From a5615ca59dee7252e2a1177f52b979cb53eb0301 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 22:35:36 +0000
Subject: [PATCH 1/2] Fix insecure deserialization in ZookeeperDistributedQueue (CWE-502)

Add ObjectInputFilter to restrict deserialization to known safe classes, preventing potential Remote Code Execution via untrusted data from Zookeeper. Only org.broadleafcommerce.**, java.lang.*, java.util.*, java.io.Serializable, java.math.*, and java.time.* classes are now permitted during deserialization.

Co-Authored-By: Arjun Mishra
---
 .../core/util/queue/ZookeeperDistributedQueue.java | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/core/broadleaf-framework/src/main/java/org/broadleafcommerce/core/util/queue/ZookeeperDistributedQueue.java b/core/broadleaf-framework/src/main/java/org/broadleafcommerce/core/util/queue/ZookeeperDistributedQueue.java
index 259089438f..3cce1c74b1 100644
--- a/core/broadleaf-framework/src/main/java/org/broadleafcommerce/core/util/queue/ZookeeperDistributedQueue.java
+++ b/core/broadleaf-framework/src/main/java/org/broadleafcommerce/core/util/queue/ZookeeperDistributedQueue.java
@@ -38,6 +38,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.ObjectInputFilter;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
@@ -79,6 +80,13 @@ public class ZookeeperDistributedQueue implements Distri
 private static final Log LOG = LogFactory.getLog(ZookeeperDistributedQueue.class);
 private static final String QUEUE_ENTRY_NAME = "dz-queue-entry";
 
+ /**
+ * Filter that restricts deserialization to known safe classes to prevent RCE via CWE-502.
+ */
+ private static final ObjectInputFilter DESERIALIZATION_FILTER = ObjectInputFilter.Config.createFilter(
+ "org.broadleafcommerce.**;java.lang.*;java.util.*;java.io.Serializable;java.math.*;java.time.*;!*"
+ );
+
 protected final Object QUEUE_MONITOR = new Object();
 private final String queueFolderPath;
 private final ZooKeeper zk;
@@ -832,6 +840,7 @@ protected Object deserialize(byte[] bytes) {
 ObjectInputStream ois = null;
 try {
 ois = new ObjectInputStream(bais);
+ ois.setObjectInputFilter(DESERIALIZATION_FILTER);
 return ois.readObject();
 } catch (IOException | ClassNotFoundException e) {
 throw new DistributedQueueException("Unable to deserialze an element from the Zookeeper queue.", e);

From 55a63a5daa7aadb8e857d9177a60b6aca4c1594e Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 22:39:59 +0000
Subject: [PATCH 2/2] Add org.apache.solr.** to deserialization allowlist

IncrementalUpdateCommand contains SolrInputDocument (org.apache.solr.common) which must be permitted during deserialization for distributed Solr index updates to function correctly.

Co-Authored-By: Arjun Mishra
---
 .../core/util/queue/ZookeeperDistributedQueue.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/broadleaf-framework/src/main/java/org/broadleafcommerce/core/util/queue/ZookeeperDistributedQueue.java b/core/broadleaf-framework/src/main/java/org/broadleafcommerce/core/util/queue/ZookeeperDistributedQueue.java
index 3cce1c74b1..2b8e545af2 100644
--- a/core/broadleaf-framework/src/main/java/org/broadleafcommerce/core/util/queue/ZookeeperDistributedQueue.java
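Review bot: The pattern passed to `createFilter` sets no resource limits, so a crafted znode payload can still exhaust heap or stack through an oversized array or a deeply nested object graph before any class check fires; prefix the pattern with limits sized to the largest legitimate queue entry, e.g. `"maxdepth=64;maxarray=100000;maxrefs=500000;maxbytes=10485760;org.broadleafcommerce.**;java.lang.*;java.util.*;java.math.*;java.time.*;!*"`. `org.broadleafcommerce.**` also admits every Serializable type in the entire codebase rather than the few payload types actually queued, so any gadget-like class added under that package later is accepted automatically — naming the concrete payload classes plus the collection types they carry is the allowlist a reviewer would expect. The `java.io.Serializable` entry appears to match nothing, since the stream carries class descriptors for concrete classes and not for interfaces; drop it or replace it with the class that was intended. The Javadoc should say that this is an allowlist terminated by `!*` and that it must be extended, with a round-trip test, whenever a new payload type is enqueued.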
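Review bot: A filter rejection surfaces on the `return ois.readObject();` line as an `InvalidClassException`, which the multi-catch below wraps into the same generic `DistributedQueueException` as a corrupt payload, so a gadget probe is indistinguishable in the logs from a serialization bug; catch it first and log the rejected class before rethrowing, e.g. `} catch (InvalidClassException e) { LOG.warn("Deserialization filter rejected class " + e.classname + " read from the Zookeeper queue"); throw new DistributedQueueException("Rejected an element from the Zookeeper queue.", e); }` (needs `java.io.InvalidClassException` imported). A rejected class coming out of the queue is a security signal worth alerting on, not a WARN to ignore. `setObjectInputFilter` exists only from Java 9, so this will not compile if the framework still builds for Java 8 — confirm the build's release level. The filter is per-stream; any other `ObjectInputStream` in the module remains unfiltered, so a process-wide `jdk.serialFilter` or `ObjectInputFilter.Config.setSerialFilter` is worth adding as defense in depth. `deserialize` starts and ends outside this hunk.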
+++ b/core/broadleaf-framework/src/main/java/org/broadleafcommerce/core/util/queue/ZookeeperDistributedQueue.java
@@ -84,7 +84,7 @@ public class ZookeeperDistributedQueue implements Distri
 * Filter that restricts deserialization to known safe classes to prevent RCE via CWE-502.
 */
 private static final ObjectInputFilter DESERIALIZATION_FILTER = ObjectInputFilter.Config.createFilter(
- "org.broadleafcommerce.**;java.lang.*;java.util.*;java.io.Serializable;java.math.*;java.time.*;!*"
+ "org.broadleafcommerce.**;org.apache.solr.**;java.lang.*;java.util.*;java.io.Serializable;java.math.*;java.time.*;!*"
 );
 
 protected final Object QUEUE_MONITOR = new Object();
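Review bot: `org.apache.solr.**` on the added line admits every Serializable class under the whole Solr client and server trees, far wider than the `SolrInputDocument` the commit message says is needed; narrow it to `org.apache.solr.common.*`, the package the message itself names, or better to the exact classes that a representative `IncrementalUpdateCommand` needs, discovered by round-tripping one through the filter in a test. An allowlist that is widened by a package wildcard each time a payload fails will converge on no allowlist at all, so the class-level list plus a test that fails on any unexpected class is the durable form. Whether additional classes beyond the document itself are required cannot be told from this hunk, which is exactly what such a test would settle.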