacheInstance> cacheInstances = (Collection<CacheInstance>) SerializationUtils
.deserialize(cacheInstanceBytes);
public void reportJobCaches(String cacheInstancesString) {
Collection<CacheInstance> cacheInstances = new ArrayList<>();
for (String field: Splitter.on(';').omitEmptyStrings().split(cacheInstancesString))
cacheInstances.add(CacheInstance.fromString(field));
jobManager.reportJobCaches(getJobToken(), cacheInstances);
}

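Review bot: `CacheAllocationRequest.fromString(cacheAllocationRequestString)` and `CacheInstance.fromString(field)` now parse text supplied by job nodes, but the hunk adds no handling for malformed input, so a parse failure presumably surfaces as an unhandled server error rather than a client error; consider catching it at the resource boundary with `throw new WebApplicationException(e, Response.Status.BAD_REQUEST);` so bad requests are rejected explicitly and show up as such in logs. The response of allocateJobCaches still goes through `SerializationUtils.serialize(...)` on the line after the new parameter, so the job-node side still Java-deserializes whatever the server sends; that is the reverse trust direction and outside this commit's stated scope, but a follow-up moving the reply to the same string format would remove the remaining native-serialization dependency. Both methods keep `@Consumes(MediaType.APPLICATION_OCTET_STREAM)` while now taking a `String`; a short Javadoc on each stating the expected wire format, e.g. `/** @param cacheInstancesString ';'-separated CacheInstance string forms sent by the job node; treated as untrusted input. */`, would make the new contract clear. The enclosing KubernetesResource class continues outside the hunk.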
@@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.report.html.HtmlReportModule</moduleClass>
@@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.report.markdown.MarkdownReportModule</moduleClass>
@@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<dependencies>
<dependency>
@@ -7,7 +7,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
</parent>
<dependencies>
<dependency>
