Harden ObjectArrayMessage deserialization with SerializationUtil.assertFiltered #4098
Open
SunWeb3Sec wants to merge 1 commit into apache:2.x from
Conversation
…rtFiltered

Adds a SerializationUtil.assertFiltered(in) call at the top of ObjectArrayMessage#readObject, bringing it in line with the defensive pattern already used by ObjectMessage and ParameterizedMessage. This is a defense-in-depth / consistency fix; the serialized wire format is unchanged so instances produced by older versions continue to round-trip.

Signed-off-by: SunWeb3Sec <infosecpt@gmail.com>
Harden ObjectArrayMessage.readObject() with SerializationUtil.assertFiltered()

Summary

Adds a single SerializationUtil.assertFiltered(in) call at the top of ObjectArrayMessage.readObject(), bringing it in line with the defensive pattern already used by ObjectMessage and ParameterizedMessage.

Change

log4j-api/.../message/ObjectArrayMessage.java

Before

After

Plus the corresponding import org.apache.logging.log4j.util.internal.SerializationUtil;.

What this PR deliberately does not do

- ObjectArrayMessage instances produced by older versions still deserialize into a patched version, and vice versa.
- LocalizedMessage or FormattedMessage. They have similar gaps, but the Log4j security team scoped this request to ObjectArrayMessage only. Happy to submit follow-up PRs for those if desired.
- LocalizedMessageTest#testSerialization*, FormattedMessageTest#testSerialization) that use plain ObjectInputStream, because those classes are untouched.

Tests

Added a minimal round-trip test (ObjectArrayMessageTest#testSerializableRoundTripThroughFilteredStream) that serializes and deserializes through SerialUtil, which uses FilteredObjectInputStream on Java 8 — verifying the new assertFiltered() call accepts filtered streams.

Behavioral note

On Java 8, deserializing an ObjectArrayMessage through a plain ObjectInputStream (no JEP 290 filter) now throws IllegalArgumentException instead of silently proceeding. This matches the existing behavior of ObjectMessage and ParameterizedMessage. Callers that relied on unfiltered deserialization of ObjectArrayMessage should wrap their streams in FilteredObjectInputStream, matching the project's guidance for the sibling message types.

On Java 9+, the behavior is unchanged — assertFiltered() is a no-op when a JVM-level ObjectInputFilter is active, and a warning otherwise.

Checklist

- ObjectArrayMessage)
- src/changelog/.2.x.x/harden_message_deserialization.xml (type changed)

References

- ObjectMessage#readObject
- ParameterizedMessage#readObject

Thanks to the Log4j security team for the clear triage.
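The guard described in this PR, as an added stand-alone Java example that is not code from the Log4j project or from the PR: a Serializable message whose readObject refuses any stream that carries no deserialization filter, exercised once through a filtered stream (round-trips) and once through a plain ObjectInputStream (rejected with IllegalArgumentException, as the behavioral note describes). AllowListObjectInputStream, the local assertFiltered and ArrayMessage are hypothetical stand-ins for FilteredObjectInputStream, SerializationUtil.assertFiltered and ObjectArrayMessage, and the demo assumes the Java 9+ ObjectInputFilter API rather than the Java 8 instanceof check.

```java
import java.io.*;
public final class FilteredReadObjectDemo {
    // Stand-in for FilteredObjectInputStream (hypothetical): a stream that always carries an
    // allow-list filter. Uses the Java 9+ ObjectInputFilter API; the list is a constructed sample.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
            setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "FilteredReadObjectDemo*;java.**;!*"));
        }
    }
    // Stand-in for SerializationUtil.assertFiltered (hypothetical): refuse unfiltered streams.
    static void assertFiltered(ObjectInputStream in) {
        if (in.getObjectInputFilter() == null) {
            throw new IllegalArgumentException("Deserialization requires an ObjectInputFilter");
        }
    }
    // Stand-in for ObjectArrayMessage: the guard runs before any field is read from the stream.
    static final class ArrayMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Object[] params;
        ArrayMessage(Object... params) { this.params = params; }
        Object[] getParameters() { return params; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            assertFiltered(in);      // the single line this PR adds to readObject()
            in.defaultReadObject();  // unchanged wire format: older instances still round-trip
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new ArrayMessage("user", 42));   // constructed sample message
        // Filtered stream: assertFiltered passes and the message round-trips.
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            ArrayMessage m = (ArrayMessage) in.readObject();
            System.out.println("filtered stream: round-tripped " + m.getParameters().length + " params");
        }
        // Plain stream (no filter): readObject throws before any field is deserialized.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.readObject();
        } catch (IllegalArgumentException e) {
            System.out.println("plain stream: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Because a RuntimeException thrown inside a private readObject propagates out of ObjectInputStream.readObject() unwrapped, the caller sees the IllegalArgumentException directly, which is the same observable change the PR notes for Java 8 callers.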