-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support dependency isolation and/or conflicting versions #10
Comments
@frohoff Are you actively working on the option 2? |
I haven't been actively working on either but have been weighing the options. @mbechler was giving his thoughts on this over on #20 but perhaps we can move the discussion here. There's already some limited classloader isolation implemented as part of the unit test harness here that uses JBoss Shrinkwrap to resolve dependencies at runtime: I don't have much experience with Gradle. Presuming we went with Option 2, would Gradle provide advantages over Maven's multi-module and aggregator support? In addition to the already discussed concerns/trade-offs, conflicting dependency versions also present a packaging issue since two versions of the same jars/classes can't be simply shaded into the same "all" jar. It seems like this can be addressed by either:
|
@frohoff Quick response to the Gradle interrogation. The use of Gradle of would be analog to a Maven project for submodule. I would push Gradle because it would make build configuration smaller and simpler to understand. The "scripting" capabilities will help greatly handling the custom packaging (lib isolation, etc). |
Not sure, how the maven/gradle option would work, but ideally users should not specify special goals to generate the payloads. The reflection way seems better to me if we can define which jars should be loaded in runtime for a particular gadget, although that may involve heavy use of Reflection to operate the loaded classes |
It looks to me that we are facing three kinds of incompatibilities:
So in conclusion,
|
Would another alternative be to create the serialization data manually instead of using
The main disadvantage is that manually creating the serialization data could be more error-prone and verbose. One approach could be to obtain the current serialization data produced by ysoserial, pass it to a tool such as SerializationDumper and then based on its output manually use a library for creating the serialization data1. It looks also like 1 A bit of self advertisement, but I recently created a library called 'serial-builder' for creating serialization data. Though it is not unlikely that there are better or less verbose libraries out there. Edit: I added code generation support to my 'serial-builder' library so it should hopefully be a lot easier to use and to get started with, in case there is interest in using it here. Any feedback is appreciated! |
@Marcono1234 I also implemented a custom serializer a while ago https://github.com/mb-syss/ruby-serialize, unfortunately in ruby (as the original intention was to contribute this to metasploit, which did not work out) that also already contains property based defintions for most of the ysoserial payloads. Maybe that is of some help in case you want to go further. |
For testing Gradle supports Test Suites which can have different dependencies. So this would allow to have multiple test suites with different versions of the same dependency. But I am not sure if that would provide a big advantage compared to the Maven multi-module approach described in the comments above, since the test classes might also differ between the modules. |
Project should be refactored to allow gadgets/chains to be generated (and unit tested) with only exactly the exact required dependencies and versions, even in cases where two different gadgets/chains require a different version of the same library (See #16). This should also reduce the likelihood of unintended classes or dependencies accidentally leaking into the payloads.
The already included jboss shrinkwrap should suffice for runtime dependency management. Make sure dependencies for gadget chains can still be bundled in the jar somehow.
It is also a goal to keep the project build and code as simple as possible for people to contribute gadgets/chains.
Option 1: Reflection
Write or use a reflection DSL that can be used by payload generation code that can use gadget classes dynamically instead of using statically linked code.
Something like jOOR might be useful for reflection.
Pros: Simple build process
Cons: Convoluted reflection-based payload generation code
Option 2: Maven/Build Voodoo
Split up project into multi-module with aggregator project to generate all-in-one jar. Gadgets/chains can go into an arbitrary number of separate sub-projects according to any dependency version conflicts.
Pros: Simple, statically linked payload generation code
Cons: Convoluted, splintered build process
The text was updated successfully, but these errors were encountered: