Introduced protections against deserialization attacks (#2)

alibaba · Dec 1, 2024 · 3ece3fb · 3ece3fb
1 parent fb68b7e
commit 3ece3fb
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/core/pom.xml b/core/pom.xml
@@ -162,5 +162,9 @@
             <groupId>org.springframework</groupId>
             <artifactId>spring-webmvc</artifactId>
         </dependency>
-    </dependencies>
+  <dependency>
+   <groupId>io.github.pixee</groupId>
+   <artifactId>java-security-toolkit</artifactId>
+  </dependency>
+ </dependencies>
 </project>
diff --git a/core/src/main/java/com/alibaba/nacos/core/cluster/Member.java b/core/src/main/java/com/alibaba/nacos/core/cluster/Member.java
@@ -20,6 +20,7 @@
 import com.alibaba.nacos.core.utils.Loggers;
 import com.alibaba.nacos.sys.env.EnvUtil;
 import com.alibaba.nacos.common.utils.StringUtils;
+import io.github.pixee.security.ObjectInputFilters;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -204,6 +205,7 @@ public Member copy() {
             // convert the input stream to member object
             ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
             ObjectInputStream ois = new ObjectInputStream(bais);
+            ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
             copy = (Member) ois.readObject();
         } catch (IOException | ClassNotFoundException e) {
             Loggers.CORE.warn("[Member copy] copy failed", e);

diff --git a/pom.xml b/pom.xml
@@ -155,6 +155,7 @@
         <spring.version>5.3.39</spring.version>
         <spring-security.version>5.8.15</spring-security.version>
         <tomcat.version>9.0.93</tomcat.version>
+        <versions.java-security-toolkit>1.2.0</versions.java-security-toolkit>
     </properties>
     <!-- == -->
     <!-- =========================================================Build plugins================================================ -->
@@ -1066,6 +1067,11 @@
                 <artifactId>snakeyaml</artifactId>
                 <version>${SnakeYaml.version}</version>
             </dependency>
+            <dependency>
+                <groupId>io.github.pixee</groupId>
+                <artifactId>java-security-toolkit</artifactId>
+                <version>${versions.java-security-toolkit}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>