♻️ Move createSafeObjectInputStream to java 8 compatible class

ryandens · ryandens · commit ee74adbf4665 · 2023-09-28T15:02:39.000-07:00
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -64,6 +64,7 @@ dependencies {
     java11SourceSet.apiConfigurationName("commons-io:commons-io:2.11.0")
     testImplementation("org.junit.jupiter:junit-jupiter:5.8.1")
     testImplementation("org.junit.jupiter:junit-jupiter-params")
+    testImplementation("commons-fileupload:commons-fileupload:1.3.3")
     testRuntimeOnly("org.junit.platform:junit-platform-launcher")
     testImplementation("org.hamcrest:hamcrest-all:1.3")
     testImplementation("org.mockito:mockito-core:4.0.0")
diff --git a/src/java11/main/io/github/pixee/security/ObjectInputFilters.java b/src/java11/main/io/github/pixee/security/ObjectInputFilters.java
@@ -1,14 +1,12 @@
 package io.github.pixee.security;
 
-import java.io.IOException;
-import java.io.InputStream;
 import java.io.ObjectInputFilter;
 import java.io.ObjectInputStream;
 import java.util.Objects;
-import org.apache.commons.io.serialization.ValidatingObjectInputStream;
 
 /**
- * This type exposes helper methods that will help defend against Java deserialization attacks.
+ * This type exposes helper methods that will help defend against Java deserialization attacks
+ * leveraging the Java 9+ API {@link ObjectInputFilter}.
  *
  * <p>For more information on deserialization checkout the <a
  * href="https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html">OWASP
@@ -94,30 +92,6 @@ public Status checkInput(final FilterInfo filterInfo) {
     }
   }
 
-  /**
-   * This method returns a wrapped {@link ObjectInputStream} that protects against deserialization
-   * code execution attacks. This method can be used in Java 8 and previous.
-   *
-   * @param ois the stream to wrap and harden
-   * @return an {@link ObjectInputStream} which is safe against all publicly known gadgets
-   * @throws IOException if the underlying creation of {@link ObjectInputStream} fails
-   */
-  public static ObjectInputStream createSafeObjectInputStream(final InputStream ois)
-      throws IOException {
-    try {
-      final ValidatingObjectInputStream is = new ValidatingObjectInputStream(ois);
-      for (String gadget : UnwantedTypes.dangerousClassNameTokens()) {
-        is.reject("*" + gadget + "*");
-      }
-      return is;
-    } catch (IOException e) {
-      // ignored
-    }
-
-    // if for some reason we can't replace it, we'll pass it back as it was given
-    return new ObjectInputStream(ois);
-  }
-
   private static final ObjectInputFilter basicGadgetDenylistFilter =
       ObjectInputFilter.Config.createFilter(
           "!" + String.join("*;!", UnwantedTypes.dangerousClassNameTokens()));
diff --git a/src/java11Test/java/io/github/pixee/security/ObjectInputFiltersTest.java b/src/java11Test/java/io/github/pixee/security/ObjectInputFiltersTest.java
@@ -41,17 +41,6 @@ void default_is_unprotected() throws Exception {
     assertThat(o, instanceOf(DiskFileItem.class));
   }
 
-  @Test
-  void validating_ois_works() throws Exception {
-    ObjectInputStream ois =
-        ObjectInputFilters.createSafeObjectInputStream(new ByteArrayInputStream(serializedGadget));
-    assertThrows(
-        InvalidClassException.class,
-        () -> {
-          ois.readObject();
-          fail("this should have been blocked");
-        });
-  }
 
   @Test
   void ois_harden_works() throws Exception {
diff --git a/src/main/java/io/github/pixee/security/SafeObjectInputStream.java b/src/main/java/io/github/pixee/security/SafeObjectInputStream.java
@@ -0,0 +1,47 @@
+package io.github.pixee.security;
+
+import org.apache.commons.io.serialization.ValidatingObjectInputStream;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+
+/**
+ * This type exposes helper methods that will help defend against Java deserialization attacks
+ * leveraging {@link ObjectInputStream} APIs.
+ *
+ * <p>For more information on deserialization checkout the <a
+ * href="https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html">OWASP
+ * Cheat Sheet</a>.
+ */
+public final class SafeObjectInputStream {
+
+    /**
+     * Private no-op constructor to prevent accidental initialization of this class
+     */
+    private SafeObjectInputStream() {}
+
+    /**
+     * This method returns a wrapped {@link ObjectInputStream} that protects against deserialization
+     * code execution attacks. This method can be used in Java 8 and previous.
+     *
+     * @param ois the stream to wrap and harden
+     * @return an {@link ObjectInputStream} which is safe against all publicly known gadgets
+     * @throws IOException if the underlying creation of {@link ObjectInputStream} fails
+     */
+    public static ObjectInputStream createSafeObjectInputStream(final InputStream ois)
+            throws IOException {
+        try {
+            final ValidatingObjectInputStream is = new ValidatingObjectInputStream(ois);
+            for (String gadget : UnwantedTypes.dangerousClassNameTokens()) {
+                is.reject("*" + gadget + "*");
+            }
+            return is;
+        } catch (IOException e) {
+            // ignored
+        }
+
+        // if for some reason we can't replace it, we'll pass it back as it was given
+        return new ObjectInputStream(ois);
+    }
+}
diff --git a/src/test/java/io/github/pixee/security/SafeObjectInputStreamTest.java b/src/test/java/io/github/pixee/security/SafeObjectInputStreamTest.java
@@ -0,0 +1,54 @@
+package io.github.pixee.security;
+
+import org.apache.commons.fileupload.disk.DiskFileItem;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.nio.file.Files;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.fail;
+
+final class SafeObjectInputStreamTest {
+
+    private static DiskFileItem gadget; // this is an evil gadget type
+    private static byte[] serializedGadget; // this the serialized bytes of that gadget
+
+    @BeforeAll
+    static void setup() throws IOException {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        gadget =
+                new DiskFileItem(
+                        "fieldName",
+                        "text/html",
+                        false,
+                        "foo.html",
+                        100,
+                        Files.createTempDirectory("adi").toFile());
+        gadget.getOutputStream(); // needed to make the object serializable
+        ObjectOutputStream oos = new ObjectOutputStream(baos);
+        oos.writeObject(gadget);
+        serializedGadget = baos.toByteArray();
+    }
+
+
+    @Test
+    void validating_ois_works() throws Exception {
+        ObjectInputStream ois =
+                SafeObjectInputStream.createSafeObjectInputStream(new ByteArrayInputStream(serializedGadget));
+        assertThrows(
+                InvalidClassException.class,
+                () -> {
+                    ois.readObject();
+                    fail("this should have been blocked");
+                });
+    }
+
+
+}
