8244473: Contextualize registration for JNDI

Also reviewed by Chris Ries <chris.ries@oracle.com> Reviewed-by: dfuchs, rriggs, rhalade, skoivu, mullan
2020-10-14 14:35:00 +00:00 · 2020-10-14 14:35:00 +00:00 · 17a741d6bc
commit 17a741d6bc
parent f47faf283b
8 changed files with 251 additions and 13 deletions
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@ -1326,3 +1326,26 @@ jdk.io.permissionsUseCanonicalPath=false
 #
 # jdk.tls.alpnCharset=UTF-8
 jdk.tls.alpnCharset=ISO_8859_1
+
+#
+# JNDI Object Factories Filter
+#
+# This filter is used by the JNDI runtime to control the set of object factory classes
+# which will be allowed to instantiate objects from object references returned by
+# naming/directory systems. The factory class named by the reference instance will be
+# matched against this filter. The filter property supports pattern-based filter syntax
+# with the same format as jdk.serialFilter.
+#
+# Each pattern is matched against the factory class name to allow or disallow it's
+# instantiation. The access to a factory class is allowed unless the filter returns
+# REJECTED.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes
+# the security property value defined here. The default value of the property is "*".
+#
+# The default pattern value allows any object factory class specified by the reference
+# instance to recreate the referenced object.
+#jdk.jndi.object.factoriesFilter=*
--- a/src/java.naming/share/classes/com/sun/jndi/ldap/Obj.java
+++ b/src/java.naming/share/classes/com/sun/jndi/ldap/Obj.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -233,6 +233,9 @@ final class Obj {
        String[] codebases = getCodebases(attrs.get(JAVA_ATTRIBUTES[CODEBASE]));
        try {
            if ((attr = attrs.get(JAVA_ATTRIBUTES[SERIALIZED_DATA])) != null) {
+                if (!VersionHelper.isSerialDataAllowed()) {
+                    throw new NamingException("Object deserialization is not allowed");
+                }
                ClassLoader cl = helper.getURLClassLoader(codebases);
                return deserializeObject((byte[])attr.get(), cl);
            } else if ((attr = attrs.get(JAVA_ATTRIBUTES[REMOTE_LOC])) != null) {
--- a/src/java.naming/share/classes/com/sun/jndi/ldap/VersionHelper.java
+++ b/src/java.naming/share/classes/com/sun/jndi/ldap/VersionHelper.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -43,21 +43,52 @@ public final class VersionHelper {
     */
    private static final boolean trustURLCodebase;

+    /**
+     * Determines whether objects may be deserialized from the content of
+     * 'javaSerializedData' attribute.
+     */
+    private static final boolean trustSerialData;
+
    static {
        // System property to control whether classes may be loaded from an
        // arbitrary URL code base
-        PrivilegedAction<String> act =
-                () -> System.getProperty("com.sun.jndi.ldap.object.trustURLCodebase", "false");
-        String trust = AccessController.doPrivileged(act);
+        String trust = getPrivilegedProperty(
+                "com.sun.jndi.ldap.object.trustURLCodebase", "false");
        trustURLCodebase = "true".equalsIgnoreCase(trust);
+
+        // System property to control whether classes is allowed to be loaded from
+        // 'javaSerializedData' attribute
+        String trustSerialDataSp = getPrivilegedProperty(
+                "com.sun.jndi.ldap.object.trustSerialData", "true");
+        trustSerialData = "true".equalsIgnoreCase(trustSerialDataSp);
    }

-    private VersionHelper() { }
+    private static String getPrivilegedProperty(String propertyName, String defaultVal) {
+        PrivilegedAction<String> action = () -> System.getProperty(propertyName, defaultVal);
+        if (System.getSecurityManager() == null) {
+            return action.run();
+        } else {
+            return AccessController.doPrivileged(action);
+        }
+    }
+
+    private VersionHelper() {
+    }

    static VersionHelper getVersionHelper() {
        return helper;
    }

+    /**
+     * Returns true if deserialization of objects from 'javaSerializedData'
+     * LDAP attribute is allowed.
+     *
+     * @return true if deserialization is allowed; false - otherwise
+     */
+    public static boolean isSerialDataAllowed() {
+        return trustSerialData;
+    }
+
    ClassLoader getURLClassLoader(String[] url) throws MalformedURLException {
        ClassLoader parent = getContextClassLoader();
        /*
--- a/src/java.naming/share/classes/com/sun/naming/internal/ObjectFactoriesFilter.java
+++ b/src/java.naming/share/classes/com/sun/naming/internal/ObjectFactoriesFilter.java
@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.naming.internal;
+
+import sun.security.util.SecurityProperties;
+
+import javax.naming.Reference;
+import java.io.ObjectInputFilter;
+import java.io.ObjectInputFilter.FilterInfo;
+import java.io.ObjectInputFilter.Status;
+
+/**
+ * This class implements the filter that validates object factories classes instantiated
+ * during {@link Reference} lookups.
+ * There is one system-wide filter instance per VM that can be set via
+ * the {@code "jdk.jndi.object.factoriesFilter"} system property value, or via
+ * setting the property in the security properties file. The system property value supersedes
+ * the security property value. If none of the properties are specified the default
+ * "*" value is used.
+ * The filter is implemented as {@link ObjectInputFilter} with capabilities limited to the
+ * validation of a factory's class types only ({@linkplain FilterInfo#serialClass()}).
+ * Array length, number of object references, depth, and stream size filtering capabilities are
+ * not supported by the filter.
+ */
+public final class ObjectFactoriesFilter {
+
+    /**
+     * Checks if serial filter configured with {@code "jdk.jndi.object.factoriesFilter"}
+     * system property value allows instantiation of the specified objects factory class.
+     * If the filter result is not {@linkplain Status#REJECTED REJECTED}, the filter will
+     * allow the instantiation of objects factory class.
+     *
+     * @param factoryClass objects factory class
+     * @return true - if the factory is allowed to be instantiated; false - otherwise
+     */
+    public static boolean canInstantiateObjectsFactory(Class<?> factoryClass) {
+        return checkInput(() -> factoryClass);
+    }
+
+    private static boolean checkInput(FactoryInfo factoryInfo) {
+        Status result = GLOBAL.checkInput(factoryInfo);
+        return result != Status.REJECTED;
+    }
+
+    // FilterInfo to check if objects factory class is allowed by the system-wide
+    // filter. Array length, number of object references, depth, and stream size
+    // capabilities are ignored.
+    @FunctionalInterface
+    private interface FactoryInfo extends FilterInfo {
+        @Override
+        default long arrayLength() {
+            return -1;
+        }
+
+        @Override
+        default long depth() {
+            return 1;
+        }
+
+        @Override
+        default long references() {
+            return 0;
+        }
+
+        @Override
+        default long streamBytes() {
+            return 0;
+        }
+    }
+
+    // Prevent instantiation of the factories filter class
+     private ObjectFactoriesFilter() {
+         throw new InternalError("Not instantiable");
+     }
+
+    // System property name that contains the patterns to filter object factory names
+    private static final String FACTORIES_FILTER_PROPNAME = "jdk.jndi.object.factoriesFilter";
+
+    // Default system property value that allows the load of any object factory classes
+    private static final String DEFAULT_SP_VALUE = "*";
+
+    // System wide object factories filter constructed from the system property
+    private static final ObjectInputFilter GLOBAL =
+            ObjectInputFilter.Config.createFilter(getFilterPropertyValue());
+
+    // Get security or system property value
+    private static String getFilterPropertyValue() {
+        String propVal = SecurityProperties.privilegedGetOverridable(FACTORIES_FILTER_PROPNAME);
+        return propVal != null ? propVal : DEFAULT_SP_VALUE;
+    }
+}
--- a/src/java.naming/share/classes/com/sun/naming/internal/VersionHelper.java
+++ b/src/java.naming/share/classes/com/sun/naming/internal/VersionHelper.java
@ -96,6 +96,10 @@ public final class VersionHelper {
        return loadClass(className, getContextClassLoader());
    }

+    public Class<?> loadClassWithoutInit(String className) throws ClassNotFoundException {
+        return loadClass(className, false, getContextClassLoader());
+    }
+
    /**
     * @param className A non-null fully qualified class name.
     * @param codebase  A non-null, space-separated list of URL strings.
@ -118,10 +122,15 @@ public final class VersionHelper {
     * This internal method is used with Thread Context Class Loader (TCCL),
     * please don't expose this method as public.
     */
+    Class<?> loadClass(String className, boolean initialize, ClassLoader cl)
+            throws ClassNotFoundException {
+        Class<?> cls = Class.forName(className, initialize, cl);
+        return cls;
+    }
+
    Class<?> loadClass(String className, ClassLoader cl)
            throws ClassNotFoundException {
-        Class<?> cls = Class.forName(className, true, cl);
-        return cls;
+        return loadClass(className, true, cl);
    }

    /*
--- a/src/java.naming/share/classes/javax/naming/spi/NamingManager.java
+++ b/src/java.naming/share/classes/javax/naming/spi/NamingManager.java
@ -31,6 +31,8 @@ import java.security.PrivilegedAction;
 import java.util.*;

 import javax.naming.*;
+
+import com.sun.naming.internal.ObjectFactoriesFilter;
 import com.sun.naming.internal.VersionHelper;
 import com.sun.naming.internal.ResourceManager;
 import com.sun.naming.internal.FactoryEnumeration;
@ -147,7 +149,11 @@ public class NamingManager {

        // Try to use current class loader
        try {
-             clas = helper.loadClass(factoryName);
+            clas = helper.loadClassWithoutInit(factoryName);
+            // Validate factory's class with the objects factory serial filter
+            if (!ObjectFactoriesFilter.canInstantiateObjectsFactory(clas)) {
+                return null;
+            }
        } catch (ClassNotFoundException e) {
            // ignore and continue
            // e.printStackTrace();
@ -160,6 +166,11 @@ public class NamingManager {
                (codebase = ref.getFactoryClassLocation()) != null) {
            try {
                clas = helper.loadClass(factoryName, codebase);
+                // Validate factory's class with the objects factory serial filter
+                if (clas == null ||
+                    !ObjectFactoriesFilter.canInstantiateObjectsFactory(clas)) {
+                    return null;
+                }
            } catch (ClassNotFoundException e) {
            }
        }
--- a/src/java.naming/share/classes/module-info.java
+++ b/src/java.naming/share/classes/module-info.java
@ -29,11 +29,11 @@
 * Common standard JNDI environment properties that may be supported
 * by JNDI providers are defined and documented in
 * {@link javax.naming.Context}. Specific JNDI provider implementations
- * may also support other environment properties, which are specific
+ * may also support other environment or system properties, which are specific
 * to their implementation.
 *
 * @implNote
- * The following implementation specific properties are supported by the
+ * The following implementation specific environment properties are supported by the
 * default LDAP Naming Service Provider implementation in the JDK:
 * <ul>
 *     <li>{@code com.sun.jndi.ldap.connect.timeout}:
@ -74,7 +74,36 @@
 *         channel binding information to the server.
 *     </li>
 * </ul>
- *
+ * <p>The following implementation specific system properties are supported by the
+ * default LDAP Naming Service Provider implementation in the JDK:
+ * <ul>
+ *     <li>{@systemProperty com.sun.jndi.ldap.object.trustSerialData}:
+ *          <br>The value of this system property is the string representation of a boolean value
+ *          which allows to control the deserialization of java objects from the 'javaSerializedData'
+ *          LDAP attribute. To prevent the deserialization of java objects from the 'javaSerializedData'
+ *          attribute, the system property value can be set to 'false'.
+ *          <br>If the property is not specified then the deserialization of java objects
+ *          from the 'javaSerializedData' attribute is allowed.
+ *     </li>
+ *     <li>{@systemProperty jdk.jndi.object.factoriesFilter}:
+ *          <br>The value of this system property defines a filter used by
+ *          the JNDI runtime implementation to control the set of object factory classes which will
+ *          be allowed to instantiate objects from object references returned by naming/directory systems.
+ *          The factory class named by the reference instance will be matched against this filter.
+ *          The filter property supports pattern-based filter syntax with the same format as
+ *          {@link java.io.ObjectInputFilter.Config#createFilter(String) jdk.serialFilter}.
+ *          This property can also be specified as a {@linkplain java.security.Security security property}.
+ *          This property is also supported by the <a href="{@docRoot}/jdk.naming.rmi/module-summary.html">default JNDI
+ *          RMI Provider</a>.
+ *          <br>The default value allows any object factory class specified by the reference
+ *          instance to recreate the referenced object.
+ *     </li>
+ * </ul>
+ * <p>Other providers may define additional properties in their module description:
+ * <ul>
+ *  <li><a href="{@docRoot}/jdk.naming.dns/module-summary.html">DNS Naming Provider</a></li>
+ *  <li><a href="{@docRoot}/jdk.naming.rmi/module-summary.html">RMI Naming Provider</a></li>
+ * </ul>
 * @provides javax.naming.ldap.spi.LdapDnsProvider
 *
 * @uses javax.naming.ldap.spi.LdapDnsProvider
--- a/src/jdk.naming.rmi/share/classes/module-info.java
+++ b/src/jdk.naming.rmi/share/classes/module-info.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -26,6 +26,24 @@
 /**
 * Provides the implementation of the RMI Java Naming provider.
 *
+ * @implNote
+ * The following implementation specific system properties are supported by the
+ * default RMI Naming Service Provider implementation in the JDK:
+ * <ul>
+ *     <li>{@systemProperty jdk.jndi.object.factoriesFilter}:
+ *          <br>The value of this system property defines a filter used by
+ *          the JNDI runtime implementation to control the set of object factory classes which will
+ *          be allowed to instantiate objects from object references returned by naming/directory systems.
+ *          The factory class named by the reference instance will be matched against this filter.
+ *          The filter property supports pattern-based filter syntax with the same format as
+ *          {@link java.io.ObjectInputFilter.Config#createFilter(String) jdk.serialFilter}.
+ *          This property can also be specified as a {@linkplain java.security.Security security property}.
+ *          This property is also supported by the <a href="{@docRoot}/java.naming/module-summary.html">default
+ *          LDAP Naming Service Provider</a>.
+ *          <br>The default value allows any object factory class specified by the reference
+ *          instance to recreate the referenced object.
+ *     </li>
+ * </ul>
 * @provides javax.naming.spi.InitialContextFactory
 * @moduleGraph
 * @since 9