Merge pull request #136 from rabbitmq/rabbitmq-jms-client-135-white-list-stream-message

Use trusted packages in StreamMessage

Author: michaelklishin

src/main/java/com/rabbitmq/jms/client/RMQMessage.java

@@ -1146,6 +1146,8 @@ static RMQMessage fromMessage(byte[] b, List<String> trustedPackages) throws RMQ
     private static RMQMessage instantiateRmqMessage(String messageClass, List<String> trustedPackages) throws RMQJMSException {
         if(isRmqObjectMessageClass(messageClass)) {
             return instantiateRmqObjectMessageWithTrustedPackages(trustedPackages);
+        } else if (isRmqStreamMessageClass(messageClass)) {
+            return instantiateRmqStreamMessageWithTrustedPackages(trustedPackages);
         } else {
             try {
                 // instantiate the message object with the thread context classloader
@@ -1168,12 +1170,24 @@ private static boolean isRmqObjectMessageClass(String clazz) {
         return RMQObjectMessage.class.getName().equals(clazz);
     }
 
+    private static boolean isRmqStreamMessageClass(String clazz) {
+        return RMQStreamMessage.class.getName().equals(clazz);
+    }
+
     private static RMQObjectMessage instantiateRmqObjectMessageWithTrustedPackages(List<String> trustedPackages) throws RMQJMSException {
+        return (RMQObjectMessage) instantiateRmqMessageWithTrustedPackages(RMQObjectMessage.class.getName(), trustedPackages);
+    }
+
+    private static RMQStreamMessage instantiateRmqStreamMessageWithTrustedPackages(List<String> trustedPackages) throws RMQJMSException {
+        return (RMQStreamMessage) instantiateRmqMessageWithTrustedPackages(RMQStreamMessage.class.getName(), trustedPackages);
+    }
+
+    private static RMQMessage instantiateRmqMessageWithTrustedPackages(String messageClazz, List<String> trustedPackages) throws RMQJMSException {
         try {
             // instantiate the message object with the thread context classloader
-            Class<?> messageClass = Class.forName(RMQObjectMessage.class.getName(), true, Thread.currentThread().getContextClassLoader());
+            Class<?> messageClass = Class.forName(messageClazz, true, Thread.currentThread().getContextClassLoader());
             Constructor<?> constructor = messageClass.getConstructor(List.class);
-            return (RMQObjectMessage) constructor.newInstance(trustedPackages);
+            return (RMQMessage) constructor.newInstance(trustedPackages);
         } catch (NoSuchMethodException e) {
             throw new RMQJMSException(e);
         } catch (InvocationTargetException e) {

src/main/java/com/rabbitmq/jms/client/message/RMQStreamMessage.java

@@ -5,6 +5,7 @@
 // Copyright (c) 2013-2020 VMware, Inc. or its affiliates. All rights reserved.
 package com.rabbitmq.jms.client.message;
 
+import com.rabbitmq.jms.util.WhiteListObjectInputStream;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.EOFException;
@@ -15,6 +16,7 @@
 import java.io.ObjectOutputStream;
 import java.io.UTFDataFormatException;
 
+import java.util.List;
 import javax.jms.JMSException;
 import javax.jms.MessageEOFException;
 import javax.jms.MessageFormatException;
@@ -47,12 +49,19 @@ public class RMQStreamMessage extends RMQMessage implements StreamMessage {
     private volatile transient byte[] buf;
     private volatile transient byte[] readbuf = null;
 
+    private final List<String> trustedPackages;
+
+    public RMQStreamMessage(List<String> trustedPackages) {
+        this(false, trustedPackages);
+    }
+
     public RMQStreamMessage() {
-        this(false);
+        this(false, WhiteListObjectInputStream.DEFAULT_TRUSTED_PACKAGES);
     }
 
-    private RMQStreamMessage(boolean reading) {
+    private RMQStreamMessage(boolean reading, List<String> trustedPackages) {
         this.reading = reading;
+        this.trustedPackages = trustedPackages;
         if (!reading) {
             this.bout = new ByteArrayOutputStream(RMQMessage.DEFAULT_MESSAGE_BODY_SIZE);
             try {
@@ -513,7 +522,7 @@ protected void readBody(ObjectInput inputStream, ByteArrayInputStream bin) throw
         inputStream.read(buf);
         this.reading = true;
         this.bin = new ByteArrayInputStream(buf);
-        this.in = new ObjectInputStream(this.bin);
+        this.in = new WhiteListObjectInputStream(this.bin, this.trustedPackages);
     }
 
     @Override

src/test/java/com/rabbitmq/integration/tests/ObjectMessageSerializationIT.java

@@ -26,7 +26,7 @@
 
 public class ObjectMessageSerializationIT extends AbstractITQueue {
 
-    private static final String QUEUE_NAME = "test.queue." + SimpleQueueMessageDefaultsIT.class.getCanonicalName();
+    private static final String QUEUE_NAME = "test.queue." + ObjectMessageSerializationIT.class.getCanonicalName();
     private static final long TEST_RECEIVE_TIMEOUT = 1000; // one second
     private static final java.util.List<String> TRUSTED_PACKAGES = Arrays.asList("java.lang", "com.rabbitmq.jms");
 

src/test/java/com/rabbitmq/integration/tests/StreamMessageSerializationIT.java

@@ -0,0 +1,117 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+//
+// Copyright (c) 2013-2020 VMware, Inc. or its affiliates. All rights reserved.
+package com.rabbitmq.integration.tests;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.fail;
+
+import com.rabbitmq.jms.admin.RMQConnectionFactory;
+import com.rabbitmq.jms.client.message.RMQStreamMessage;
+import com.rabbitmq.jms.client.message.TestMessages;
+import com.rabbitmq.jms.util.RMQJMSException;
+import java.awt.Color;
+import java.lang.reflect.Method;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+import javax.jms.Queue;
+import javax.jms.QueueReceiver;
+import javax.jms.QueueSender;
+import javax.jms.QueueSession;
+import javax.jms.Session;
+import javax.jms.StreamMessage;
+import org.junit.jupiter.api.Test;
+
+public class StreamMessageSerializationIT extends AbstractITQueue {
+
+    private static final String QUEUE_NAME = "test.queue." + StreamMessageSerializationIT.class.getCanonicalName();
+    private static final long TEST_RECEIVE_TIMEOUT = 1000; // one second
+    private static final java.util.List<String> TRUSTED_PACKAGES = Arrays.asList("java.lang", "com.rabbitmq.jms");
+
+    @Override
+    protected void customise(RMQConnectionFactory connectionFactory) {
+        super.customise(connectionFactory);
+        connectionFactory.setTrustedPackages(TRUSTED_PACKAGES);
+    }
+
+    protected void testReceiveStreamMessageWithValue(Object value) throws Exception {
+        try {
+            queueConn.start();
+            QueueSession queueSession = queueConn.createQueueSession(false, Session.DUPS_OK_ACKNOWLEDGE);
+            Queue queue = queueSession.createQueue(QUEUE_NAME);
+
+            drainQueue(queueSession, queue);
+
+            QueueSender queueSender = queueSession.createSender(queue);
+            StreamMessage message = (StreamMessage) MessageTestType.STREAM.gen(queueSession, null);
+
+            // we simulate an attack from the sender by calling writeObject with a non-primitive value
+            // (StreamMessage supports only primitive types)
+            // the value is then sent to the destination and the consumer will have to
+            // deserialize it and can potentially execute malicious code
+            Method writeObjectMethod = RMQStreamMessage.class
+                .getDeclaredMethod("writeObject", Object.class, boolean.class);
+            writeObjectMethod.setAccessible(true);
+            writeObjectMethod.invoke(message, value, true);
+
+            queueSender.send(message);
+        } finally {
+            reconnect(Arrays.asList("java.lang", "com.rabbitmq.jms"));
+        }
+
+        queueConn.start();
+        QueueSession queueSession = queueConn.createQueueSession(false, Session.DUPS_OK_ACKNOWLEDGE);
+        Queue queue = queueSession.createQueue(QUEUE_NAME);
+        QueueReceiver queueReceiver = queueSession.createReceiver(queue);
+        RMQStreamMessage m = (RMQStreamMessage) queueReceiver.receive(TEST_RECEIVE_TIMEOUT);
+        MessageTestType.STREAM.check(m, null);
+        assertEquals(m.readObject(), value);
+    }
+
+    @Test
+    public void testReceiveStreamMessageWithPrimitiveValue() throws Exception {
+        testReceiveStreamMessageWithValue(1024L);
+        testReceiveStreamMessageWithValue("a string");
+    }
+
+    @Test
+    public void testReceiveStreamMessageWithTrustedValue() throws Exception {
+        testReceiveStreamMessageWithValue(new TestMessages.TestSerializable(8, "An object"));
+    }
+
+    @Test
+    public void testReceiveStreamMessageWithUntrustedValue1() throws Exception {
+        // StreamMessage cannot be used with a Map, unless the sender uses a trick
+        // this is to simulate an attack from the sender
+        // Note: java.util is not on the trusted package list
+        assertThrows(RMQJMSException.class, () -> {
+            Map<String, String> m = new HashMap<String, String>();
+            m.put("key", "value");
+            testReceiveStreamMessageWithValue(m);
+        });
+    }
+    @Test
+    public void testReceiveStreamMessageWithUntrustedValue2() throws Exception {
+        // StreamMessage cannot be used with a Map, unless the sender uses a trick
+        // this is to simulate an attack from the sender
+        // java.awt is not on the trusted package list
+        assertThrows(RMQJMSException.class, () -> {
+            testReceiveStreamMessageWithValue(Color.WHITE);
+        });
+    }
+
+    protected void reconnect(java.util.List<String> trustedPackages) throws Exception {
+        if (queueConn != null) {
+            this.queueConn.close();
+            ((RMQConnectionFactory) connFactory).setTrustedPackages(trustedPackages);
+            this.queueConn = connFactory.createQueueConnection();
+        } else {
+            fail("Cannot reconnect");
+        }
+    }
+}
+