From d542b745d1b8f7a2af86d5cea630900514fe1cbc Mon Sep 17 00:00:00 2001
From: khac
Date: Thu, 16 May 2024 11:47:51 +0530
Subject: [PATCH] FIX: Introduced protections against deserialization attacks
---
 pulsar-functions/api-java/pom.xml | 4 ++++
 .../apache/pulsar/functions/api/utils/JavaSerDe.java | 2 ++
 pulsar-functions/pom.xml | 12 ++++++++++++
 3 files changed, 18 insertions(+)
diff --git a/pulsar-functions/api-java/pom.xml b/pulsar-functions/api-java/pom.xml
index c28159bed2421..6f22762ed6c44 100644
--- a/pulsar-functions/api-java/pom.xml
+++ b/pulsar-functions/api-java/pom.xml
@@ -55,6 +55,10 @@
 ${project.version}
 compile
+
+ io.github.pixee
+ java-security-toolkit
+
diff --git a/pulsar-functions/api-java/src/main/java/org/apache/pulsar/functions/api/utils/JavaSerDe.java b/pulsar-functions/api-java/src/main/java/org/apache/pulsar/functions/api/utils/JavaSerDe.java
index c145179abb42b..fe99c4b14f9e0 100644
--- a/pulsar-functions/api-java/src/main/java/org/apache/pulsar/functions/api/utils/JavaSerDe.java
+++ b/pulsar-functions/api-java/src/main/java/org/apache/pulsar/functions/api/utils/JavaSerDe.java
@@ -18,6 +18,7 @@
 */
 package org.apache.pulsar.functions.api.utils;
+import io.github.pixee.security.ObjectInputFilters;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.ObjectInputStream;
@@ -60,6 +61,7 @@ public Object deserialize(byte[] data) {
 Object obj = null;
 try (ByteArrayInputStream bis = new ByteArrayInputStream(data);
 ObjectInputStream ois = new ObjectInputStream(bis)) {
+ ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
 obj = ois.readObject();
 } catch (Exception ex) {
 log.info("Exception during deserialization", ex);
diff --git a/pulsar-functions/pom.xml b/pulsar-functions/pom.xml
index cddeec3be7dbb..3a8e6a5187c6f 100644
--- a/pulsar-functions/pom.xml
+++ b/pulsar-functions/pom.xml
@@ -76,4 +76,16 @@
+
+
+
+ io.github.pixee
+ java-security-toolkit
+ ${versions.java-security-toolkit}
+
+
+
+
+ 1.1.3
+
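Review bot: Adding `io.github.pixee:java-security-toolkit` to `pulsar-functions/api-java`, the module that user function jars compile against, makes it a transitive dependency of every function implementor, a new supply-chain trust decision that neither the commit message nor the pom explains; the same applies to the `dependencyManagement` entry and the `versions.java-security-toolkit` property (`1.1.3`) added in the `pulsar-functions/pom.xml` hunk. The XML tags are stripped in this rendering, so the dependency's scope is not visible; if it is compile scope it also lands on the classpath of function code that never touches `JavaSerDe`. Since the only use is one call in `JavaSerDe.deserialize`, the JDK's own `ObjectInputStream.setObjectInputFilter` (Java 9+) would give a dependency-free equivalent; if the toolkit stays, add a comment such as `<!-- deserialization filter used by JavaSerDe; keep version in sync with pulsar-functions/pom.xml -->` beside the dependency.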
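Review bot: Rejections by the filter installed on the added line surface only as an info-level log, because a blocked stream makes `readObject()` throw `InvalidClassException`, which the `catch (Exception ex)` below folds into `log.info("Exception during deserialization", ex)` and a null return, so a rejected payload is indistinguishable from a benign decode failure to anyone monitoring the function. Catch it first and log it at warn, e.g. `} catch (java.io.InvalidClassException ex) { log.warn("Rejected serialized payload", ex);`, ahead of the generic catch. The method name `enableObjectFilterIfUnprotected` suggests the filter is installed only when no filter is already set, and the toolkit's filter is, as far as I can tell, a deny-list of known gadget classes rather than an allow-list of the types this SerDe expects; a one-line comment such as `// Installs a deny-list of known gadget classes; not an allow-list of expected types` would keep the next reader from assuming stronger guarantees. `deserialize` begins and ends outside the hunk.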