Support custom black list. #29

Merged
merged 4 commits into from
Jan 3, 2019
Merged
3 changes: 3 additions & 0 deletions pom.xml
Expand Up @@ -86,6 +86,9 @@
<include>LICENSE</include>
</includes>
</resource>
<resource>
<directory>src/main/resources</directory>
</resource>
</resources>

<plugins>
Expand Up @@ -18,8 +18,12 @@

import com.alipay.hessian.NameBlackListFilter;

import java.util.Arrays;
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Scanner;

/**
* 内置黑名单列表过滤器
Expand All @@ -28,74 +32,12 @@
*/
public class InternalNameBlackListFilter extends NameBlackListFilter {

static final List<String> INTERNAL_BLACK_LIST = Arrays
.asList(
"org.codehaus.groovy.runtime.MethodClosure",
"clojure.core$constantly",
"clojure.main$eval_opt",
"com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactory",
"com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactoryImpl",
"com.alibaba.citrus.springext.util.SpringExtUtil.AbstractProxy",
"com.alipay.custrelation.service.model.redress.Pair",
"com.caucho.hessian.test.TestCons",
"com.mchange.v2.c3p0.JndiRefForwardingDataSource",
"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
"com.rometools.rome.feed.impl.EqualsBean",
"com.rometools.rome.feed.impl.ToStringBean",
"com.sun.jndi.rmi.registry.BindingEnumeration",
"com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl",
"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
"com.sun.rowset.JdbcRowSetImpl",
"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data",
"java.rmi.server.UnicastRemoteObject",
"java.security.SignedObject",
"java.util.ServiceLoader$LazyIterator",
"javax.imageio.ImageIO$ContainsFilter",
"javax.imageio.spi.ServiceRegistry",
"javax.management.BadAttributeValueExpException",
"javax.naming.InitialContext",
"javax.naming.spi.ObjectFactory",
"javax.script.ScriptEngineManager",
"javax.sound.sampled.AudioFormat$Encoding",
"org.apache.carbondata.core.scan.expression.ExpressionResult",
"org.apache.commons.dbcp.datasources.SharedPoolDataSource",
"org.apache.ibatis.executor.loader.AbstractSerialStateHolder",
"org.apache.ibatis.executor.loader.CglibSerialStateHolder",
"org.apache.ibatis.executor.loader.JavassistSerialStateHolder",
"org.apache.ibatis.executor.loader.cglib.CglibProxyFactory",
"org.apache.ibatis.executor.loader.javassist.JavassistSerialStateHolder",
"org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource",
"org.apache.wicket.util.upload.DiskFileItem",
"org.apache.xalan.xsltc.trax.TemplatesImpl",
"org.apache.xbean.naming.context.ContextUtil$ReadOnlyBinding",
"org.apache.xpath.XPathContext",
"org.eclipse.jetty.util.log.LoggerLog",
"org.geotools.filter.ConstantExpression",
"org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder",
"org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor",
"org.springframework.beans.factory.BeanFactory",
"org.springframework.beans.factory.config.PropertyPathFactoryBean",
"org.springframework.beans.factory.support.DefaultListableBeanFactory",
"org.springframework.jndi.support.SimpleJndiBeanFactory",
"org.springframework.orm.jpa.AbstractEntityManagerFactoryBean",
"org.springframework.transaction.jta.JtaTransactionManager",
"org.yaml.snakeyaml.tokens.DirectiveToken",
"sun.rmi.server.UnicastRef",
"javax.management.ImmutableDescriptor",
"org.springframework.jndi.JndiObjectTargetSource",
"ch.qos.logback.core.db.JNDIConnectionSource",
"java.beans.Expression",
"javassist.bytecode",
"org.apache.ibatis.javassist.bytecode",
"org.springframework.beans.factory.config.MethodInvokingFactoryBean",
"com.alibaba.druid.pool.DruidDataSource",
"com.sun.org.apache.bcel.internal.util.ClassLoader",
"com.alibaba.druid.stat.JdbcDataSourceStat",
"org.apache.tomcat.dbcp.dbcp.BasicDataSource",
"com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput",
"javassist.tools.web.Viewer",
"net.bytebuddy.dynamic.loading.ByteArrayClassLoader",
"org.apache.commons.beanutils.BeanMap");
private static final String DEFAULT_BLACK_LIST = "security/serialize.blacklist";

private static final String blackListFile = System
.getProperty("serialize.blacklist.file", DEFAULT_BLACK_LIST);

static final List<String> INTERNAL_BLACK_LIST = readBlackList(blackListFile);

/**
* 构造函数
Expand All @@ -112,4 +54,32 @@ public InternalNameBlackListFilter() {
public InternalNameBlackListFilter(int maxCacheSize) {
super(INTERNAL_BLACK_LIST, maxCacheSize);
}

private static List<String> readBlackList(String relativePath) {

List<String> result = new ArrayList<String>();
//Get file from resources folder
ClassLoader classLoader;

if (blackListFile.equals(DEFAULT_BLACK_LIST)) {
classLoader = InternalNameBlackListFilter.class.getClassLoader();
} else {
classLoader = Thread.currentThread().getContextClassLoader();
}
final URL resource = classLoader.getResource(relativePath);
if (resource != null) {
File file = new File(resource.getFile());
try {
Scanner scanner = new Scanner(file);
while (scanner.hasNextLine()) {
String line = scanner.nextLine();
result.add(line);
Add to list if not blank.

}
scanner.close();

move to finally.

ok

} catch (IOException e) {
//ignore
}
}
return result;
}
}
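Review bot: `File file = new File(resource.getFile())` in `readBlackList` only works while `security/serialize.blacklist` is an unpacked file on disk; once it is packaged into the jar (which the `src/main/resources` entry added to pom.xml arranges), `resource.getFile()` yields a `…jar!/…` style path that `File` cannot open, `new Scanner(file)` throws, `catch (IOException e) { //ignore }` swallows it, and `INTERNAL_BLACK_LIST` is initialized empty — a deserialization blacklist that fails open without any log line. Read the resource through `classLoader.getResourceAsStream(relativePath)` instead and fail loudly when it is null or unreadable; with the stream-based `Scanner(InputStream, String)` constructor the `catch (IOException e)` block is no longer reachable and should be dropped. The class-loader branch also tests the static `blackListFile` rather than the `relativePath` parameter the method declares, so `if (relativePath.equals(DEFAULT_BLACK_LIST))` is what the signature implies. `InputStream` would need a `java.io.InputStream` import, and an exception thrown while initializing `INTERNAL_BLACK_LIST` surfaces as `ExceptionInInitializerError` on first use of the filter, which is presumably the intended failure mode for a missing list rather than running with no filtering.
```java
private static List<String> readBlackList(String relativePath) {
    List<String> result = new ArrayList<String>();
    ClassLoader classLoader;
    if (relativePath.equals(DEFAULT_BLACK_LIST)) {
        classLoader = InternalNameBlackListFilter.class.getClassLoader();
    } else {
        classLoader = Thread.currentThread().getContextClassLoader();
    }
    // getResourceAsStream works whether the list is on disk or inside the packaged jar;
    // URL.getFile() + new File(...) only works for the former.
    final InputStream in = classLoader.getResourceAsStream(relativePath);
    if (in == null) {
        // A missing or unreadable blacklist must not silently disable the filter.
        throw new IllegalStateException("serialize blacklist resource not found: " + relativePath);
    }
    Scanner scanner = new Scanner(in, "UTF-8");
    // … unchanged: line loop and scanner.close() …
    return result;
}
```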
66 changes: 66 additions & 0 deletions src/main/resources/security/serialize.blacklist
@@ -0,0 +1,66 @@
org.codehaus.groovy.runtime.MethodClosure
clojure.core$constantly
clojure.main$eval_opt
com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactory
com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactoryImpl
com.alibaba.citrus.springext.util.SpringExtUtil.AbstractProxy
com.alipay.custrelation.service.model.redress.Pair
com.caucho.hessian.test.TestCons
com.mchange.v2.c3p0.JndiRefForwardingDataSource
com.mchange.v2.c3p0.WrapperConnectionPoolDataSource
com.rometools.rome.feed.impl.EqualsBean
com.rometools.rome.feed.impl.ToStringBean
com.sun.jndi.rmi.registry.BindingEnumeration
com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
com.sun.rowset.JdbcRowSetImpl
com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data
java.rmi.server.UnicastRemoteObject
java.security.SignedObject
java.util.ServiceLoader$LazyIterator
javax.imageio.ImageIO$ContainsFilter
javax.imageio.spi.ServiceRegistry
javax.management.BadAttributeValueExpException
javax.naming.InitialContext
javax.naming.spi.ObjectFactory
javax.script.ScriptEngineManager
javax.sound.sampled.AudioFormat$Encoding
org.apache.carbondata.core.scan.expression.ExpressionResult
org.apache.commons.dbcp.datasources.SharedPoolDataSource
org.apache.ibatis.executor.loader.AbstractSerialStateHolder
org.apache.ibatis.executor.loader.CglibSerialStateHolder
org.apache.ibatis.executor.loader.JavassistSerialStateHolder
org.apache.ibatis.executor.loader.cglib.CglibProxyFactory
org.apache.ibatis.executor.loader.javassist.JavassistSerialStateHolder
org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource
org.apache.wicket.util.upload.DiskFileItem
org.apache.xalan.xsltc.trax.TemplatesImpl
org.apache.xbean.naming.context.ContextUtil$ReadOnlyBinding
org.apache.xpath.XPathContext
org.eclipse.jetty.util.log.LoggerLog
org.geotools.filter.ConstantExpression
org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder
org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor
org.springframework.beans.factory.BeanFactory
org.springframework.beans.factory.config.PropertyPathFactoryBean
org.springframework.beans.factory.support.DefaultListableBeanFactory
org.springframework.jndi.support.SimpleJndiBeanFactory
org.springframework.orm.jpa.AbstractEntityManagerFactoryBean
org.springframework.transaction.jta.JtaTransactionManager
org.yaml.snakeyaml.tokens.DirectiveToken
sun.rmi.server.UnicastRef
javax.management.ImmutableDescriptor
org.springframework.jndi.JndiObjectTargetSource
ch.qos.logback.core.db.JNDIConnectionSource
java.beans.Expression
javassist.bytecode
org.apache.ibatis.javassist.bytecode
org.springframework.beans.factory.config.MethodInvokingFactoryBean
com.alibaba.druid.pool.DruidDataSource
com.sun.org.apache.bcel.internal.util.ClassLoader
com.alibaba.druid.stat.JdbcDataSourceStat
org.apache.tomcat.dbcp.dbcp.BasicDataSource
com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput
javassist.tools.web.Viewer
net.bytebuddy.dynamic.loading.ByteArrayClassLoader
org.apache.commons.beanutils.BeanMap