fix: Mitigate unsafe Java deserialization (CWE-502) (#2513)

---------

Co-authored-by: Brendan Walsh <37676373+BrendanWalsh@users.noreply.github.com>

Author: ranadeepsingh

.agents/skills/code-review/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: code-review
-description: Quick review checklist for python and scala code changes before callings it done. 
+description: Quick review checklist for python and scala code changes before callings it done.
 ---
 
 # Code Review
@@ -13,4 +13,67 @@ Use this skill when reviewing SynapseML changes.
 2. Run Scala style: `sbt scalastyle test:scalastyle`
 3. Run Python format check: `black --check --extend-exclude 'docs/' .`
 4. Run targeted tests for touched code.
-5. Report only concrete issues with file paths and fixes.
+5. Apply the checklists below to every changed file.
+6. Report only concrete issues with file paths and fixes.
+
+## Security Checklist
+
+Apply when changes touch serialization, I/O, network, or authentication code.
+
+### Deserialization (CWE-502)
+- [ ] No raw `ObjectInputStream.readObject()` — use `SafeObjectInputStream` with an allowlist
+- [ ] `resolveClass` allowlist validates array component types — never allowlist the `[` prefix
+      directly; array handling must extract and validate the component class name
+- [ ] `resolveProxyClass` is overridden to block or validate dynamic proxy interfaces
+- [ ] Allowlist uses package-prefix matching, not blocklisting
+- [ ] Allowlist presets contain no catch-all entries that bypass the filtering logic
+
+### Input Validation
+- [ ] File paths, URLs, and user-supplied strings are validated before use
+- [ ] No unsanitized string interpolation into SQL, shell commands, or config
+
+### Resource Management
+- [ ] Streams, connections, and closeable resources use `using()` or `try-finally`
+- [ ] Cleanup runs even when assertions or exceptions are thrown (especially in tests)
+
+### Secrets & Credentials
+- [ ] No hardcoded secrets, tokens, or passwords in source or test code
+- [ ] Credentials loaded from environment variables or secure config only
+
+## API Compatibility Checklist
+
+Apply when changes modify public classes, traits, or companion objects.
+
+### Binary Compatibility (JVM)
+- [ ] No method signature changes on existing public methods (default parameters
+      generate synthetic bridges — use explicit overloads instead)
+- [ ] No removed or renamed public classes, traits, or objects
+- [ ] Companion object `extends DefaultParamsReadable[T]` preserved if it existed
+
+### Source Compatibility
+- [ ] New parameters have defaults so existing callers compile unchanged
+- [ ] No narrowed return types or widened parameter types on public methods
+- [ ] Import changes don't break wildcard imports in downstream code
+
+## Scala Checklist
+
+- [ ] License header present (enforced by scalastyle)
+- [ ] `Wrappable` trait mixed in if the class needs a Python wrapper
+- [ ] `SynapseMLLogging` trait mixed in; `logClass()` called in constructor
+- [ ] No wildcard imports where explicit imports suffice (`java.io._` → named imports)
+- [ ] No RDD API usage — DataFrame/Dataset only
+- [ ] Lines ≤ 120 chars, files ≤ 800 lines
+
+## Python Checklist
+
+- [ ] License header present
+- [ ] Formatted with `black==22.3.0`
+- [ ] No edits to files under `target/` (auto-generated)
+- [ ] Hand-written overrides in `src/main/python/` extend the generated `_ClassName`
+
+## Test Checklist
+
+- [ ] New functionality has corresponding tests
+- [ ] Tests use `using()` for resource cleanup (no bare `.close()` after assertions)
+- [ ] Negative tests verify rejection/error cases, not just happy paths
+- [ ] No test-only dependencies leaked into main scope

core/src/main/scala/com/microsoft/azure/synapse/ml/core/utils/SafeObjectInputStream.scala

@@ -0,0 +1,95 @@
+// Copyright (C) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See LICENSE in project root for information.
+
+package com.microsoft.azure.synapse.ml.core.utils
+
+import java.io.{InputStream, InvalidClassException, ObjectStreamClass}
+
+/** An ObjectInputStream that restricts deserialization to an allowlist of class name prefixes.
+  *
+  * This mitigates Java deserialization attacks (CWE-502) by rejecting any class
+  * whose fully-qualified name does not start with one of the allowed prefixes.
+  * It also inherits the context-classloader resolution from [[ContextObjectInputStream]].
+  *
+  * @param input            the underlying input stream
+  * @param allowedPrefixes  set of class name prefixes that are permitted for deserialization
+  */
+class SafeObjectInputStream(
+    input: InputStream,
+    allowedPrefixes: Set[String]
+) extends ContextObjectInputStream(input) {
+
+  /** Extracts the component type name from a JVM array descriptor.
+    * Primitive arrays (e.g. `[I`, `[D`) return None since they are always safe.
+    * Object arrays (e.g. `[Lcom.example.Foo;`) return the fully-qualified class name.
+    * Multi-dimensional arrays are unwrapped recursively (e.g. `[[Ljava.lang.String;`).
+    */
+  private def extractArrayComponentName(className: String): Option[String] = {
+    val stripped = className.dropWhile(_ == '[')
+    if (stripped.startsWith("L") && stripped.endsWith(";")) {
+      Some(stripped.substring(1, stripped.length - 1))
+    } else {
+      None // primitive array (B, C, D, F, I, J, S, Z)
+    }
+  }
+
+  private def isAllowed(className: String): Boolean = {
+    allowedPrefixes.exists(prefix => className.startsWith(prefix))
+  }
+
+  protected override def resolveClass(desc: ObjectStreamClass): Class[_] = {
+    val className = desc.getName
+    val allowed = if (className.startsWith("[")) {
+      extractArrayComponentName(className) match {
+        case Some(componentName) => isAllowed(componentName)
+        case None => true // primitive arrays are always safe
+      }
+    } else {
+      isAllowed(className)
+    }
+
+    if (!allowed) {
+      throw new InvalidClassException(
+        className,
+        "Deserialization of this class is not allowed. " +
+          "Only classes with approved package prefixes may be deserialized."
+      )
+    }
+    super.resolveClass(desc)
+  }
+
+  /** Rejects dynamic proxy deserialization unless every interface is allowlisted.
+    *
+    * Dynamic proxies are a known deserialization attack vector (e.g. via
+    * `java.lang.reflect.Proxy` with malicious `InvocationHandler` chains).
+    * SynapseML model serialization does not use proxies, so this rejects
+    * them by default while still validating interface names for safety.
+    */
+  protected override def resolveProxyClass(interfaces: Array[String]): Class[_] = {
+    val disallowed = interfaces.filterNot(isAllowed)
+    if (disallowed.nonEmpty) {
+      throw new InvalidClassException(
+        disallowed.mkString(", "),
+        "Deserialization of dynamic proxy is not allowed. " +
+          "Proxy interface(s) not in the approved allowlist."
+      )
+    }
+    super.resolveProxyClass(interfaces)
+  }
+}
+
+object SafeObjectInputStream {
+
+  /** Default allowlist suitable for deserializing SynapseML nn package objects
+    * (BallTree, ConditionalBallTree, and their object graphs).
+    */
+  val DefaultNNAllowedPrefixes: Set[String] = Set(
+    "com.microsoft.azure.synapse.ml.nn.",
+    "breeze.",
+    "scala.",
+    "java.lang.",
+    "java.util.",
+    "java.io.",
+    "java.math."
+  )
+}

core/src/main/scala/com/microsoft/azure/synapse/ml/nn/BallTree.scala

@@ -6,7 +6,9 @@ package com.microsoft.azure.synapse.ml.nn
 import breeze.linalg.{DenseVector, norm, _}
 import com.microsoft.azure.synapse.ml.core.env.StreamUtilities.using
 
-import java.io._
+import com.microsoft.azure.synapse.ml.core.utils.SafeObjectInputStream
+
+import java.io.{FileInputStream, FileOutputStream, ObjectOutputStream, Serializable}
 import scala.collection.JavaConverters._
 
 private case class Query(point: DenseVector[Double],
@@ -170,8 +172,14 @@ object ConditionalBallTree {
   }
 
   def load[L, V](filename: String): ConditionalBallTree[L, V] = {
+    load(filename, SafeObjectInputStream.DefaultNNAllowedPrefixes)
+  }
+
+  def load[L, V](filename: String,
+                 allowedPrefixes: Set[String]
+                ): ConditionalBallTree[L, V] = {
     using(new FileInputStream(filename)) { fileIn =>
-      using(new ObjectInputStream(fileIn)) { in =>
+      using(new SafeObjectInputStream(fileIn, allowedPrefixes)) { in =>
         in.readObject().asInstanceOf[ConditionalBallTree[L, V]]
       }
     }.get.get

core/src/test/scala/com/microsoft/azure/synapse/ml/nn/VerifySchemas.scala

@@ -6,7 +6,10 @@ package com.microsoft.azure.synapse.ml.nn
 import breeze.linalg.DenseVector
 import com.microsoft.azure.synapse.ml.core.test.base.TestBase
 
-import java.io.{ByteArrayInputStream, ByteArrayOutputStream, ObjectInputStream, ObjectOutputStream}
+import com.microsoft.azure.synapse.ml.core.env.StreamUtilities.using
+import com.microsoft.azure.synapse.ml.core.utils.SafeObjectInputStream
+
+import java.io.{ByteArrayInputStream, ByteArrayOutputStream, ObjectOutputStream}
 
 class VerifySchemas extends TestBase {
 
@@ -52,17 +55,97 @@ class VerifySchemas extends TestBase {
   test("BestMatch is serializable") {
     val bm = BestMatch(7, 2.5)
     val baos = new ByteArrayOutputStream()
-    val oos = new ObjectOutputStream(baos)
-    oos.writeObject(bm)
-    oos.close()
+    using(new ObjectOutputStream(baos)) { oos =>
+      oos.writeObject(bm)
+    }
 
     val bais = new ByteArrayInputStream(baos.toByteArray)
-    val ois = new ObjectInputStream(bais)
-    val deserialized = ois.readObject().asInstanceOf[BestMatch]
-    ois.close()
+    val deserialized = using(new SafeObjectInputStream(bais, SafeObjectInputStream.DefaultNNAllowedPrefixes)) { ois =>
+      ois.readObject().asInstanceOf[BestMatch]
+    }.get
 
     assert(deserialized.index === 7)
     assert(deserialized.distance === 2.5)
   }
 
+  test("SafeObjectInputStream rejects unauthorized classes") {
+    val malicious = new java.util.concurrent.atomic.AtomicReference[String]("payload")
+    val baos = new ByteArrayOutputStream()
+    using(new ObjectOutputStream(baos)) { oos =>
+      oos.writeObject(malicious)
+    }
+
+    val bais = new ByteArrayInputStream(baos.toByteArray)
+    val restrictedPrefixes = Set("com.microsoft.azure.synapse.ml.nn.")
+    val result = using(new SafeObjectInputStream(bais, restrictedPrefixes)) { ois =>
+      ois.readObject()
+    }
+    assert(result.isFailure)
+    assert(result.failed.get.isInstanceOf[java.io.InvalidClassException])
+  }
+
+  test("SafeObjectInputStream allows primitive arrays") {
+    val data = Array(1.0, 2.0, 3.0)
+    val baos = new ByteArrayOutputStream()
+    using(new ObjectOutputStream(baos)) { oos =>
+      oos.writeObject(data)
+    }
+
+    val bais = new ByteArrayInputStream(baos.toByteArray)
+    val deserialized = using(new SafeObjectInputStream(bais, Set("java.lang."))) { ois =>
+      ois.readObject().asInstanceOf[Array[Double]]
+    }.get
+
+    assert(deserialized.sameElements(data))
+  }
+
+  test("SafeObjectInputStream allows object arrays with permitted component type") {
+    val data = Array("hello", "world")
+    val baos = new ByteArrayOutputStream()
+    using(new ObjectOutputStream(baos)) { oos =>
+      oos.writeObject(data)
+    }
+
+    val bais = new ByteArrayInputStream(baos.toByteArray)
+    val deserialized = using(new SafeObjectInputStream(bais, Set("java.lang."))) { ois =>
+      ois.readObject().asInstanceOf[Array[String]]
+    }.get
+
+    assert(deserialized.sameElements(data))
+  }
+
+  test("SafeObjectInputStream rejects object arrays with disallowed component type") {
+    val data = Array(new java.util.concurrent.atomic.AtomicInteger(1))
+    val baos = new ByteArrayOutputStream()
+    using(new ObjectOutputStream(baos)) { oos =>
+      oos.writeObject(data)
+    }
+
+    val bais = new ByteArrayInputStream(baos.toByteArray)
+    val result = using(new SafeObjectInputStream(bais, Set("java.lang."))) { ois =>
+      ois.readObject()
+    }
+    assert(result.isFailure)
+    assert(result.failed.get.isInstanceOf[java.io.InvalidClassException])
+  }
+
+  test("SafeObjectInputStream rejects dynamic proxies with disallowed interfaces") {
+    val proxy = java.lang.reflect.Proxy.newProxyInstance(
+      getClass.getClassLoader,
+      Array(classOf[Runnable]),
+      (_: Any, _: java.lang.reflect.Method, _: Array[AnyRef]) => None.orNull
+    )
+    val baos = new ByteArrayOutputStream()
+    using(new ObjectOutputStream(baos)) { oos =>
+      oos.writeObject(proxy)
+    }
+
+    val bais = new ByteArrayInputStream(baos.toByteArray)
+    val result = using(new SafeObjectInputStream(bais, Set("com.microsoft.azure.synapse.ml.nn."))) { ois =>
+      ois.readObject()
+    }
+    assert(result.isFailure)
+    assert(result.failed.get.isInstanceOf[java.io.InvalidClassException])
+  }
+
 }