Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IOException will be thrown if the data type is java.time.LocalTime #1449

Open
xiaowang-edu opened this issue Sep 25, 2024 · 4 comments
Open

Comments

@xiaowang-edu
Copy link

xiaowang-edu commented Sep 25, 2024

Your question

When the data type is 'java.time.LocalTime', 'com.caucho.hessian.io.java8.LocalTimeHandle' will be blacklisted and then throw an IOException. Do I need to customize the parsing for Java 8 time types?

image

image

Your scenes

Because there are many entity types in my project that use java.time.LocalTime, but looking at the source code for com.alipay.sofa:hession, there is also serialization and parsing of Java 8. I don't understand why it has to be added to the blacklist again.
I really hope I can get your help, thank you.

Your advice

I hope to be able to use the serialization parser of Java 8 type that comes with com.alipay.sofa:hession.

Environment

  • SOFARPC version:5.12.0
  • JVM version:1.8
  • OS version:Windows10
  • Maven version:3.8.8
  • IDE version:2020.1.4
  • protocols:bolt + hessian2
@xiaowang-edu xiaowang-edu changed the title java.time.LocalTime IOException will be thrown if the data type is java.time.LocalTime Sep 25, 2024
@Jiiiiiin
Copy link

Jiiiiiin commented Oct 9, 2024

com.alipay.sofa.rpc.core.exception.SofaRpcException: com.alipay.remoting.exception.SerializationException: java.io.IOException: Class com.caucho.hessian.io.java8.LocalDateHandle is in blacklist. 
	at com.alipay.sofa.rpc.transport.bolt.BoltClientTransport.convertToRpcException(BoltClientTransport.java:344)
	at com.alipay.sofa.rpc.transport.bolt.BoltClientTransport.syncSend(BoltClientTransport.java:259)
	at com.alipay.sofa.rpc.client.AbstractCluster.doSendMsg(AbstractCluster.java:613)
	at com.alipay.sofa.rpc.client.AbstractCluster.sendMsg(AbstractCluster.java:584)
	at com.alipay.sofa.rpc.filter.ConsumerInvoker.invoke(ConsumerInvoker.java:63)
	at com.alipay.sofa.rpc.filter.ConsumerCustomHeaderFilter.invoke(ConsumerCustomHeaderFilter.java:47)
	at com.alipay.sofa.rpc.filter.FilterInvoker.invoke(FilterInvoker.java:100)
	at com.alipay.sofa.rpc.filter.PressureMarkTransformFilter.invoke(PressureMarkTransformFilter.java:63)
	at com.alipay.sofa.rpc.filter.FilterInvoker.invoke(FilterInvoker.java:100)
	at io.opentelemetry.javaagent.instrumentation.sofarpc.SofaRpcServerFilter.invoke(SofaRpcServerFilter.java:44)
	at io.opentelemetry.javaagent.instrumentation.sofarpc.OpenTelemetryFilter.invoke(OpenTelemetryFilter.java:28)
	at com.alipay.sofa.rpc.filter.FilterInvoker.invoke(FilterInvoker.java:100)
...

Caused by: java.io.IOException: Class com.caucho.hessian.io.java8.LocalDateHandle is in blacklist. 
	at com.alipay.hessian.NameBlackListFilter.resolve(NameBlackListFilter.java:158)
	at com.alipay.hessian.ClassNameResolver.resolve(ClassNameResolver.java:99)
	at com.caucho.hessian.io.SerializerFactory.getSerializer(SerializerFactory.java:190)
	... 130 common frames omitted

相同问题:

SOFARPC version:5.13.1
JVM version:1.8

能否指导一下如何“本地配置自定义blacklist” 给予上游同步一些准备时间;

@nobodyiam
Copy link
Member

It appears that there is overridden logic you may use.

public static List<String> loadBlackListFile(String path) {
List<String> blackPrefixList = new ArrayList<>();
InputStream input = null;
try {
input = BlackAndWhiteListFileLoader.class.getResourceAsStream(path);
if (input != null) {
readToList(input, "UTF-8", blackPrefixList);
}
String overStr = SofaConfigs.getOrCustomDefault(SERIALIZE_BLACKLIST_OVERRIDE, "");
if (StringUtils.isNotBlank(overStr)) {
if (LOGGER.isInfoEnabled()) {
LOGGER.info("Serialize blacklist will override with configuration: {}", overStr);
}
overrideBlackList(blackPrefixList, overStr);
}
} catch (Exception e) {
if (LOGGER.isErrorEnabled()) {
LOGGER.error(e.getMessage(), e);
}
} finally {
closeQuietly(input);
}
return blackPrefixList;
}

@Jiiiiiin
Copy link

@nobodyiam 谢谢老师
原来作者已经给出方法:

    @Test
    public void overrideBlackList() {
        List<String> origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "-*");
        Assert.assertTrue(origin.size() == 0);
        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "!*");
        Assert.assertTrue(origin.size() == 0);
        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "-default");
        Assert.assertTrue(origin.size() == 0);
        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "!default");
        Assert.assertTrue(origin.size() == 0);

        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "-*,-com.xxx");
        Assert.assertTrue(origin.size() == 0);

        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "aaa,-*,-com.xxx");
        Assert.assertTrue(origin.size() == 1);
        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "-*,aaa");
        Assert.assertTrue(origin.size() == 1);

        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "-com.xxx");
        Assert.assertTrue(origin.size() == 2);

        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "-com.xxx,-com.yyy");
        Assert.assertTrue(origin.size() == 1);

        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "com.xxx,-com.yyy");
        Assert.assertTrue(origin.size() == 2);
        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "com.aaa,-com.yyy");
        // ...
}

@Jiiiiiin
Copy link

Jiiiiiin commented Oct 13, 2024

@nobodyiam 老师看到关联项目一直有在做安全相关处理,支持只定义也在其中,Fix hessian sec issue for 4 #33 ,但又一下几个问题请教:

  • 关联项目 sofa-hessian 本来就是对 hessian的一种扩展,为何黑名单直接包含了其 gourp-id?我看上面这个 fix 最开始仅仅把 com.caucho.hessian.test.TestCons 列入其内,背后的逻辑描述是:增加序列化黑名单(来自蚂蚁金服安全团队)
    不知道哪里能查询到具体的安全风险点?然后下游应用才好针对性的进行自评,否则一个漏洞风险,或者一个隐势(非编译器报错)的生产环境报错,可能整个应用技术栈就被质疑。
image 也就是风险相关虽然可以检索收集,但是如果官方(不单单是 rpc 而是整个 sofa-boot)有一个明细就更好了

不好意思看到了:https://github.com/sofastack/sofa-rpc/security

另外补充几个:

  1. CVE-2023-3635
  2. CVE-2024-9622

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants