From 510ff3e6e39c26ccf933c83e22b49be327ade289 Mon Sep 17 00:00:00 2001
From: leizhiyuan
Date: Wed, 2 Jan 2019 12:18:42 +0800
Subject: [PATCH 1/4] optimize sec black list

---
 .../internal/InternalNameBlackListFilter.java | 100 ++++++------------
 .../resources/security/serialize.blacklist | 66 ++++++++++++
 2 files changed, 97 insertions(+), 69 deletions(-)
 create mode 100644 src/main/resources/security/serialize.blacklist

diff --git a/src/main/java/com/alipay/hessian/internal/InternalNameBlackListFilter.java b/src/main/java/com/alipay/hessian/internal/InternalNameBlackListFilter.java
index 6af1b30..238e8ad 100644
--- a/src/main/java/com/alipay/hessian/internal/InternalNameBlackListFilter.java
+++ b/src/main/java/com/alipay/hessian/internal/InternalNameBlackListFilter.java
@@ -18,8 +18,12 @@
 import com.alipay.hessian.NameBlackListFilter;
-import java.util.Arrays;
+import java.io.File;
+import java.io.IOException;
+import java.net.URL;
+import java.util.ArrayList;
 import java.util.List;
+import java.util.Scanner;
 /**
 * 内置黑名单列表过滤器
@@ -28,74 +32,10 @@
 */
 public class InternalNameBlackListFilter extends NameBlackListFilter {
- static final List INTERNAL_BLACK_LIST = Arrays
- .asList(
- "org.codehaus.groovy.runtime.MethodClosure",
- "clojure.core$constantly",
- "clojure.main$eval_opt",
- "com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactory",
- "com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactoryImpl",
- "com.alibaba.citrus.springext.util.SpringExtUtil.AbstractProxy",
- "com.alipay.custrelation.service.model.redress.Pair",
- "com.caucho.hessian.test.TestCons",
- "com.mchange.v2.c3p0.JndiRefForwardingDataSource",
- "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
- "com.rometools.rome.feed.impl.EqualsBean",
- "com.rometools.rome.feed.impl.ToStringBean",
- "com.sun.jndi.rmi.registry.BindingEnumeration",
- "com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl",
- "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
- "com.sun.rowset.JdbcRowSetImpl",
- "com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data",
- "java.rmi.server.UnicastRemoteObject",
- "java.security.SignedObject",
- "java.util.ServiceLoader$LazyIterator",
- "javax.imageio.ImageIO$ContainsFilter",
- "javax.imageio.spi.ServiceRegistry",
- "javax.management.BadAttributeValueExpException",
- "javax.naming.InitialContext",
- "javax.naming.spi.ObjectFactory",
- "javax.script.ScriptEngineManager",
- "javax.sound.sampled.AudioFormat$Encoding",
- "org.apache.carbondata.core.scan.expression.ExpressionResult",
- "org.apache.commons.dbcp.datasources.SharedPoolDataSource",
- "org.apache.ibatis.executor.loader.AbstractSerialStateHolder",
- "org.apache.ibatis.executor.loader.CglibSerialStateHolder",
- "org.apache.ibatis.executor.loader.JavassistSerialStateHolder",
- "org.apache.ibatis.executor.loader.cglib.CglibProxyFactory",
- "org.apache.ibatis.executor.loader.javassist.JavassistSerialStateHolder",
- "org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource",
- "org.apache.wicket.util.upload.DiskFileItem",
- "org.apache.xalan.xsltc.trax.TemplatesImpl",
- "org.apache.xbean.naming.context.ContextUtil$ReadOnlyBinding",
- "org.apache.xpath.XPathContext",
- "org.eclipse.jetty.util.log.LoggerLog",
- "org.geotools.filter.ConstantExpression",
- "org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder",
- "org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor",
- "org.springframework.beans.factory.BeanFactory",
- "org.springframework.beans.factory.config.PropertyPathFactoryBean",
- "org.springframework.beans.factory.support.DefaultListableBeanFactory",
- "org.springframework.jndi.support.SimpleJndiBeanFactory",
- "org.springframework.orm.jpa.AbstractEntityManagerFactoryBean",
- "org.springframework.transaction.jta.JtaTransactionManager",
- "org.yaml.snakeyaml.tokens.DirectiveToken",
- "sun.rmi.server.UnicastRef",
- "javax.management.ImmutableDescriptor",
- "org.springframework.jndi.JndiObjectTargetSource",
- "ch.qos.logback.core.db.JNDIConnectionSource",
- "java.beans.Expression",
- "javassist.bytecode",
- "org.apache.ibatis.javassist.bytecode",
- "org.springframework.beans.factory.config.MethodInvokingFactoryBean",
- "com.alibaba.druid.pool.DruidDataSource",
- "com.sun.org.apache.bcel.internal.util.ClassLoader",
- "com.alibaba.druid.stat.JdbcDataSourceStat",
- "org.apache.tomcat.dbcp.dbcp.BasicDataSource",
- "com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput",
- "javassist.tools.web.Viewer",
- "net.bytebuddy.dynamic.loading.ByteArrayClassLoader",
- "org.apache.commons.beanutils.BeanMap");
+ private static final String blackListFile = System.getProperty("serialize.blacklist.file",
+ "security/serialize.blacklist");
+
+ static final List INTERNAL_BLACK_LIST = readBlackList(blackListFile);
 /**
 * 构造函数
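Review bot: Once `INTERNAL_BLACK_LIST` is whatever `readBlackList(blackListFile)` returns, an unresolvable `serialize.blacklist.file` value or a missing default resource yields an empty list, and the reader in the next hunk swallows that case, so the deny-list silently degrades to allowing every class name instead of failing. A list that guards deserialization should fail closed: add a static check after the load such as `if (INTERNAL_BLACK_LIST.isEmpty()) { throw new IllegalStateException("serialize blacklist is empty: " + blackListFile); }` (an error in the static initializer surfaces as ExceptionInInitializerError, which is preferable to an empty deny-list), or fall back to a built-in minimal list. The field also deserves a Javadoc line stating that the property names a classpath resource, not a filesystem path, and that it is read once at class load.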
@@ -112,4 +52,26 @@ public InternalNameBlackListFilter() {
 public InternalNameBlackListFilter(int maxCacheSize) {
 super(INTERNAL_BLACK_LIST, maxCacheSize);
 }
+
+ private static List readBlackList(String relativePath) {
+
+ List result = new ArrayList();
+ //Get file from resources folder
+ ClassLoader classLoader = InternalNameBlackListFilter.class.getClassLoader();
+ final URL resource = classLoader.getResource(relativePath);
+ if (resource != null) {
+ File file = new File(resource.getFile());
+ try {
+ Scanner scanner = new Scanner(file);
+ while (scanner.hasNextLine()) {
+ String line = scanner.nextLine();
+ result.add(line);
+ }
+ scanner.close();
+ } catch (IOException e) {
+ //ignore
+ }
+ }
+ return result;
+ }
 }
diff --git a/src/main/resources/security/serialize.blacklist b/src/main/resources/security/serialize.blacklist
new file mode 100644
index 0000000..74e6c32
--- /dev/null
+++ b/src/main/resources/security/serialize.blacklist
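Review bot: `new File(resource.getFile())` only works while the resource sits in an exploded directory; when this library is shipped as a jar, `getResource` returns a `jar:` URL whose `getFile()` is not a filesystem path, `new Scanner(file)` throws FileNotFoundException, the `catch (IOException e) { //ignore }` swallows it, and the method returns an empty list, so the packaged default deny-list would never load and the filter would pass everything. Read the resource as a stream instead (`getResourceAsStream` works for jars and directories alike), give the Scanner an explicit charset rather than the platform default, and refuse to return an empty list when the resource cannot be found. `resource.getFile()` would also keep URL-encoding such as `%20` in paths. The same construction survives unchanged in the fourth commit's `@@ -66,20 +65,40 @@` hunk, so the fix applies there too.
```java
// … unchanged: result list and classLoader selection …
InputStream in = classLoader.getResourceAsStream(relativePath);
if (in == null) {
    // fail closed: an absent deny-list must not silently become an empty one
    throw new IllegalStateException("serialize blacklist not found on classpath: " + relativePath);
}
Scanner scanner = new Scanner(in, "UTF-8");
try {
    while (scanner.hasNextLine()) {
        String line = scanner.nextLine().trim();
        if (line.length() > 0) {
            result.add(line);
        }
    }
} finally {
    scanner.close();
}
return result;
```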
@@ -0,0 +1,66 @@
+org.codehaus.groovy.runtime.MethodClosure
+clojure.core$constantly
+clojure.main$eval_opt
+com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactory
+com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactoryImpl
+com.alibaba.citrus.springext.util.SpringExtUtil.AbstractProxy
+com.alipay.custrelation.service.model.redress.Pair
+com.caucho.hessian.test.TestCons
+com.mchange.v2.c3p0.JndiRefForwardingDataSource
+com.mchange.v2.c3p0.WrapperConnectionPoolDataSource
+com.rometools.rome.feed.impl.EqualsBean
+com.rometools.rome.feed.impl.ToStringBean
+com.sun.jndi.rmi.registry.BindingEnumeration
+com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl
+com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
+com.sun.rowset.JdbcRowSetImpl
+com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data
+java.rmi.server.UnicastRemoteObject
+java.security.SignedObject
+java.util.ServiceLoader$LazyIterator
+javax.imageio.ImageIO$ContainsFilter
+javax.imageio.spi.ServiceRegistry
+javax.management.BadAttributeValueExpException
+javax.naming.InitialContext
+javax.naming.spi.ObjectFactory
+javax.script.ScriptEngineManager
+javax.sound.sampled.AudioFormat$Encoding
+org.apache.carbondata.core.scan.expression.ExpressionResult
+org.apache.commons.dbcp.datasources.SharedPoolDataSource
+org.apache.ibatis.executor.loader.AbstractSerialStateHolder
+org.apache.ibatis.executor.loader.CglibSerialStateHolder
+org.apache.ibatis.executor.loader.JavassistSerialStateHolder
+org.apache.ibatis.executor.loader.cglib.CglibProxyFactory
+org.apache.ibatis.executor.loader.javassist.JavassistSerialStateHolder
+org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource
+org.apache.wicket.util.upload.DiskFileItem
+org.apache.xalan.xsltc.trax.TemplatesImpl
+org.apache.xbean.naming.context.ContextUtil$ReadOnlyBinding
+org.apache.xpath.XPathContext
+org.eclipse.jetty.util.log.LoggerLog
+org.geotools.filter.ConstantExpression
+org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder
+org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor
+org.springframework.beans.factory.BeanFactory
+org.springframework.beans.factory.config.PropertyPathFactoryBean
+org.springframework.beans.factory.support.DefaultListableBeanFactory
+org.springframework.jndi.support.SimpleJndiBeanFactory
+org.springframework.orm.jpa.AbstractEntityManagerFactoryBean
+org.springframework.transaction.jta.JtaTransactionManager
+org.yaml.snakeyaml.tokens.DirectiveToken
+sun.rmi.server.UnicastRef
+javax.management.ImmutableDescriptor
+org.springframework.jndi.JndiObjectTargetSource
+ch.qos.logback.core.db.JNDIConnectionSource
+java.beans.Expression
+javassist.bytecode
+org.apache.ibatis.javassist.bytecode
+org.springframework.beans.factory.config.MethodInvokingFactoryBean
+com.alibaba.druid.pool.DruidDataSource
+com.sun.org.apache.bcel.internal.util.ClassLoader
+com.alibaba.druid.stat.JdbcDataSourceStat
+org.apache.tomcat.dbcp.dbcp.BasicDataSource
+com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput
+javassist.tools.web.Viewer
+net.bytebuddy.dynamic.loading.ByteArrayClassLoader
+org.apache.commons.beanutils.BeanMap
\ No newline at end of file

From 14cc94f852d1ae4aa387bf99d9c107b6368bcde1 Mon Sep 17 00:00:00 2001
From: leizhiyuan
Date: Wed, 2 Jan 2019 14:23:21 +0800
Subject: [PATCH 2/4] include resource file

---
 pom.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pom.xml b/pom.xml
index 4429d5e..a1f7c7f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -86,6 +86,9 @@
 LICENSE
+
+ src/main/resources
+

From 901bb2c97973e072defc7e4bd250b07c4a24b0cd Mon Sep 17 00:00:00 2001
From: leizhiyuan
Date: Wed, 2 Jan 2019 15:33:19 +0800
Subject: [PATCH 3/4] optimize for multi classloader

---
 .../internal/InternalNameBlackListFilter.java | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/main/java/com/alipay/hessian/internal/InternalNameBlackListFilter.java b/src/main/java/com/alipay/hessian/internal/InternalNameBlackListFilter.java
index 238e8ad..bcbb2cf 100644
--- a/src/main/java/com/alipay/hessian/internal/InternalNameBlackListFilter.java
+++ b/src/main/java/com/alipay/hessian/internal/InternalNameBlackListFilter.java
@@ -32,8 +32,10 @@
 */
 public class InternalNameBlackListFilter extends NameBlackListFilter {
- private static final String blackListFile = System.getProperty("serialize.blacklist.file",
- "security/serialize.blacklist");
+ private static final String DEFAULT_BLACK_LIST = "security/serialize.blacklist";
+
+ private static final String blackListFile = System
+ .getProperty("serialize.blacklist.file", DEFAULT_BLACK_LIST);
 static final List INTERNAL_BLACK_LIST = readBlackList(blackListFile);
@@ -57,7 +59,13 @@ private static List readBlackList(String relativePath) {
 List result = new ArrayList();
 //Get file from resources folder
- ClassLoader classLoader = InternalNameBlackListFilter.class.getClassLoader();
+ ClassLoader classLoader;
+
+ if (blackListFile.equals(DEFAULT_BLACK_LIST)) {
+ classLoader = InternalNameBlackListFilter.class.getClassLoader();
+ } else {
+ classLoader = Thread.currentThread().getContextClassLoader();
+ }
 final URL resource = classLoader.getResource(relativePath);
 if (resource != null) {
 File file = new File(resource.getFile());

From 7f5c1aa7894e2328b0a68d7177d8565e740f8b1d Mon Sep 17 00:00:00 2001
From: leizhiyuan
Date: Wed, 2 Jan 2019 20:36:24 +0800
Subject: [PATCH 4/4] add test and cr

---
 .../internal/InternalNameBlackListFilter.java | 35 ++++++++++++++-----
 .../InternalNameBlackListFilterTest.java | 13 +++++++
 src/test/resources/test.blacklist | 3 ++
 3 files changed, 43 insertions(+), 8 deletions(-)
 create mode 100644 src/test/resources/test.blacklist

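Review bot: `blackListFile` is a `private static final` constant but keeps a lowerCamelCase name while `DEFAULT_BLACK_LIST` two lines above uses UPPER_SNAKE_CASE; `BLACK_LIST_FILE` would make the pair consistent. Neither field documents the `serialize.blacklist.file` property, which is the only operator-facing knob in this class; a Javadoc on the field such as `/** Classpath resource (not a filesystem path) listing denied names one per line; overridable with -Dserialize.blacklist.file and read once at class load. */` would make the contract visible.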
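Review bot: `Thread.currentThread().getContextClassLoader()` can return null, and the following context line `classLoader.getResource(relativePath)` would then throw a NullPointerException inside the static initializer of `INTERNAL_BLACK_LIST`, surfacing as ExceptionInInitializerError for every user of the filter; guard it with `if (classLoader == null) { classLoader = InternalNameBlackListFilter.class.getClassLoader(); }`. The branch also keys on the static `blackListFile` rather than on the `relativePath` argument, so the method's behaviour depends on class-wide state instead of its parameter; `relativePath.equals(DEFAULT_BLACK_LIST)` keeps it self-contained. Resolving a custom list through the context class loader means the outcome depends on whichever thread first triggers class initialization, which deserves at least a comment on the `else` branch. The method body continues outside the hunk.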
diff --git a/src/main/java/com/alipay/hessian/internal/InternalNameBlackListFilter.java b/src/main/java/com/alipay/hessian/internal/InternalNameBlackListFilter.java
index bcbb2cf..4ca36cb 100644
--- a/src/main/java/com/alipay/hessian/internal/InternalNameBlackListFilter.java
+++ b/src/main/java/com/alipay/hessian/internal/InternalNameBlackListFilter.java
@@ -19,7 +19,6 @@
 import com.alipay.hessian.NameBlackListFilter;
 import java.io.File;
-import java.io.IOException;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
@@ -55,7 +54,7 @@ public InternalNameBlackListFilter(int maxCacheSize) {
 super(INTERNAL_BLACK_LIST, maxCacheSize);
 }
- private static List readBlackList(String relativePath) {
+ static List readBlackList(String blackListFile) {
 List result = new ArrayList();
 //Get file from resources folder
@@ -66,20 +65,40 @@ private static List readBlackList(String relativePath) {
 } else {
 classLoader = Thread.currentThread().getContextClassLoader();
 }
- final URL resource = classLoader.getResource(relativePath);
+ final URL resource = classLoader.getResource(blackListFile);
 if (resource != null) {
 File file = new File(resource.getFile());
+ Scanner scanner = null;
 try {
- Scanner scanner = new Scanner(file);
+ scanner = new Scanner(file);
 while (scanner.hasNextLine()) {
- String line = scanner.nextLine();
- result.add(line);
+ final String nextLine = scanner.nextLine();
+ if (!isBlank(nextLine)) {
+ result.add(nextLine);
+ }
 }
- scanner.close();
- } catch (IOException e) {
+ } catch (Exception e) {
 //ignore
+ } finally {
+ if (scanner != null) {
+ scanner.close();
+ }
 }
 }
 return result;
 }
+
+ //is blank
+ static boolean isBlank(String cs) {
+ int strLen;
+ if (cs == null || (strLen = cs.length()) == 0) {
+ return true;
+ }
+ for (int i = 0; i < strLen; i++) {
+ if (!Character.isWhitespace(cs.charAt(i))) {
+ return false;
+ }
+ }
+ return true;
+ }
 }
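Review bot: Renaming the parameter to `blackListFile` shadows the static field of the same name, so the `if (blackListFile.equals(DEFAULT_BLACK_LIST))` class-loader selection (outside this hunk, shown as context in the previous commit) now compares the argument instead of the configured property — a behaviour change the commit message does not mention. It looks intended, since the new test's `"test.blacklist"` only resolves through the context class loader under that reading, but it should be explicit: name the parameter `resourcePath`, compare `resourcePath.equals(DEFAULT_BLACK_LIST)`, and add a Javadoc to the now package-visible method stating that it reads one entry per line from a classpath resource. The method body continues past the hunk.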
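Review bot: `catch (Exception e)` widens the previous `IOException` catch to every runtime exception, and the `//ignore` body still returns the partial or empty list as though it were the configured deny-list; the failure should at least be surfaced, e.g. `throw new IllegalStateException("failed to read serialize blacklist: " + blackListFile, e);`, so a misconfiguration is visible instead of silently weakening the filter. Separately, `isBlank` skips blank lines but entries are added untrimmed, so `result.add(nextLine.trim())` would stop a trailing space from silently disabling an entry, and `new Scanner(file, "UTF-8")` would avoid a platform-default-charset read. The jar-resource problem with `new File(resource.getFile())` is noted on the first commit's `readBlackList` hunk and still applies here.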
diff --git a/src/test/java/com/alipay/hessian/internal/InternalNameBlackListFilterTest.java b/src/test/java/com/alipay/hessian/internal/InternalNameBlackListFilterTest.java
index 50d107c..3dcd515 100644
--- a/src/test/java/com/alipay/hessian/internal/InternalNameBlackListFilterTest.java
+++ b/src/test/java/com/alipay/hessian/internal/InternalNameBlackListFilterTest.java
@@ -19,6 +19,8 @@
 import org.junit.Assert;
 import org.junit.Test;
+import java.util.List;
+
 /**
 * Created by zhanggeng on 2017/8/5.
 *
@@ -47,4 +49,15 @@ public void testAll() {
 Assert.assertTrue(pass);
 Assert.assertEquals(className, "com.alipay.xx");
 }
+
+ @Test
+ public void readBlackList() {
+
+ InternalNameBlackListFilter filter = new InternalNameBlackListFilter(3);
+ List result = filter.readBlackList("test.blacklist");
+ Assert.assertEquals(2, result.size());
+ Assert.assertEquals("aa", result.get(0));
+ Assert.assertEquals("bb", result.get(1));
+
+ }
 }
\ No newline at end of file
diff --git a/src/test/resources/test.blacklist b/src/test/resources/test.blacklist
new file mode 100644
index 0000000..0b21f36
--- /dev/null
+++ b/src/test/resources/test.blacklist
@@ -0,0 +1,3 @@
+aa
+
+bb
\ No newline at end of file
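Review bot: The new test only exercises the non-default branch (a resource named by the caller and resolved from an exploded test directory); nothing asserts that the shipped `security/serialize.blacklist` actually ends up in `INTERNAL_BLACK_LIST`, so a lookup failure that yields an empty list would pass the suite while the filter allows everything. Add `Assert.assertFalse(InternalNameBlackListFilter.INTERNAL_BLACK_LIST.isEmpty());` and pin one known entry, e.g. `Assert.assertTrue(InternalNameBlackListFilter.INTERNAL_BLACK_LIST.contains("com.sun.rowset.JdbcRowSetImpl"));`, and consider a test that loads the resource from a packaged jar, since that is how the default list is deployed. `filter.readBlackList(...)` also calls a static method through an instance; `InternalNameBlackListFilter.readBlackList("test.blacklist")` is the clearer form.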