DecodeableRpcInvocation增加入参类型校验 #6374
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
这个修复好像一点都拦不住恶意代码,看下面这个例子,藏在types和objects里的恶意代码,你根本识别不了,也无法判断到底是不是恶意代码。 |
抱歉...github这块操作我还不太熟悉..不小心点了很多奇怪的操作。
|
|
LGTM. |
|
@aquariuspj Thanks for the enhancement. Next time when discussing a vulnerability issue, please send an email to security@dubbo.apache.org. |
你的规则应该只能挡住调用$invoke的入参也是错误的情况吧,只要参数是符合String,String[],Object[],即使包含了恶意代码,也防不住的吧?
|
是的,入参类型正确,反序列化一定会被执行。
|
没太理解,要么加个钉钉详聊一下?钉钉:haiyang198542 |
mercyblitz
added a commit
that referenced
this pull request
Jul 2, 2020
* Polish #6296 : Adding the new methods into MetadataReport to manipulate the exported URLs for service introspection * Polish #6296 : Adding the new methods into MetadataReport to manipulate the exported URLs for service introspection * Polish #6171 : [Feature] Introducing the composite implementation of MetadataService * Revert "fix wrong check of InvokerListener when export a service (fix issue_6269) (#6271)" This reverts commit 91989ca. * Revert "fix wrong check of InvokerListener when export a service (fix issue_6269) (#6271)" This reverts commit 91989ca. * Revert the MetadataReport * Polish #6305 : [Refactor] ServiceConfig and ReferenceConfig publish the ServiceDefinition based on the Dubbo Event * Polish #6198 : [Issue] Fixing NacosDynamicConfiguration#publishConfig bug * Polish #6310 : Refactoring MetadataReport's methods * Polish #6198 : [Issue] Fixing NacosDynamicConfiguration#publishConfig bug * Polish #6198 : [Issue] Fixing NacosDynamicConfiguration#publishConfig bug * Polish #6315 : [Refactor] Refactoring the implementation of MetadataReport based on The Config-Center infrastructure Deprecated List : - NacosMetadataReport - ZookeeperMetadataReport * Polish #6315 : Refactoring by TreePathDynamicConfiguration * Polish #6315 : Refactoring ConsulDynamicConfiguration by TreePathDynamicConfiguration * Polish #6315 : Reset the config base path to be "metadata" for ConfigCenterBasedMetadataReportFactory * Polish #6315 : Bugfix * Polish #6315 : Bugfix * Polish #6315 : Correct words * sync wait netty server to finish shutdown (#6281) * Polish #6333 : [Refactor] Using mandatory implementation of Service Instance registration instead of the event * maybe we can remove null judge in this case (#6321) * update * update * Polish #6336 : [Refactor] org.apache.dubbo.metadata.ServiceNameMapping * Polish #6170 : [Feature] Introducing the externalized configuration for ServiceNameMapping * Polish #6342 : [Enhancement] Introducing the composite ServiceNameMapping * Refactor * fix method name typo in JValidator.java (#6344) * [Dubbo-6340]fix application cannot exit when use consul registry (#6341) * fix application cannot exit when use consul registry * make consul registry suppor ACL (#6313) * make consul registry suppor ACL * Polish #6172 : [Feature] Adding the "services" attribute methods into @DubboReference * Polish #6173 : [Feature] Adding the "services" attribute into <dubbo:reference> element * Polish #6346 : [Issue] Merging all subscribied URLs from the multiple services * Polish #6346 : [Issue] Merging all subscribied URLs from the multiple services * fix publish null value when use consul config center (#6351) * fix publish null value when use consul config center * Polish #6252 * Polish #6356 & #6171 * Polish #6356 & #6171 * Polish #6224 : Filter chain was not invoked with local calls since v2.7.6 * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * Polish #6322 : Adding META-INF/dubbo/internal/org.apache.dubbo.metadata.MetadataServiceExporter * fix the priority of ListenableRouter were not effective (#6148) fixes #4822 * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * when the url is generic, the log level should be info (#6363) * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * fix NPE when check=false is set and provider is empty. (#6376) fixes #6228 * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * fix #6306. support TypeBuilder sort (#6365) * fix #6306. support TypeBuilder sort * fix #6306. support TypeBuilder sort * fix #6306. support TypeBuilder sort * remove unused import * add license for test file * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * enhance ClusterInvoker & ExtensionLoader (#6343) - Introduce ClusterInvoker to better support multiple registries subscription - Wrapper sort and enable/disable - some small fixes * Polish #6322 : [Enhancement] Fix the issues of test-cases after refactoring * Fixed the test-cases * Enhancement, support Map auto recognize in PojoUtils (#6106) Fix #5939 * Polish #6389 : [Issue] Resolving the issues with ConsulServiceDiscovery * fix typo in CommonConstants (#6373) * Fix export provider error, change to catch throwable, handle NoClassDefFoundError (#6380) * check parameterTypesDesc of Generic and Echo (#6374) * add tps filter to SPI list (#6282) * Do not clear all configurator instances when override is empty (#6395) * Service callback throws "Not found exported service" when 'bind.port' is set (#6223) * Removing RpcContext after test finishes. (#6314) * Introduce ClusterInvoker to better support multiple registries subscription (#6343) * return same reference invokers as much as possible (#6083) fixes #6082 * fix ut * Fixes the test-cases * Fixes the test-cases * Fixes the test-cases Co-authored-by: tswstarplanet <tswstarplanet@apache.org> Co-authored-by: Nine <nine.yang.coding@gmail.com> Co-authored-by: 陈哈哈 <chenyongjia365@outlook.com> Co-authored-by: luoning810 <18311333766@163.com> Co-authored-by: cvictory <shenglicao2@gmail.com> Co-authored-by: ken.lj <ken.lj.hz@gmail.com> Co-authored-by: Siqu Chen <32302975+DIscord010@users.noreply.github.com> Co-authored-by: D-H-T <dht925nerd@126.com> Co-authored-by: skyguard1 <qhdxssm@qq.com> Co-authored-by: Jeff Lu <278400368@qq.com> Co-authored-by: Christophe·liwei <2484713618@qq.com> Co-authored-by: Joe Zou <joezou@apache.org> Co-authored-by: 李黄河 <jameslover121@gmail.com> Co-authored-by: OrDTesters <44483852+OrDTesters@users.noreply.github.com> Co-authored-by: zjseu2009 <zjseu2009@163.com>
|
不好意思,请问下 2.6.x 版本不修复这个漏洞吗? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
目的
加固 关于CVE-2020-1948 的问题修复。
问题
通过简单的修改CVE-2020-1948的POC示例,我在dubbo-2.7.7中再次复现了该问题。
修改为
注入的恶意代码ExploitMac.java依然会被执行。
提交内容