IGNITE-23594 Enhance object input stream filtering (#11642)

Author: petrov-mg

Diff for: checkstyle/checkstyle-suppressions.xml

@@ -25,5 +25,5 @@
               files="BCrypt\.java|ConcurrentLinkedDeque8\.java"/>
     <suppress checks="NoWhitespaceBefore" files="ConcurrentLinkedHashMap\.java"/>
     <suppress checks="LineLength"
-              files="ClusterTagGenerator\.java|PagesWriteSpeedBasedThrottle\.java|GridExecutorService\.java|CatboostClassificationModel\.java"/>
+              files="ClusterTagGenerator\.java|PagesWriteSpeedBasedThrottle\.java|GridExecutorService\.java|CatboostClassificationModel\.java|classnames\.properties"/>
 </suppressions>

Diff for: modules/clients/src/test/java/org/apache/ignite/internal/processors/rest/JettyRestProcessorAbstractSelfTest.java

@@ -77,10 +77,12 @@
 import org.apache.ignite.lang.IgnitePredicate;
 import org.apache.ignite.lang.IgniteUuid;
 import org.apache.ignite.testframework.GridTestUtils;
+import org.apache.ignite.testframework.junits.WithSystemProperty;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
 
+import static org.apache.ignite.IgniteSystemProperties.IGNITE_ENABLE_OBJECT_INPUT_FILTER_AUTOCONFIGURATION;
 import static org.apache.ignite.IgniteSystemProperties.IGNITE_MARSHALLER_BLACKLIST;
 import static org.apache.ignite.IgniteSystemProperties.IGNITE_USE_BINARY_ARRAYS;
 import static org.apache.ignite.cache.CacheMode.PARTITIONED;
@@ -108,6 +110,7 @@
  */
 @SuppressWarnings("unchecked")
 @RunWith(Parameterized.class)
+@WithSystemProperty(key = IGNITE_ENABLE_OBJECT_INPUT_FILTER_AUTOCONFIGURATION, value = "false")
 public abstract class JettyRestProcessorAbstractSelfTest extends JettyRestProcessorCommonSelfTest {
     /** */
     private static boolean memoryMetricsEnabled;

Diff for: modules/clients/src/test/java/org/apache/ignite/internal/processors/rest/TcpRestUnmarshalVulnerabilityTest.java

@@ -37,9 +37,11 @@
 import org.apache.ignite.internal.util.lang.GridAbsPredicate;
 import org.apache.ignite.internal.util.typedef.internal.U;
 import org.apache.ignite.testframework.GridTestUtils;
+import org.apache.ignite.testframework.junits.WithSystemProperty;
 import org.apache.ignite.testframework.junits.common.GridCommonAbstractTest;
 import org.junit.Test;
 
+import static org.apache.ignite.IgniteSystemProperties.IGNITE_ENABLE_OBJECT_INPUT_FILTER_AUTOCONFIGURATION;
 import static org.apache.ignite.IgniteSystemProperties.IGNITE_MARSHALLER_BLACKLIST;
 import static org.apache.ignite.IgniteSystemProperties.IGNITE_MARSHALLER_WHITELIST;
 import static org.apache.ignite.internal.processors.rest.protocols.tcp.GridMemcachedMessage.IGNITE_HANDSHAKE_FLAG;
@@ -48,6 +50,7 @@
 /**
  * Tests for whitelist and blacklist ot avoiding deserialization vulnerability.
  */
+@WithSystemProperty(key = IGNITE_ENABLE_OBJECT_INPUT_FILTER_AUTOCONFIGURATION, value = "false")
 public class TcpRestUnmarshalVulnerabilityTest extends GridCommonAbstractTest {
     /** Marshaller. */
     private static final GridClientJdkMarshaller MARSH = new GridClientJdkMarshaller();

Diff for: modules/core/src/main/java/org/apache/ignite/IgniteSystemProperties.java

@@ -916,6 +916,21 @@ public final class IgniteSystemProperties {
         type = String.class)
     public static final String IGNITE_MARSHALLER_BLACKLIST = "IGNITE_MARSHALLER_BLACKLIST";
 
+    /**
+     * If this parameter is set to true, Ignite will automatically configure an ObjectInputFilter instance for the
+     * current JVM it is running in.
+     * Default value is {@code true}.
+     */
+    @SystemProperty(
+        value = "If this parameter is set to true, Ignite will automatically configure an ObjectInputFilter" +
+            " instance for the current JVM it is running in. Filtering is based on class lists defined by the" +
+            " `IGNITE_MARSHALLER_WHITELIST` and `IGNITE_MARSHALLER_BLACKLIST` system properties or their default values." +
+            " Disabling it is not recommended because the Ignite host may be vulnerable to RCE attacks based on Java" +
+            " serialization mechanisms",
+        defaults = "true"
+    )
+    public static final String IGNITE_ENABLE_OBJECT_INPUT_FILTER_AUTOCONFIGURATION = "IGNITE_ENABLE_OBJECT_INPUT_FILTER_AUTOCONFIGURATION";
+
     /**
      * If set to {@code true}, then default selected keys set is used inside
      * {@code GridNioServer} which lead to some extra garbage generation when

Diff for: modules/core/src/main/java/org/apache/ignite/internal/ClassSet.java

@@ -20,6 +20,7 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Objects;
 
 /**
  * Set of classes represented as prefix tree.
@@ -99,9 +100,45 @@ public boolean contains(String clsName) {
         return false;
     }
 
+    /** {@inheritDoc} */
+    @Override public boolean equals(Object o) {
+        if (this == o)
+            return true;
+
+        if (!(o instanceof ClassSet))
+            return false;
+
+        ClassSet other = (ClassSet)o;
+
+        return Objects.equals(root, other.root);
+    }
+
+    /** {@inheritDoc} */
+    @Override public int hashCode() {
+        return Objects.hashCode(root);
+    }
+
     /** */
     private static class Node {
         /** Children. */
         private Map<String, Node> children;
+
+        /** {@inheritDoc} */
+        @Override public boolean equals(Object o) {
+            if (this == o)
+                return true;
+
+            if (!(o instanceof Node))
+                return false;
+
+            Node other = (Node)o;
+
+            return Objects.equals(children, other.children);
+        }
+
+        /** {@inheritDoc} */
+        @Override public int hashCode() {
+            return Objects.hashCode(children);
+        }
     }
 }

Diff for: modules/core/src/main/java/org/apache/ignite/internal/IgniteKernal.java

@@ -201,9 +201,10 @@
 import org.apache.ignite.lifecycle.LifecycleAware;
 import org.apache.ignite.lifecycle.LifecycleBean;
 import org.apache.ignite.lifecycle.LifecycleEventType;
+import org.apache.ignite.marshaller.IgniteMarshallerClassFilter;
+import org.apache.ignite.marshaller.Marshaller;
 import org.apache.ignite.marshaller.MarshallerExclusions;
 import org.apache.ignite.marshaller.MarshallerUtils;
-import org.apache.ignite.marshaller.jdk.JdkMarshaller;
 import org.apache.ignite.metric.IgniteMetrics;
 import org.apache.ignite.metric.MetricRegistry;
 import org.apache.ignite.plugin.IgnitePlugin;
@@ -926,14 +927,18 @@ public void start(
 
         List<PluginProvider> plugins = U.allPluginProviders(cfg, true);
 
+        IgniteMarshallerClassFilter clsFilter = MarshallerUtils.classNameFilter(getClass().getClassLoader());
+
+        MarshallerUtils.autoconfigureObjectInputFilter(clsFilter);
+
         // Spin out SPIs & managers.
         try {
             ctx = new GridKernalContextImpl(log,
                 this,
                 cfg,
                 gw,
                 plugins,
-                MarshallerUtils.classNameFilter(this.getClass().getClassLoader()),
+                clsFilter,
                 workerRegistry,
                 hnd,
                 longJVMPauseDetector
@@ -943,7 +948,7 @@ public void start(
 
             mBeansMgr = new IgniteMBeansManager(this);
 
-            cfg.getMarshaller().setContext(ctx.marshallerContext());
+            initializeMarshaller();
 
             startProcessor(new GridInternalSubscriptionProcessor(ctx));
 
@@ -1444,7 +1449,6 @@ private void validateCommon(IgniteConfiguration cfg) {
             A.notNull(cfg.getMBeanServer(), "cfg.getMBeanServer()");
 
         A.notNull(cfg.getGridLogger(), "cfg.getGridLogger()");
-        A.notNull(cfg.getMarshaller(), "cfg.getMarshaller()");
         A.notNull(cfg.getUserAttributes(), "cfg.getUserAttributes()");
 
         // All SPIs should be non-null.
@@ -1520,6 +1524,28 @@ private void checkPhysicalRam() {
         }
     }
 
+    /** */
+    private void initializeMarshaller() {
+        Marshaller marsh = ctx.config().getMarshaller();
+
+        if (marsh == null) {
+            if (!BinaryMarshaller.available()) {
+                U.warn(log, "Standard BinaryMarshaller can't be used on this JVM. " +
+                    "Switch to HotSpot JVM or reach out Apache Ignite community for recommendations.");
+
+                marsh = ctx.marshallerContext().jdkMarshaller();
+            }
+            else
+                marsh = new BinaryMarshaller();
+
+            ctx.config().setMarshaller(marsh);
+        }
+
+        marsh.setContext(ctx.marshallerContext());
+
+        MarshallerUtils.setNodeName(marsh, ctx.igniteInstanceName());
+    }
+
     /**
      * @param cfg Ignite configuration to check for possible performance issues.
      */
@@ -1750,7 +1776,7 @@ private void addDataStorageConfigurationAttributes() throws IgniteCheckedExcepti
         }
 
         // Save data storage configuration.
-        add(ATTR_DATA_STORAGE_CONFIG, new JdkMarshaller().marshal(cfg.getDataStorageConfiguration()));
+        add(ATTR_DATA_STORAGE_CONFIG, ctx.marshallerContext().jdkMarshaller().marshal(cfg.getDataStorageConfiguration()));
     }
 
     /**

Diff for: modules/core/src/main/java/org/apache/ignite/internal/IgnitionEx.java

@@ -74,7 +74,6 @@
 import org.apache.ignite.failure.FailureContext;
 import org.apache.ignite.failure.FailureType;
 import org.apache.ignite.internal.binary.BinaryArray;
-import org.apache.ignite.internal.binary.BinaryMarshaller;
 import org.apache.ignite.internal.managers.discovery.GridDiscoveryManager;
 import org.apache.ignite.internal.processors.cache.CacheGroupContext;
 import org.apache.ignite.internal.processors.cache.distributed.dht.preloader.GridDhtPartitionFullMap;
@@ -104,9 +103,6 @@
 import org.apache.ignite.internal.worker.WorkersRegistry;
 import org.apache.ignite.lang.IgniteBiInClosure;
 import org.apache.ignite.lang.IgniteBiTuple;
-import org.apache.ignite.marshaller.Marshaller;
-import org.apache.ignite.marshaller.MarshallerUtils;
-import org.apache.ignite.marshaller.jdk.JdkMarshaller;
 import org.apache.ignite.mxbean.IgnitionMXBean;
 import org.apache.ignite.plugin.segmentation.SegmentationPolicy;
 import org.apache.ignite.resources.SpringApplicationContextResource;
@@ -1914,27 +1910,10 @@ private IgniteConfiguration initializeConfiguration(IgniteConfiguration cfg)
             }
 
             if (myCfg.getUserAttributes() == null)
-                myCfg.setUserAttributes(Collections.<String, Object>emptyMap());
+                myCfg.setUserAttributes(Collections.emptyMap());
 
             initializeDefaultMBeanServer(myCfg);
 
-            Marshaller marsh = myCfg.getMarshaller();
-
-            if (marsh == null) {
-                if (!BinaryMarshaller.available()) {
-                    U.warn(log, "Standard BinaryMarshaller can't be used on this JVM. " +
-                        "Switch to HotSpot JVM or reach out Apache Ignite community for recommendations.");
-
-                    marsh = new JdkMarshaller();
-                }
-                else
-                    marsh = new BinaryMarshaller();
-            }
-
-            MarshallerUtils.setNodeName(marsh, cfg.getIgniteInstanceName());
-
-            myCfg.setMarshaller(marsh);
-
             if (myCfg.getPeerClassLoadingLocalClassPathExclude() == null)
                 myCfg.setPeerClassLoadingLocalClassPathExclude(EMPTY_STRS);
 

Diff for: modules/core/src/main/java/org/apache/ignite/internal/MarshallerContextImpl.java

@@ -600,6 +600,8 @@ public void onMarshallerProcessorStarted(
 
         if (CU.isPersistenceEnabled(ctx.config()))
             fileStore.restoreMappings(this);
+
+        MarshallerUtils.setNodeName(jdkMarsh, ctx.igniteInstanceName());
     }
 
     /**

Diff for: modules/core/src/main/java/org/apache/ignite/internal/cdc/CdcMain.java

@@ -73,7 +73,6 @@
 import org.apache.ignite.internal.util.typedef.internal.U;
 import org.apache.ignite.lang.IgniteBiPredicate;
 import org.apache.ignite.lang.IgniteBiTuple;
-import org.apache.ignite.marshaller.MarshallerUtils;
 import org.apache.ignite.platform.PlatformType;
 import org.apache.ignite.spi.IgniteSpi;
 import org.apache.ignite.spi.metric.jmx.JmxMetricExporterSpi;
@@ -762,7 +761,7 @@ private void updateCaches() {
             Iterator<CdcCacheEvent> cacheEvts = GridLocalConfigManager
                 .readCachesData(
                     dbDir,
-                    MarshallerUtils.jdkMarshaller(kctx.igniteInstanceName()),
+                    kctx.marshallerContext().jdkMarshaller(),
                     igniteCfg)
                 .entrySet().stream()
                 .map(data -> {

Diff for: modules/core/src/main/java/org/apache/ignite/internal/managers/discovery/GridDiscoveryManager.java

@@ -120,7 +120,6 @@
 import org.apache.ignite.lang.IgniteProductVersion;
 import org.apache.ignite.lang.IgniteUuid;
 import org.apache.ignite.marshaller.Marshaller;
-import org.apache.ignite.marshaller.MarshallerUtils;
 import org.apache.ignite.plugin.security.SecurityCredentials;
 import org.apache.ignite.plugin.segmentation.SegmentationPolicy;
 import org.apache.ignite.spi.IgniteSpiException;
@@ -548,7 +547,7 @@ private void updateClientNodes(UUID leftNodeId) {
         spi.setListener(new DiscoverySpiListener() {
             private long gridStartTime;
 
-            private final Marshaller marshaller = MarshallerUtils.jdkMarshaller(ctx.igniteInstanceName());
+            private final Marshaller marshaller = ctx.marshallerContext().jdkMarshaller();
 
             /** {@inheritDoc} */
             @Override public void onLocalNodeInitialized(ClusterNode locNode) {

Diff for: modules/core/src/main/java/org/apache/ignite/internal/marshaller/optimized/OptimizedObjectInputStream.java

@@ -533,6 +533,15 @@ void readFields(Object obj, OptimizedClassDescriptor.ClassFields fieldOffs) thro
         }
     }
 
+    /** {@inheritDoc} */
+    @Override protected Class<?> resolveClass(ObjectStreamClass desc) throws ClassNotFoundException {
+        // NOTE: DO NOT CHANGE TO 'clsLoader.loadClass()'
+        // Must have 'Class.forName()' instead of clsLoader.loadClass()
+        // due to weird ClassNotFoundExceptions for arrays of classes
+        // in certain cases.
+        return U.forName(desc.getName(), clsLdr, ctx.classNameFilter());
+    }
+
     /**
      * Reads {@link Externalizable} object.
      *

Diff for: modules/core/src/main/java/org/apache/ignite/internal/processors/cache/ClusterCachesInfo.java

@@ -82,7 +82,6 @@
 import org.apache.ignite.lang.IgniteInClosure;
 import org.apache.ignite.lang.IgniteProductVersion;
 import org.apache.ignite.lang.IgniteUuid;
-import org.apache.ignite.marshaller.jdk.JdkMarshaller;
 import org.apache.ignite.plugin.CachePluginContext;
 import org.apache.ignite.plugin.CachePluginProvider;
 import org.apache.ignite.plugin.PluginProvider;
@@ -2540,7 +2539,7 @@ else if (exchActions == null) {
 
                     if (dsCfgBytes instanceof byte[]) {
                         try {
-                            DataStorageConfiguration crdDsCfg = new JdkMarshaller().unmarshal(
+                            DataStorageConfiguration crdDsCfg = ctx.marshallerContext().jdkMarshaller().unmarshal(
                                 (byte[])dsCfgBytes, U.resolveClassLoader(ctx.config()));
 
                             return CU.isPersistentCache(startedCacheCfg, crdDsCfg);

Diff for: modules/core/src/main/java/org/apache/ignite/internal/processors/cache/GridCacheProcessor.java

@@ -181,7 +181,6 @@
 import org.apache.ignite.lang.IgniteUuid;
 import org.apache.ignite.lifecycle.LifecycleAware;
 import org.apache.ignite.marshaller.Marshaller;
-import org.apache.ignite.marshaller.MarshallerUtils;
 import org.apache.ignite.metric.MetricRegistry;
 import org.apache.ignite.mxbean.IgniteMBeanAware;
 import org.apache.ignite.plugin.security.SecurityException;
@@ -346,7 +345,7 @@ public GridCacheProcessor(GridKernalContext ctx) {
         jCacheProxies = new ConcurrentHashMap<>();
         internalCaches = new HashSet<>();
 
-        marsh = MarshallerUtils.jdkMarshaller(ctx.igniteInstanceName());
+        marsh = ctx.marshallerContext().jdkMarshaller();
         splitter = new CacheConfigurationSplitterImpl(ctx, marsh);
         enricher = new CacheConfigurationEnricher(ctx, marsh, U.resolveClassLoader(ctx.config()));
     }

Diff for: modules/core/src/main/java/org/apache/ignite/internal/processors/cache/GridLocalConfigManager.java

@@ -65,7 +65,6 @@
 import org.apache.ignite.internal.util.typedef.internal.U;
 import org.apache.ignite.lang.IgniteUuid;
 import org.apache.ignite.marshaller.Marshaller;
-import org.apache.ignite.marshaller.MarshallerUtils;
 import org.jetbrains.annotations.Nullable;
 
 import static java.nio.file.Files.newDirectoryStream;
@@ -124,7 +123,7 @@ public GridLocalConfigManager(
         this.cacheProcessor = cacheProcessor;
         ctx = kernalCtx;
         log = ctx.log(getClass());
-        marshaller = MarshallerUtils.jdkMarshaller(ctx.igniteInstanceName());
+        marshaller = ctx.marshallerContext().jdkMarshaller();
 
         PdsFolderSettings<?> folderSettings = ctx.pdsFolderResolver().resolveFolders();
 

Diff for: modules/core/src/main/java/org/apache/ignite/internal/processors/cache/ValidationOnNodeJoinUtils.java

@@ -57,7 +57,6 @@
 import org.apache.ignite.internal.util.typedef.internal.U;
 import org.apache.ignite.lang.IgniteProductVersion;
 import org.apache.ignite.marshaller.Marshaller;
-import org.apache.ignite.marshaller.jdk.JdkMarshaller;
 import org.apache.ignite.plugin.security.SecurityException;
 import org.apache.ignite.spi.IgniteNodeValidationResult;
 import org.apache.ignite.spi.discovery.DiscoveryDataBag;
@@ -604,7 +603,7 @@ private static void checkMemoryConfiguration(ClusterNode rmt, GridKernalContext
         Object dsCfgBytes = rmt.attribute(IgniteNodeAttributes.ATTR_DATA_STORAGE_CONFIG);
 
         if (dsCfgBytes instanceof byte[])
-            dsCfg = new JdkMarshaller().unmarshal((byte[])dsCfgBytes, U.resolveClassLoader(ctx.config()));
+            dsCfg = ctx.marshallerContext().jdkMarshaller().unmarshal((byte[])dsCfgBytes, U.resolveClassLoader(ctx.config()));
 
         if (dsCfg == null) {
             // Try to use legacy memory configuration.

Diff for: modules/core/src/main/java/org/apache/ignite/internal/processors/cache/persistence/GridCacheDatabaseSharedManager.java

@@ -565,7 +565,8 @@ private DataRegionConfiguration createDefragmentationMappingRegionConfig(long re
                 kernalCtx.failure(),
                 kernalCtx.cache(),
                 () -> cpFreqDeviation.getOrDefault(DEFAULT_CHECKPOINT_DEVIATION),
-                kernalCtx.pools().getSystemExecutorService()
+                kernalCtx.pools().getSystemExecutorService(),
+                kernalCtx.marshallerContext().jdkMarshaller()
             );
 
             final NodeFileLockHolder preLocked = kernalCtx.pdsFolderResolver()