From f02f7aeab45a80b14740cdf34d2ca9cd22dc9674 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Wed, 27 Nov 2024 20:52:07 -0500
Subject: [PATCH] Introduced protections against deserialization attacks (#2)
---
core/pom.xml | 6 +++++-
.../main/java/com/alibaba/nacos/core/cluster/Member.java | 2 ++
pom.xml | 6 ++++++
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/core/pom.xml b/core/pom.xml
index 4ab09dda59..ed12a9d2ca 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -162,5 +162,9 @@
org.springframework
spring-webmvc
-
+
+ io.github.pixee
+ java-security-toolkit
+
+
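Review bot: The `io.github.pixee:java-security-toolkit` artifact added to this module is a new third-party runtime jar brought in for what appears to be a single call site, and the capability it wraps is already in the JDK: `java.io.ObjectInputFilter` (JEP 290, Java 9+ and 8u121+) can be set directly with `ois.setObjectInputFilter(...)`. Adding a dependency to install a filter widens the supply-chain surface (another artifact to trust, update and audit) without adding a check the platform cannot do itself. If the toolkit is kept, a short comment in the pom such as `<!-- provides ObjectInputFilters used by cluster.Member#copy; JDK ObjectInputFilter is the alternative -->` would tell maintainers why it is here and what to replace it with. The hunk's closing lines are not visible here, so the final placement inside the dependencies block could not be checked.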
diff --git a/core/src/main/java/com/alibaba/nacos/core/cluster/Member.java b/core/src/main/java/com/alibaba/nacos/core/cluster/Member.java
index 7f5377629e..6a708e8706 100644
--- a/core/src/main/java/com/alibaba/nacos/core/cluster/Member.java
+++ b/core/src/main/java/com/alibaba/nacos/core/cluster/Member.java
@@ -20,6 +20,7 @@
import com.alibaba.nacos.core.utils.Loggers;
import com.alibaba.nacos.sys.env.EnvUtil;
import com.alibaba.nacos.common.utils.StringUtils;
+import io.github.pixee.security.ObjectInputFilters;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
@@ -204,6 +205,7 @@ public Member copy() {
// convert the input stream to member object
ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
ObjectInputStream ois = new ObjectInputStream(bais);
+ ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
copy = (Member) ois.readObject();
} catch (IOException | ClassNotFoundException e) {
Loggers.CORE.warn("[Member copy] copy failed", e);
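Review bot: The filter installed at `ObjectInputFilters.enableObjectFilterIfUnprotected(ois);` guards a stream built from `baos.toByteArray()`, which this same method appears to have filled by serializing the current Member a few lines earlier, so the bytes are not attacker-controlled and this is defense-in-depth rather than a fix for a reachable deserialization sink. Because the only legitimate payload is a Member graph, an allowlist is a tighter contract than the toolkit's denylist of known gadget classes, e.g. `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("com.alibaba.nacos.core.cluster.Member;java.base/*;!*"));` — the pattern must be checked against Member's actual field types before use. Note also that `enableObjectFilterIfUnprotected` presumably does nothing when a process-wide filter (`jdk.serialFilter`) is already set, so a weaker global filter would silently take precedence; a comment such as `// Defense-in-depth only: input is our own serialized form; filter rejects known gadget classes` would keep the next reader from mistaking this for the real trust boundary. The enclosing `copy()` body and its `try` block begin outside the hunk.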
diff --git a/pom.xml b/pom.xml
index 1dd884543c..8c7ac9fa83 100644
--- a/pom.xml
+++ b/pom.xml
@@ -155,6 +155,7 @@
5.3.39
5.8.15
9.0.93
+ 1.2.0
@@ -1066,6 +1067,11 @@
snakeyaml
${SnakeYaml.version}
+
+ io.github.pixee
+ java-security-toolkit
+ ${versions.java-security-toolkit}
+