Fix insecure deserialization in ZookeeperDistributedQueue (CWE-502)#20
Open
devin-ai-integration[bot] wants to merge 2 commits intodevelop-7.0.xfrom
Add ObjectInputFilter to deserialize() to prevent Remote Code Execution via untrusted data from Zookeeper. The filter uses an allowlist approach, permitting only standard Java types and org.broadleafcommerce.* classes by default. Additional packages can be allowed via a new constructor parameter.

Co-Authored-By: Arjun Mishra <arjunsaxmishra@gmail.com>
Unwrap array component types and validate them against the allowlist to prevent bypass via arrays of disallowed types (e.g. Evil[]).

Co-Authored-By: Arjun Mishra <arjunsaxmishra@gmail.com>
Addresses a critical Remote Code Execution vulnerability via insecure deserialization.
A Brief Overview
ZookeeperDistributedQueue.deserialize() uses ObjectInputStream.readObject() on data from Zookeeper without any class filtering or validation. This is a well-known deserialization vulnerability (CWE-502) that can lead to Remote Code Execution (RCE) if an attacker can influence the data stored in Zookeeper.

Changes
- ObjectInputFilter (Java 9+ API) added to the deserialize() method that restricts deserialization to an allowlist of safe package prefixes: java.lang.*, java.util.*, java.io.*, java.math.*, java.time.*, java.net.*, org.broadleafcommerce.*
- New constructor parameter (additionalAllowedPackages) so callers can extend the allowlist for custom types if needed, without modifying the default security posture.
- The existing constructor passes null additional packages, preserving backward compatibility.

Labels: Security, critical
Additional context
The fix uses Java's built-in ObjectInputFilter mechanism (available since Java 9; this project targets Java 17), which is the recommended approach per Oracle's secure coding guidelines. The allowlist approach is preferred over a denylist because it prevents exploitation via novel gadget chains not yet on any known blocklist.

Link to Devin session: https://app.devin.ai/sessions/c0a8f4c8d62048afb7731807f1bf6dbe
Requested by: @Colhodm
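The following is an added, self-contained illustration of the filter shape the PR description and the second commit ("Unwrap array component types") refer to. It is not code from this PR or from the Broadleaf project: the class and method names (FilteredDeserializeExample, allowlistFilter, deserialize, tryDeserialize, NotAllowed) and the sample payloads are constructed for this example; only the package-prefix allowlist and the additionalAllowedPackages parameter name come from the PR. It shows why the array unwrapping matters: an empty NotAllowed[] never presents a NotAllowed element to the filter, so a prefix check on the raw array class name "[L...;" alone would pass it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class FilteredDeserializeExample {

    // Default allowlist of package prefixes, following the PR description
    // (standard Java packages plus org.broadleafcommerce).
    private static final List<String> DEFAULT_ALLOWED = List.of(
            "java.lang.", "java.util.", "java.io.", "java.math.", "java.time.", "java.net.",
            "org.broadleafcommerce.");

    // Builds an allowlist filter. Array classes are unwrapped to their component
    // type so that Evil[] is judged by Evil rather than by the name "[LEvil;".
    static ObjectInputFilter allowlistFilter(List<String> allowedPrefixes) {
        return info -> {
            Class<?> clazz = info.serialClass();
            if (clazz == null) {
                // Not a class check (depth/reference/size callbacks): leave to the defaults.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (clazz.isArray()) {
                clazz = clazz.getComponentType();
            }
            if (clazz.isPrimitive()) {
                return ObjectInputFilter.Status.ALLOWED; // int[], byte[] etc. carry no code
            }
            String name = clazz.getName();
            for (String prefix : allowedPrefixes) {
                if (name.startsWith(prefix)) {
                    return ObjectInputFilter.Status.ALLOWED;
                }
            }
            return ObjectInputFilter.Status.REJECTED;
        };
    }

    // Deserialize with the filter installed; additionalAllowedPackages may be null,
    // mirroring the backward-compatible default described in the PR.
    static Object deserialize(byte[] data, List<String> additionalAllowedPackages)
            throws IOException, ClassNotFoundException {
        List<String> allowed = new ArrayList<>(DEFAULT_ALLOWED);
        if (additionalAllowedPackages != null) {
            allowed.addAll(additionalAllowedPackages);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowlistFilter(allowed));
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Hypothetical serializable type outside the allowlist (constructed for this example).
    static class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Reports whether the filter accepted or rejected a payload.
    static String tryDeserialize(String label, byte[] data, List<String> extra) {
        try {
            Object o = deserialize(data, extra);
            return label + ": accepted (" + o.getClass().getName() + ")";
        } catch (InvalidClassException e) {
            return label + ": rejected (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return label + ": error (" + e + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample payloads: one allowed, two that the filter must reject.
        byte[] okPayload = serialize(new ArrayList<>(List.of("queue-entry")));
        byte[] badPayload = serialize(new NotAllowed());
        byte[] badArrayPayload = serialize(new NotAllowed[0]); // only the array class reaches the filter

        System.out.println(tryDeserialize("ArrayList<String>", okPayload, null));
        System.out.println(tryDeserialize("NotAllowed", badPayload, null));
        System.out.println(tryDeserialize("NotAllowed[]", badArrayPayload, null));
        // Opting in through the extra-packages parameter (the nested class lives under this example's name).
        System.out.println(tryDeserialize("NotAllowed (allowlisted)", badPayload,
                List.of("FilteredDeserializeExample")));
    }
}
```

Compile and run with javac/java on JDK 9 or later; the first and last lines report acceptance, while the NotAllowed and NotAllowed[] payloads are rejected by ObjectInputStream with an InvalidClassException as soon as the filter returns REJECTED, before any object is instantiated. Returning UNDECIDED for non-class callbacks keeps the JVM's global filter (jdk.serialFilter), if one is configured, in play for depth and size limits.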