Support custom black list. (#33)
leizhiyuan authored and ujjboy committed Jan 22, 2019
1 parent 2ca7730 commit eede7e0
Showing 6 changed files with 143 additions and 95 deletions.
2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -4,7 +4,7 @@

<groupId>com.alipay.sofa</groupId>
<artifactId>hessian</artifactId>
<version>4.0.1</version>
<version>4.0.2</version>
<packaging>jar</packaging>

<name>${project.groupId}:${project.artifactId}</name>
25 changes: 0 additions & 25 deletions src/main/java/com/alipay/hessian/Version401.java

This file was deleted.

Expand Up @@ -18,8 +18,10 @@

import com.alipay.hessian.NameBlackListFilter;

import java.util.Arrays;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Scanner;

/**
* 内置黑名单列表过滤器
Expand All @@ -28,74 +30,12 @@
*/
public class InternalNameBlackListFilter extends NameBlackListFilter {

static final List<String> INTERNAL_BLACK_LIST = Arrays
.asList(
"org.codehaus.groovy.runtime.MethodClosure",
"clojure.core$constantly",
"clojure.main$eval_opt",
"com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactory",
"com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactoryImpl",
"com.alibaba.citrus.springext.util.SpringExtUtil.AbstractProxy",
"com.alipay.custrelation.service.model.redress.Pair",
"com.caucho.hessian.test.TestCons",
"com.mchange.v2.c3p0.JndiRefForwardingDataSource",
"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
"com.rometools.rome.feed.impl.EqualsBean",
"com.rometools.rome.feed.impl.ToStringBean",
"com.sun.jndi.rmi.registry.BindingEnumeration",
"com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl",
"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
"com.sun.rowset.JdbcRowSetImpl",
"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data",
"java.rmi.server.UnicastRemoteObject",
"java.security.SignedObject",
"java.util.ServiceLoader$LazyIterator",
"javax.imageio.ImageIO$ContainsFilter",
"javax.imageio.spi.ServiceRegistry",
"javax.management.BadAttributeValueExpException",
"javax.naming.InitialContext",
"javax.naming.spi.ObjectFactory",
"javax.script.ScriptEngineManager",
"javax.sound.sampled.AudioFormat$Encoding",
"org.apache.carbondata.core.scan.expression.ExpressionResult",
"org.apache.commons.dbcp.datasources.SharedPoolDataSource",
"org.apache.ibatis.executor.loader.AbstractSerialStateHolder",
"org.apache.ibatis.executor.loader.CglibSerialStateHolder",
"org.apache.ibatis.executor.loader.JavassistSerialStateHolder",
"org.apache.ibatis.executor.loader.cglib.CglibProxyFactory",
"org.apache.ibatis.executor.loader.javassist.JavassistSerialStateHolder",
"org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource",
"org.apache.wicket.util.upload.DiskFileItem",
"org.apache.xalan.xsltc.trax.TemplatesImpl",
"org.apache.xbean.naming.context.ContextUtil$ReadOnlyBinding",
"org.apache.xpath.XPathContext",
"org.eclipse.jetty.util.log.LoggerLog",
"org.geotools.filter.ConstantExpression",
"org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder",
"org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor",
"org.springframework.beans.factory.BeanFactory",
"org.springframework.beans.factory.config.PropertyPathFactoryBean",
"org.springframework.beans.factory.support.DefaultListableBeanFactory",
"org.springframework.jndi.support.SimpleJndiBeanFactory",
"org.springframework.orm.jpa.AbstractEntityManagerFactoryBean",
"org.springframework.transaction.jta.JtaTransactionManager",
"org.yaml.snakeyaml.tokens.DirectiveToken",
"sun.rmi.server.UnicastRef",
"javax.management.ImmutableDescriptor",
"org.springframework.jndi.JndiObjectTargetSource",
"ch.qos.logback.core.db.JNDIConnectionSource",
"java.beans.Expression",
"javassist.bytecode",
"org.apache.ibatis.javassist.bytecode",
"org.springframework.beans.factory.config.MethodInvokingFactoryBean",
"com.alibaba.druid.pool.DruidDataSource",
"com.sun.org.apache.bcel.internal.util.ClassLoader",
"com.alibaba.druid.stat.JdbcDataSourceStat",
"org.apache.tomcat.dbcp.dbcp.BasicDataSource",
"com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput",
"javassist.tools.web.Viewer",
"net.bytebuddy.dynamic.loading.ByteArrayClassLoader",
"org.apache.commons.beanutils.BeanMap");
private static final String DEFAULT_BLACK_LIST = "security/serialize.blacklist";

private static final String blackListFile = System
.getProperty("serialize.blacklist.file", DEFAULT_BLACK_LIST);

static final List<String> INTERNAL_BLACK_LIST = readBlackList(blackListFile);

/**
* 构造函数
Expand All @@ -112,4 +52,55 @@ public InternalNameBlackListFilter() {
public InternalNameBlackListFilter(int maxCacheSize) {
super(INTERNAL_BLACK_LIST, maxCacheSize);
}

static List<String> readBlackList(String blackListFile) {

List<String> result = new ArrayList<String>();
//Get file from resources folder
ClassLoader classLoader;

if (blackListFile.equals(DEFAULT_BLACK_LIST)) {
classLoader = InternalNameBlackListFilter.class.getClassLoader();
} else {
classLoader = Thread.currentThread().getContextClassLoader();
}
final InputStream inputStream = classLoader.getResourceAsStream(blackListFile);
if (inputStream != null) {
Scanner scanner = null;
try {
scanner = new Scanner(inputStream);
while (scanner.hasNextLine()) {
final String nextLine = scanner.nextLine();
if (!isBlank(nextLine)) {
result.add(nextLine);
}
}
} catch (Exception e) {
//ignore
} finally {
if (scanner != null) {
scanner.close();
}
}
//不存在使用内置的
} else {
result = readBlackList(DEFAULT_BLACK_LIST);
}

return result;
}

//is blank
static boolean isBlank(String cs) {
int strLen;
if (cs == null || (strLen = cs.length()) == 0) {
return true;
}
for (int i = 0; i < strLen; i++) {
if (!Character.isWhitespace(cs.charAt(i))) {
return false;
}
}
return true;
}
}
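Review bot: `readBlackList` falls back by calling itself with `DEFAULT_BLACK_LIST` in the `else` branch, but when the bundled `security/serialize.blacklist` is itself absent (a shaded or relocated jar that drops resources, for instance) the recursive call takes the same null branch again and the static initialiser of `INTERNAL_BLACK_LIST` ends in a StackOverflowError. The same method returns an empty list when a custom file exists but is empty or throws mid-read (the `catch (Exception e) { //ignore }`), which silently disables the filter; a deserialization blacklist should fail closed rather than open. Entries are also stored untrimmed, so trailing whitespace in a user-supplied line makes that entry never match, and `new Scanner(inputStream)` decodes with the platform charset. Guarding the fallback on the file name, failing hard when even the bundled list is missing, `nextLine().trim()` and an explicit charset cover all of these. It is also worth stating in the class Javadoc that a custom `serialize.blacklist.file` replaces the bundled list rather than extending it, so operators know to copy the built-in entries.
```java
static List<String> readBlackList(String blackListFile) {
    List<String> result = new ArrayList<String>();
    // … unchanged: class loader selection …
    final InputStream inputStream = classLoader.getResourceAsStream(blackListFile);
    if (inputStream == null) {
        // Fall back to the bundled list exactly once; if that is missing too,
        // fail closed instead of recursing until the stack overflows.
        if (!DEFAULT_BLACK_LIST.equals(blackListFile)) {
            return readBlackList(DEFAULT_BLACK_LIST);
        }
        throw new IllegalStateException("serialize black list resource not found: " + blackListFile);
    }
    Scanner scanner = null;
    try {
        scanner = new Scanner(inputStream, "UTF-8");
        while (scanner.hasNextLine()) {
            final String nextLine = scanner.nextLine().trim();
            if (!isBlank(nextLine)) {
                result.add(nextLine);
            }
        }
    } finally {
        // … unchanged: close scanner …
    }
    return result;
}
```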
66 changes: 66 additions & 0 deletions src/main/resources/security/serialize.blacklist
@@ -0,0 +1,66 @@
org.codehaus.groovy.runtime.MethodClosure
clojure.core$constantly
clojure.main$eval_opt
com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactory
com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactoryImpl
com.alibaba.citrus.springext.util.SpringExtUtil.AbstractProxy
com.alipay.custrelation.service.model.redress.Pair
com.caucho.hessian.test.TestCons
com.mchange.v2.c3p0.JndiRefForwardingDataSource
com.mchange.v2.c3p0.WrapperConnectionPoolDataSource
com.rometools.rome.feed.impl.EqualsBean
com.rometools.rome.feed.impl.ToStringBean
com.sun.jndi.rmi.registry.BindingEnumeration
com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
com.sun.rowset.JdbcRowSetImpl
com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data
java.rmi.server.UnicastRemoteObject
java.security.SignedObject
java.util.ServiceLoader$LazyIterator
javax.imageio.ImageIO$ContainsFilter
javax.imageio.spi.ServiceRegistry
javax.management.BadAttributeValueExpException
javax.naming.InitialContext
javax.naming.spi.ObjectFactory
javax.script.ScriptEngineManager
javax.sound.sampled.AudioFormat$Encoding
org.apache.carbondata.core.scan.expression.ExpressionResult
org.apache.commons.dbcp.datasources.SharedPoolDataSource
org.apache.ibatis.executor.loader.AbstractSerialStateHolder
org.apache.ibatis.executor.loader.CglibSerialStateHolder
org.apache.ibatis.executor.loader.JavassistSerialStateHolder
org.apache.ibatis.executor.loader.cglib.CglibProxyFactory
org.apache.ibatis.executor.loader.javassist.JavassistSerialStateHolder
org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource
org.apache.wicket.util.upload.DiskFileItem
org.apache.xalan.xsltc.trax.TemplatesImpl
org.apache.xbean.naming.context.ContextUtil$ReadOnlyBinding
org.apache.xpath.XPathContext
org.eclipse.jetty.util.log.LoggerLog
org.geotools.filter.ConstantExpression
org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder
org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor
org.springframework.beans.factory.BeanFactory
org.springframework.beans.factory.config.PropertyPathFactoryBean
org.springframework.beans.factory.support.DefaultListableBeanFactory
org.springframework.jndi.support.SimpleJndiBeanFactory
org.springframework.orm.jpa.AbstractEntityManagerFactoryBean
org.springframework.transaction.jta.JtaTransactionManager
org.yaml.snakeyaml.tokens.DirectiveToken
sun.rmi.server.UnicastRef
javax.management.ImmutableDescriptor
org.springframework.jndi.JndiObjectTargetSource
ch.qos.logback.core.db.JNDIConnectionSource
java.beans.Expression
javassist.bytecode
org.apache.ibatis.javassist.bytecode
org.springframework.beans.factory.config.MethodInvokingFactoryBean
com.alibaba.druid.pool.DruidDataSource
com.sun.org.apache.bcel.internal.util.ClassLoader
com.alibaba.druid.stat.JdbcDataSourceStat
org.apache.tomcat.dbcp.dbcp.BasicDataSource
com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput
javassist.tools.web.Viewer
net.bytebuddy.dynamic.loading.ByteArrayClassLoader
org.apache.commons.beanutils.BeanMap
Expand Up @@ -19,6 +19,8 @@
import org.junit.Assert;
import org.junit.Test;

import java.util.List;

/**
* Created by zhanggeng on 2017/8/5.
*
Expand Down Expand Up @@ -47,4 +49,15 @@ public void testAll() {
Assert.assertTrue(pass);
Assert.assertEquals(className, "com.alipay.xx");
}

@Test
public void readBlackList() {

InternalNameBlackListFilter filter = new InternalNameBlackListFilter(3);
List<String> result = filter.readBlackList("test.blacklist");
Assert.assertEquals(2, result.size());
Assert.assertEquals("aa", result.get(0));
Assert.assertEquals("bb", result.get(1));

}
}
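Review bot: The new test invokes the static `readBlackList` through an instance (`filter.readBlackList("test.blacklist")`), which is legal but misleading since the constructed filter plays no part in the assertion; `InternalNameBlackListFilter.readBlackList("test.blacklist")` says what is actually under test. The test also covers only the happy path of a custom resource: nothing checks that the bundled `security/serialize.blacklist` really loads (an empty `INTERNAL_BLACK_LIST` would disable the filter without any test noticing) or that a missing custom file falls back to it. An assertion such as `Assert.assertFalse(InternalNameBlackListFilter.INTERNAL_BLACK_LIST.isEmpty());` would catch the first, assuming the test class lives in the same package as the filter, since that field is package-private.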
3 changes: 3 additions & 0 deletions src/test/resources/test.blacklist
@@ -0,0 +1,3 @@
aa

bb
