1 package com.fasterxml.jackson.databind.jsontype.impl;
2
3 import java.util.Collections;
4 import java.util.HashSet;
5 import java.util.Set;
6
7 import com.fasterxml.jackson.databind.BeanDescription;
8 import com.fasterxml.jackson.databind.DeserializationContext;
9 import com.fasterxml.jackson.databind.JavaType;
10 import com.fasterxml.jackson.databind.JsonMappingException;
11
12 /**
13  * Helper class used to encapsulate rules that determine subtypes that
14  * are invalid to use, even with default typing, mostly due to security
15  * concerns.
16  * Used by <code>BeanDeserializerFactory</code>
17  *
18  * @since 2.8.11
19  */

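public class SubTypeValidator
{
    /** Package prefix for which the Spring superclass-name rule in {@link #_isIllegalSubType} applies. */
    protected final static String PREFIX_SPRING = "org.springframework.";

    /** Package prefix for which the c3p0 {@code *DataSource} rule in {@link #_isIllegalSubType} applies. */
    protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";

    /**
     * Set of well-known "nasty classes", deserialization of which is considered dangerous
     * and should (and is) prevented by default.
     *<p>
     * Entries are matched against the <b>exact</b> fully-qualified name of the raw class
     * ({@code Class.getName()}): a subclass of a listed class, or a shaded/relocated copy of
     * it, is NOT covered by an entry and needs its own (see e.g. the separate entries for
     * {@code HikariConfig} / {@code HikariDataSource} and the hadoop-shaded {@code HikariConfig}
     * below). Only the two prefix rules in {@link #_isIllegalSubType} walk the class hierarchy.
     */
    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
    static {
        Set<String> s = new HashSet<String>();
        // Courtesy of [https://github.com/kantega/notsoserial]:
        // (and wrt [databind#1599])
        s.add("org.apache.commons.collections.functors.InvokerTransformer");
        s.add("org.apache.commons.collections.functors.InstantiateTransformer");
        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
        s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
        s.add("org.codehaus.groovy.runtime.MethodClosure");
        s.add("org.springframework.beans.factory.ObjectFactory");
        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
        s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
        // [databind#1680]: may or may not be problem, take no chance
        s.add("com.sun.rowset.JdbcRowSetImpl");
        // [databind#1737]; JDK provided
        s.add("java.util.logging.FileHandler");
        s.add("java.rmi.server.UnicastRemoteObject");
        // [databind#1737]; 3rd party
        // NOTE: "org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor" used to be
        // listed here; since [databind#1855] it is handled by the PREFIX_SPRING superclass
        // rule in _isIllegalSubType() instead.
        s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
        // [databind#2680]
        s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
        s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");

        // NOTE: "com.mchange.v2.c3p0.JndiRefForwardingDataSource" and
        // "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource" used to be listed here;
        // since [databind#1931] they are handled by the PREFIX_C3P0 "*DataSource" rule.
        // [databind#1855]: more 3rd party
        s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
        s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
        // [databind#1899]: more 3rd party
        s.add("org.hibernate.jmx.StatisticsService");
        s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
        // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
        s.add("org.apache.ibatis.parsing.XPathParser");

        // [databind#2052]: Jodd-db, with jndi/ldap lookup
        s.add("jodd.db.connection.DataSourceConnectionProvider");

        // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
        s.add("oracle.jdbc.rowset.OracleJDBCRowSet");

        // [databind#2097]: some 3rd party, one JDK-bundled
        s.add("org.slf4j.ext.EventData");
        s.add("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor");
        s.add("com.sun.deploy.security.ruleset.DRSHelper");
        s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");

        // [databind#2186], [databind#2670]: yet more 3rd party gadgets
        s.add("org.jboss.util.propertyeditor.DocumentEditor");
        s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
        s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
        s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
        s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");

        // [databind#2326] (2.9.9)
        s.add("com.mysql.cj.jdbc.admin.MiniAdmin");

        // [databind#2334]: logback-core (2.9.9.1)
        s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");

        // [databind#2341]: jdom/jdom2 (2.9.9.1)
        s.add("org.jdom.transform.XSLTransformer");
        s.add("org.jdom2.transform.XSLTransformer");

        // [databind#2387], [databind#2460]: EHCache
        s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
        s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");

        // [databind#2389]: logback/jndi
        s.add("ch.qos.logback.core.db.JNDIConnectionSource");

        // [databind#2410]: HikariCP/metricRegistry config
        s.add("com.zaxxer.hikari.HikariConfig");
        // [databind#2449]: and sub-class thereof (exact-name matching does not cover subclasses)
        s.add("com.zaxxer.hikari.HikariDataSource");

        // [databind#2420]: CXF/JAX-RS provider/XSLT
        s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");

        // [databind#2462]: commons-configuration / -2
        s.add("org.apache.commons.configuration.JNDIConfiguration");
        s.add("org.apache.commons.configuration2.JNDIConfiguration");

        // [databind#2469]: xalan
        s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
        // [databind#2704]: xalan2 (JDK-internal copy)
        s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");

        // [databind#2478]: commons-dbcp, p6spy
        s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
        s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
        s.add("com.p6spy.engine.spy.P6DataSource");

        // [databind#2498]: log4j-extras (1.2)
        s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
        s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");

        // [databind#2526]: some more ehcache
        s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");
        s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");

        // [databind#2620]: xbean-reflect
        s.add("org.apache.xbean.propertyeditor.JndiConverter");

        // [databind#2631]: shaded hikari-config (relocated copies need their own entry)
        s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");

        // [databind#2634]: ibatis-sqlmap, anteros-core/-dbcp
        s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
        s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
        // [databind#2814]: anteros-dbcp
        s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");

        // [databind#2642][databind#2854]: javax.swing (jdk)
        s.add("javax.swing.JEditorPane");
        s.add("javax.swing.JTextPane");

        // [databind#2648], [databind#2653]: shiro-core
        s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
        s.add("org.apache.shiro.jndi.JndiObjectFactory");

        // [databind#2658]: ignite-jta (, quartz-core)
        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
        s.add("org.quartz.utils.JNDIConnectionProvider");

        // [databind#2659]: aries.transaction.jms
        s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
        s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");

        // [databind#2660]: caucho-quercus
        s.add("com.caucho.config.types.ResourceRef");

        // [databind#2662]: aoju/bus-proxy
        s.add("org.aoju.bus.proxy.provider.RmiProvider");
        s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");

        // [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms
        s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
        s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
        s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
        s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
        s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
        s.add("org.apache.activemq.pool.PooledConnectionFactory");
        s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
        s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
        s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");

        // [databind#2666]: apache commons-proxy (package is org.apache.commons.proxy)
        s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");

        // [databind#2682]: commons-jelly
        s.add("org.apache.commons.jelly.impl.Embedded");

        // [databind#2688]: apache/drill (relocated xalan copy)
        s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");

        // [databind#2698]: weblogic w/ oracle/aq-jms
        // (note: dependency not available via Maven Central, but as part of
        // weblogic installation, possibly fairly old version(s))
        s.add("oracle.jms.AQjmsQueueConnectionFactory");
        s.add("oracle.jms.AQjmsXATopicConnectionFactory");
        s.add("oracle.jms.AQjmsTopicConnectionFactory");
        s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
        s.add("oracle.jms.AQjmsXAConnectionFactory");

        // [databind#2764]: org.jsecurity:
        s.add("org.jsecurity.realm.jndi.JndiRealmFactory");

        // [databind#2798]: com.pastdev.httpcomponents:
        s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");

        // [databind#2826], [databind#2827]
        s.add("com.nqadmin.rowset.JdbcRowSetImpl");
        s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl");

        // Exposed read-only so nothing can silently widen or shrink the default denylist.
        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
    }

    /**
     * Set of class names of types that are never to be deserialized.
     *<p>
     * Not final, so a subclass may install its own set; note that whatever set
     * {@link #instance()} carries is shared by every caller in the class loader.
     */
    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;

    /** Single shared validator instance handed out by {@link #instance()}. */
    private final static SubTypeValidator instance = new SubTypeValidator();

    protected SubTypeValidator() { }

    /**
     * Accessor for the shared default validator (one per class loader).
     */
    public static SubTypeValidator instance() { return instance; }

    /**
     * Checks whether given type may be deserialized, and if not, reports
     * the problem through the context.
     *
     * @param ctxt Context used to report a rejected type
     * @param type Type about to be deserialized; only its raw class is inspected
     * @param beanDesc Bean description passed through to the report
     *
     * @throws JsonMappingException if the type is rejected: the rejection is handed to
     *    {@code ctxt.reportBadTypeDefinition(...)}, which is expected to throw it
     */
    public void validateSubType(DeserializationContext ctxt, JavaType type,
            BeanDescription beanDesc) throws JsonMappingException
    {
        // There are certain nasty classes that could cause problems, mostly
        // via default typing -- catch them here.
        final Class<?> raw = type.getRawClass();
        if (!_isIllegalSubType(raw)) {
            return;
        }
        ctxt.reportBadTypeDefinition(beanDesc,
                "Illegal type (%s) to deserialize: prevented for security reasons", raw.getName());
    }

    /**
     * Side-effect-free decision of whether the given raw class must not be
     * deserialized. Separated from {@link #validateSubType} so that the rule set
     * can be tested, and reused by subclasses, without a deserialization context.
     *<p>
     * Rules, in order:
     *<ol>
     * <li>Exact fully-qualified name is in {@link #_cfgIllegalClassNames}: illegal.</li>
     * <li>Interfaces are otherwise always allowed (prefix rules below apply to classes only).</li>
     * <li>Spring ({@link #PREFIX_SPRING}): illegal if the class or any superclass below
     *     {@code Object} has the simple name {@code AbstractPointcutAdvisor} or
     *     {@code AbstractApplicationContext}.</li>
     * <li>c3p0 ({@link #PREFIX_C3P0}): illegal if the name ends with {@code DataSource}.</li>
     *</ol>
     *
     * @param raw Raw class to check (must not be {@code null})
     *
     * @return {@code true} if deserialization of {@code raw} must be prevented
     */
    protected boolean _isIllegalSubType(Class<?> raw)
    {
        final String full = raw.getName();

        if (_cfgIllegalClassNames.contains(full)) {
            return true;
        }

        // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
        //    for some Spring framework types
        // 05-Jan-2018 (original note reads 2017, presumably a typo), tatu: ... also,
        //    only applies to classes, not interfaces
        if (raw.isInterface()) {
            return false;
        }
        if (full.startsWith(PREFIX_SPRING)) {
            // Walk up the hierarchy: matching is by simple name only, so any subclass of
            // the two abstract types is caught regardless of its package.
            for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
                String name = cls.getSimpleName();
                // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
                if ("AbstractPointcutAdvisor".equals(name)
                        // ditto  for "FileSystemXmlApplicationContext": block all ApplicationContexts
                        || "AbstractApplicationContext".equals(name)) {
                    return true;
                }
            }
            return false;
        }
        if (full.startsWith(PREFIX_C3P0)) {
            // [databind#1737]; more 3rd party
            //   com.mchange.v2.c3p0.JndiRefForwardingDataSource
            //   com.mchange.v2.c3p0.WrapperConnectionPoolDataSource
            // [databind#1931]; more 3rd party
            //   com.mchange.v2.c3p0.ComboPooledDataSource
            //   com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource
            // All share the "DataSource" suffix, hence the suffix rule instead of a list.
            return full.endsWith("DataSource");
        }
        return false;
    }
}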
271