Disable rpc.enhancedClasses by default at runtime

Logs warnings at compile time, indicating which classes need to be cleaned up to remove this feature. Mitigation for gwtproject#9709
niloc132 · Dec 19, 2023 · 47a2b34 · 47a2b34
1 parent f439c5e
commit 47a2b34
Show file tree

Hide file tree

Showing 6 changed files with 53 additions and 0 deletions.
diff --git a/user/src/com/google/gwt/user/rebind/rpc/SerializableTypeOracleBuilder.java b/user/src/com/google/gwt/user/rebind/rpc/SerializableTypeOracleBuilder.java
@@ -869,6 +869,10 @@ public SerializableTypeOracle build(TreeLogger logger) throws UnableToCompleteEx
 
       if (tic.maybeEnhanced()
           || (enhancedClasses != null && enhancedClasses.contains(type.getQualifiedSourceName()))) {
+        logger.log(TreeLogger.WARN, "The class " + type.getQualifiedSourceName() + " is both " +
+                "referenced from configuration as rpc.enhancedClasses and has JPA annotations. " +
+                "This makes the server vulnerable to an issue with deserialization of unsafe " +
+                "data. See https://github.com/gwtproject/gwt/issues/9709 for more information.");
         type.setEnhanced();
       }
     }

diff --git a/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java b/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java
@@ -16,6 +16,8 @@
 package com.google.gwt.user.server.rpc;
 
 import static com.google.gwt.user.client.rpc.RpcRequestBuilder.MODULE_BASE_HEADER;
+import static com.google.gwt.user.server.rpc.SerializationPolicyLoader.ENABLE_ENHANCED_CLASSES;
+import static com.google.gwt.user.server.rpc.SerializationPolicyLoader.ENABLE_GWT_ENHANCED_CLASSES_PROPERTY;
 
 import com.google.gwt.user.client.rpc.IncompatibleRemoteServiceException;
 import com.google.gwt.user.client.rpc.RpcTokenException;
@@ -94,6 +96,20 @@ static SerializationPolicy loadSerializationPolicy(HttpServlet servlet,
           try {
             serializationPolicy = SerializationPolicyLoader.loadFromStream(is,
                 null);
+            if (serializationPolicy.hasClientFields()) {
+              if (ENABLE_ENHANCED_CLASSES) {
+                servlet.log("WARNING: Enhanced JPA client fields are in use for this " +
+                        "application. See https://github.com/gwtproject/gwt/issues/9709 for " +
+                        "more detail. on the vulnerability that this presents.");
+              } else {
+                servlet.log("ERROR: Service uses enhanced classes, which are unsafe. Review " +
+                        "build logs to see where this can be fixed, or set " +
+                        ENABLE_GWT_ENHANCED_CLASSES_PROPERTY + " to true to allow using this " +
+                        "service. See https://github.com/gwtproject/gwt/issues/9709 for more " +
+                        "detail.");
+                serializationPolicy = null;
+              }
+            }
           } catch (ParseException e) {
             servlet.log("ERROR: Failed to parse the policy file '"
                 + serializationPolicyFilePath + "'", e);

diff --git a/user/src/com/google/gwt/user/server/rpc/SerializationPolicy.java b/user/src/com/google/gwt/user/server/rpc/SerializationPolicy.java
@@ -82,4 +82,14 @@ public abstract void validateDeserialize(Class<?> clazz)
    */
   public abstract void validateSerialize(Class<?> clazz)
       throws SerializationException;
+
+  /**
+   * Returns true if there may be any unsafe client fields in the serialization policy. The default
+   * implementation returns true to ensure that custom implementations validate accordingly.
+   *
+   * @return true if the client may send unsafely serialized data, false otherwise
+   */
+  public boolean hasClientFields() {
+    return true;
+  }
 }
diff --git a/user/src/com/google/gwt/user/server/rpc/SerializationPolicyLoader.java b/user/src/com/google/gwt/user/server/rpc/SerializationPolicyLoader.java
@@ -51,6 +51,19 @@ public final class SerializationPolicyLoader {
    */
   public static final String SERIALIZATION_POLICY_FILE_ENCODING = "UTF-8";
 
+  /**
+   * System property to enable gwt-rpc enhanced classes. To use this, set the JVM system property
+   * with name {@value ENABLE_GWT_ENHANCED_CLASSES_PROPERTY} to {@code true}, any other value will
+   * leave this feature disabled in the server at runtime.
+   */
+  public static final String ENABLE_GWT_ENHANCED_CLASSES_PROPERTY = "gwt.enhancedClasses.enabled";
+
+  /**
+   * Flag to enable using enhanced classes, for applications that need them and are taking
+   * appropriate steps to secure them. Defaults to false.
+   */
+  public static final boolean ENABLE_ENHANCED_CLASSES = "true".equals(System.getProperty(ENABLE_GWT_ENHANCED_CLASSES_PROPERTY));
+
   private static final String FORMAT_ERROR_MESSAGE = "Expected: className, "
       + "[true | false], [true | false], [true | false], [true | false], typeId, signature";
 

diff --git a/user/src/com/google/gwt/user/server/rpc/impl/LegacySerializationPolicy.java b/user/src/com/google/gwt/user/server/rpc/impl/LegacySerializationPolicy.java
@@ -174,4 +174,9 @@ private boolean isInstantiable(Class<?> clazz) {
     }
     return SerializabilityUtil.hasCustomFieldSerializer(clazz) != null;
   }
+
+  @Override
+  public boolean hasClientFields() {
+    return false;
+  }
 }
diff --git a/user/src/com/google/gwt/user/server/rpc/impl/StandardSerializationPolicy.java b/user/src/com/google/gwt/user/server/rpc/impl/StandardSerializationPolicy.java
@@ -131,6 +131,11 @@ public Set<String> getClientFieldNamesForEnhancedClass(Class<?> clazz) {
     return fieldNames == null ? null : Collections.unmodifiableSet(fieldNames);
   }
 
+  @Override
+  public boolean hasClientFields() {
+    return clientFields != null && !clientFields.isEmpty();
+  }
+
   public final String getTypeIdForClass(Class<?> clazz)
       throws SerializationException {
     return typeIds.get(clazz);