OpenJDK / jdk / hs
changeset 43211:f264afd5082c
8156802: Better constraint checking
Reviewed-by: dfuchs
| author | rriggs |
|---|---|
| date | Wed, 12 Oct 2016 12:56:35 -0400 |
| parents | 570fbef3a53b |
| children | 5aa719c66677 |
| files | jdk/src/java.base/share/conf/security/java.security jdk/src/java.rmi/share/classes/java/rmi/MarshalledObject.java jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java jdk/src/java.rmi/share/classes/sun/rmi/runtime/Log.java jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl.java jdk/test/java/rmi/MarshalledObject/MOFilterTest.java jdk/test/java/rmi/registry/serialFilter/RegistryFilterTest.java jdk/test/java/rmi/registry/serialFilter/java.security-extra1 jdk/test/java/rmi/registry/serialFilter/security.policy |
| diffstat | 9 files changed, 610 insertions(+), 13 deletions(-) [+] |
line wrap: on
line diff
--- a/jdk/src/java.base/share/conf/security/java.security Sun Oct 09 14:38:30 2016 +0300 +++ b/jdk/src/java.base/share/conf/security/java.security Wed Oct 12 12:56:35 2016 -0400 @@ -658,6 +658,36 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & denyAfter 2017-01-01, \ RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 +# +# RMI Registry Serial Filter +# +# The filter pattern uses the same format as jdk.serialFilter. +# This filter can override the builtin filter if additional types need to be +# allowed or rejected from the RMI Registry. +# +# Note: This property is currently used by the JDK Reference implementation. +# It is not guaranteed to be examined and used by other implementations. +# +#sun.rmi.registry.registryFilter=pattern;pattern +# +# RMI Distributed Garbage Collector (DGC) Serial Filter +# +# The filter pattern uses the same format as jdk.serialFilter. +# This filter can override the builtin filter if additional types need to be +# allowed or rejected from the RMI DGC. +# +# Note: This property is currently used by the JDK Reference implementation. +# It is not guaranteed to be examined and used by other implementations. +# +# The builtin DGC filter can approximately be represented as the filter pattern: +# +#sun.rmi.transport.dgcFilter=\ +# java.rmi.server.ObjID;\ +# java.rmi.server.UID;\ +# java.rmi.dgc.VMID;\ +# java.rmi.dgc.Lease;\ +# maxdepth=5;maxarray=10000 + # Algorithm restrictions for signed JAR files # # In some environments, certain algorithms or key lengths may be undesirable
--- a/jdk/src/java.rmi/share/classes/java/rmi/MarshalledObject.java Sun Oct 09 14:38:30 2016 +0300 +++ b/jdk/src/java.rmi/share/classes/java/rmi/MarshalledObject.java Wed Oct 12 12:56:35 2016 -0400 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,11 +29,15 @@ import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; +import java.io.ObjectInputFilter; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; import java.io.ObjectStreamConstants; import java.io.OutputStream; import java.io.Serializable; +import java.security.AccessController; +import java.security.PrivilegedAction; + import sun.rmi.server.MarshalInputStream; import sun.rmi.server.MarshalOutputStream; @@ -90,6 +94,9 @@ */ private int hash; + /** Filter used when creating the instance from a stream; may be null. */ + private transient ObjectInputFilter objectInputFilter = null; + /** Indicate compatibility with 1.2 version of class. */ private static final long serialVersionUID = 8988374069173025854L; @@ -133,9 +140,25 @@ } /** + * Reads in the state of the object and saves the stream's + * serialization filter to be used when the object is deserialized. + * + * @param stream the stream + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a class cannot be found + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); // read in all fields + objectInputFilter = stream.getObjectInputFilter(); + } + + /** * Returns a new copy of the contained marshalledobject. The internal * representation is deserialized with the semantics used for * unmarshaling parameters for RMI calls. + * If the MarshalledObject was read from an ObjectInputStream, + * the filter from that stream is used to deserialize the object. * * @return a copy of the contained object * @exception IOException if an <code>IOException</code> occurs while @@ -155,7 +178,7 @@ ByteArrayInputStream lin = (locBytes == null ? null : new ByteArrayInputStream(locBytes)); MarshalledObjectInputStream in = - new MarshalledObjectInputStream(bin, lin); + new MarshalledObjectInputStream(bin, lin, objectInputFilter); @SuppressWarnings("unchecked") T obj = (T) in.readObject(); in.close(); @@ -295,11 +318,21 @@ * <code>null</code>, then all annotations will be * <code>null</code>. */ - MarshalledObjectInputStream(InputStream objIn, InputStream locIn) + MarshalledObjectInputStream(InputStream objIn, InputStream locIn, + ObjectInputFilter filter) throws IOException { super(objIn); this.locIn = (locIn == null ? null : new ObjectInputStream(locIn)); + if (filter != null) { + AccessController.doPrivileged((PrivilegedAction<Void>) () -> { + MarshalledObjectInputStream.this.setObjectInputFilter(filter); + if (MarshalledObjectInputStream.this.locIn != null) { + MarshalledObjectInputStream.this.locIn.setObjectInputFilter(filter); + } + return null; + }); + } } /**
--- a/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java Sun Oct 09 14:38:30 2016 +0300 +++ b/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java Wed Oct 12 12:56:35 2016 -0400 @@ -25,8 +25,12 @@ package sun.rmi.registry; +import java.io.ObjectInputFilter; import java.nio.file.Path; import java.nio.file.Paths; +import java.rmi.server.LogStream; +import java.security.PrivilegedAction; +import java.security.Security; import java.util.ArrayList; import java.util.Enumeration; import java.util.Hashtable; @@ -39,7 +43,6 @@ import java.net.*; import java.rmi.*; import java.rmi.server.ObjID; -import java.rmi.server.RemoteServer; import java.rmi.server.ServerNotActiveException; import java.rmi.registry.Registry; import java.rmi.server.RMIClientSocketFactory; @@ -54,12 +57,12 @@ import java.security.Permissions; import java.security.ProtectionDomain; import java.text.MessageFormat; -import sun.rmi.server.LoaderHandler; + +import sun.rmi.runtime.Log; +import sun.rmi.server.UnicastRef; import sun.rmi.server.UnicastServerRef; import sun.rmi.server.UnicastServerRef2; import sun.rmi.transport.LiveRef; -import sun.rmi.transport.ObjectTable; -import sun.rmi.transport.Target; /** * A "registry" exists on every node that allows RMI connections to @@ -91,6 +94,48 @@ private static ResourceBundle resources = null; /** + * Property name of the RMI Registry serial filter to augment + * the built-in list of allowed types. + * Setting the property in the {@code conf/security/java.security} file + * will enable the augmented filter. + */ + private static final String REGISTRY_FILTER_PROPNAME = "sun.rmi.registry.registryFilter"; + + /** Registry max depth of remote invocations. **/ + private static int REGISTRY_MAX_DEPTH = 5; + + /** Registry maximum array size in remote invocations. **/ + private static int REGISTRY_MAX_ARRAY_SIZE = 10000; + + /** + * The registryFilter created from the value of the {@code "sun.rmi.registry.registryFilter"} + * property. + */ + private static final ObjectInputFilter registryFilter = + AccessController.doPrivileged((PrivilegedAction<ObjectInputFilter>)RegistryImpl::initRegistryFilter); + + /** + * Initialize the registryFilter from the security properties or system property; if any + * @return an ObjectInputFilter, or null + */ + @SuppressWarnings("deprecation") + private static ObjectInputFilter initRegistryFilter() { + ObjectInputFilter filter = null; + String props = System.getProperty(REGISTRY_FILTER_PROPNAME); + if (props == null) { + props = Security.getProperty(REGISTRY_FILTER_PROPNAME); + } + if (props != null) { + filter = ObjectInputFilter.Config.createFilter(props); + Log regLog = Log.getLog("sun.rmi.registry", "registry", -1); + if (regLog.isLoggable(Log.BRIEF)) { + regLog.log(Log.BRIEF, "registryFilter = " + filter); + } + } + return filter; + } + + /** * Construct a new RegistryImpl on the specified port with the * given custom socket factory pair. */ @@ -105,7 +150,7 @@ AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() { public Void run() throws RemoteException { LiveRef lref = new LiveRef(id, port, csf, ssf); - setup(new UnicastServerRef2(lref)); + setup(new UnicastServerRef2(lref, RegistryImpl::registryFilter)); return null; } }, null, new SocketPermission("localhost:"+port, "listen,accept")); @@ -114,7 +159,7 @@ } } else { LiveRef lref = new LiveRef(id, port, csf, ssf); - setup(new UnicastServerRef2(lref)); + setup(new UnicastServerRef2(lref, RegistryImpl::registryFilter)); } } @@ -130,7 +175,7 @@ AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() { public Void run() throws RemoteException { LiveRef lref = new LiveRef(id, port); - setup(new UnicastServerRef(lref)); + setup(new UnicastServerRef(lref, RegistryImpl::registryFilter)); return null; } }, null, new SocketPermission("localhost:"+port, "listen,accept")); @@ -139,7 +184,7 @@ } } else { LiveRef lref = new LiveRef(id, port); - setup(new UnicastServerRef(lref)); + setup(new UnicastServerRef(lref, RegistryImpl::registryFilter)); } } @@ -362,6 +407,60 @@ } /** + * ObjectInputFilter to filter Registry input objects. + * The list of acceptable classes is limited to classes normally + * stored in a registry. + * + * @param filterInfo access to the class, array length, etc. + * @return {@link ObjectInputFilter.Status#ALLOWED} if allowed, + * {@link ObjectInputFilter.Status#REJECTED} if rejected, + * otherwise {@link ObjectInputFilter.Status#UNDECIDED} + */ + private static ObjectInputFilter.Status registryFilter(ObjectInputFilter.FilterInfo filterInfo) { + if (registryFilter != null) { + ObjectInputFilter.Status status = registryFilter.checkInput(filterInfo); + if (status != ObjectInputFilter.Status.UNDECIDED) { + // The Registry filter can override the built-in white-list + return status; + } + } + + if (filterInfo.depth() > REGISTRY_MAX_DEPTH) { + return ObjectInputFilter.Status.REJECTED; + } + Class<?> clazz = filterInfo.serialClass(); + if (clazz != null) { + if (clazz.isArray()) { + if (filterInfo.arrayLength() >= 0 && filterInfo.arrayLength() > REGISTRY_MAX_ARRAY_SIZE) { + return ObjectInputFilter.Status.REJECTED; + } + do { + // Arrays are allowed depending on the component type + clazz = clazz.getComponentType(); + } while (clazz.isArray()); + } + if (clazz.isPrimitive()) { + // Arrays of primitives are allowed + return ObjectInputFilter.Status.ALLOWED; + } + if (String.class == clazz + || java.lang.Number.class.isAssignableFrom(clazz) + || Remote.class.isAssignableFrom(clazz) + || java.lang.reflect.Proxy.class.isAssignableFrom(clazz) + || UnicastRef.class.isAssignableFrom(clazz) + || RMIClientSocketFactory.class.isAssignableFrom(clazz) + || RMIServerSocketFactory.class.isAssignableFrom(clazz) + || java.rmi.activation.ActivationID.class.isAssignableFrom(clazz) + || java.rmi.server.UID.class.isAssignableFrom(clazz)) { + return ObjectInputFilter.Status.ALLOWED; + } else { + return ObjectInputFilter.Status.REJECTED; + } + } + return ObjectInputFilter.Status.UNDECIDED; + } + + /** * Return a new RegistryImpl on the requested port and export it to serve * registry requests. A classloader is initialized from the system property * "env.class.path" and a security manager is set unless one is already set.
--- a/jdk/src/java.rmi/share/classes/sun/rmi/runtime/Log.java Sun Oct 09 14:38:30 2016 +0300 +++ b/jdk/src/java.rmi/share/classes/sun/rmi/runtime/Log.java Wed Oct 12 12:56:35 2016 -0400 @@ -232,6 +232,11 @@ } } + public String toString() { + return logger.toString() + ", level: " + logger.getLevel() + + ", name: " + logger.getName(); + } + /** * Set the output stream associated with the RMI server call * logger.
--- a/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl.java Sun Oct 09 14:38:30 2016 +0300 +++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl.java Wed Oct 12 12:56:35 2016 -0400 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -24,6 +24,7 @@ */ package sun.rmi.transport; +import java.io.ObjectInputFilter; import java.net.SocketPermission; import java.rmi.Remote; import java.rmi.RemoteException; @@ -34,11 +35,13 @@ import java.rmi.server.ObjID; import java.rmi.server.RemoteServer; import java.rmi.server.ServerNotActiveException; +import java.rmi.server.UID; import java.security.AccessControlContext; import java.security.AccessController; import java.security.Permissions; import java.security.PrivilegedAction; import java.security.ProtectionDomain; +import java.security.Security; import java.util.ArrayList; import java.util.HashSet; import java.util.HashMap; @@ -100,6 +103,46 @@ } /** + * Property name of the DGC serial filter to augment + * the built-in list of allowed types. + * Setting the property in the {@code conf/security/java.security} file + * or system property will enable the augmented filter. + */ + private static final String DGC_FILTER_PROPNAME = "sun.rmi.transport.dgcFilter"; + + /** Registry max depth of remote invocations. **/ + private static int DGC_MAX_DEPTH = 5; + + /** Registry maximum array size in remote invocations. **/ + private static int DGC_MAX_ARRAY_SIZE = 10000; + + /** + * The dgcFilter created from the value of the {@code "sun.rmi.transport.dgcFilter"} + * property. + */ + private static final ObjectInputFilter dgcFilter = + AccessController.doPrivileged((PrivilegedAction<ObjectInputFilter>)DGCImpl::initDgcFilter); + + /** + * Initialize the dgcFilter from the security properties or system property; if any + * @return an ObjectInputFilter, or null + */ + private static ObjectInputFilter initDgcFilter() { + ObjectInputFilter filter = null; + String props = System.getProperty(DGC_FILTER_PROPNAME); + if (props == null) { + props = Security.getProperty(DGC_FILTER_PROPNAME); + } + if (props != null) { + filter = ObjectInputFilter.Config.createFilter(props); + if (dgcLog.isLoggable(Log.BRIEF)) { + dgcLog.log(Log.BRIEF, "dgcFilter = " + filter); + } + } + return filter; + } + + /** * Construct a new server-side remote object collector at * a particular port. Disallow construction from outside. */ @@ -293,7 +336,8 @@ dgc = new DGCImpl(); ObjID dgcID = new ObjID(ObjID.DGC_ID); LiveRef ref = new LiveRef(dgcID, 0); - UnicastServerRef disp = new UnicastServerRef(ref); + UnicastServerRef disp = new UnicastServerRef(ref, + DGCImpl::checkInput); Remote stub = Util.createProxy(DGCImpl.class, new UnicastRef(ref), true); @@ -324,6 +368,53 @@ }); } + /** + * ObjectInputFilter to filter DGC input objects. + * The list of acceptable classes is very short and explicit. + * The depth and array sizes are limited. + * + * @param filterInfo access to class, arrayLength, etc. + * @return {@link ObjectInputFilter.Status#ALLOWED} if allowed, + * {@link ObjectInputFilter.Status#REJECTED} if rejected, + * otherwise {@link ObjectInputFilter.Status#UNDECIDED} + */ + private static ObjectInputFilter.Status checkInput(ObjectInputFilter.FilterInfo filterInfo) { + if (dgcFilter != null) { + ObjectInputFilter.Status status = dgcFilter.checkInput(filterInfo); + if (status != ObjectInputFilter.Status.UNDECIDED) { + // The DGC filter can override the built-in white-list + return status; + } + } + + if (filterInfo.depth() > DGC_MAX_DEPTH) { + return ObjectInputFilter.Status.REJECTED; + } + Class<?> clazz = filterInfo.serialClass(); + if (clazz != null) { + while (clazz.isArray()) { + if (filterInfo.arrayLength() >= 0 && filterInfo.arrayLength() > DGC_MAX_ARRAY_SIZE) { + return ObjectInputFilter.Status.REJECTED; + } + // Arrays are allowed depending on the component type + clazz = clazz.getComponentType(); + } + if (clazz.isPrimitive()) { + // Arrays of primitives are allowed + return ObjectInputFilter.Status.ALLOWED; + } + return (clazz == ObjID.class || + clazz == UID.class || + clazz == VMID.class || + clazz == Lease.class) + ? ObjectInputFilter.Status.ALLOWED + : ObjectInputFilter.Status.REJECTED; + } + // Not a class, not size limited + return ObjectInputFilter.Status.UNDECIDED; + } + + private static class LeaseInfo { VMID vmid; long expiration;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/java/rmi/MarshalledObject/MOFilterTest.java Wed Oct 12 12:56:35 2016 -0400 @@ -0,0 +1,140 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InvalidClassException; +import java.io.ObjectInput; +import java.io.ObjectInputStream; +import java.io.ObjectInputFilter; +import java.io.ObjectOutputStream; +import java.io.Serializable; +import java.rmi.MarshalledObject; +import java.util.Objects; + + +import org.testng.Assert; +import org.testng.annotations.Test; +import org.testng.annotations.DataProvider; + +/* @test + * @run testng/othervm MOFilterTest + * + * @summary Test MarshalledObject applies ObjectInputFilter + */ +@Test +public class MOFilterTest { + + /** + * Two cases are tested. + * The filter = null and a filter set to verify the calls to the filter. + * @return array objects with test parameters for each test case + */ + @DataProvider(name = "FilterCases") + public static Object[][] filterCases() { + return new Object[][] { + {true}, // run the test with the filter + {false}, // run the test without the filter + + }; + } + + /** + * Test that MarshalledObject inherits the ObjectInputFilter from + * the stream it was deserialized from. + */ + @Test(dataProvider="FilterCases") + static void delegatesToMO(boolean withFilter) { + try { + Serializable testobj = Integer.valueOf(5); + MarshalledObject<Serializable> mo = new MarshalledObject<>(testobj); + Assert.assertEquals(mo.get(), testobj, "MarshalledObject.get returned a non-equals test object"); + + byte[] bytes = writeObjects(mo); + + try (ByteArrayInputStream bais = new ByteArrayInputStream(bytes); + ObjectInputStream ois = new ObjectInputStream(bais)) { + + CountingFilter filter1 = new CountingFilter(); + ois.setObjectInputFilter(withFilter ? filter1 : null); + MarshalledObject<?> actualMO = (MarshalledObject<?>)ois.readObject(); + int count = filter1.getCount(); + + actualMO.get(); + int expectedCount = withFilter ? count + 2 : count; + int actualCount = filter1.getCount(); + Assert.assertEquals(actualCount, expectedCount, "filter called wrong number of times during get()"); + } + } catch (IOException ioe) { + Assert.fail("Unexpected IOException", ioe); + } catch (ClassNotFoundException cnf) { + Assert.fail("Deserializing", cnf); + } + } + + /** + * Write objects and return a byte array with the bytes. + * + * @param objects zero or more objects to serialize + * @return the byte array of the serialized objects + * @throws IOException if an exception occurs + */ + static byte[] writeObjects(Object... objects) throws IOException { + byte[] bytes; + try (ByteArrayOutputStream baos = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(baos)) { + for (Object o : objects) { + oos.writeObject(o); + } + bytes = baos.toByteArray(); + } + return bytes; + } + + + static class CountingFilter implements ObjectInputFilter { + + private int count; // count of calls to the filter + + CountingFilter() { + count = 0; + } + + int getCount() { + return count; + } + + /** + * Filter that rejects class Integer and allows others + * + * @param filterInfo access to the class, arrayLength, etc. + * @return {@code STATUS.REJECTED} + */ + public ObjectInputFilter.Status checkInput(FilterInfo filterInfo) { + count++; + return ObjectInputFilter.Status.ALLOWED; + } + } + +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/java/rmi/registry/serialFilter/RegistryFilterTest.java Wed Oct 12 12:56:35 2016 -0400 @@ -0,0 +1,186 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.ObjectOutputStream; +import java.io.Serializable; + +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.rmi.MarshalledObject; +import java.rmi.NotBoundException; +import java.rmi.Remote; +import java.rmi.RemoteException; +import java.rmi.AlreadyBoundException; +import java.rmi.registry.LocateRegistry; +import java.rmi.registry.Registry; +import java.util.Objects; +import java.security.Security; + +import org.testng.Assert; +import org.testng.TestNG; +import org.testng.annotations.BeforeSuite; +import org.testng.annotations.DataProvider; +import org.testng.annotations.Test; + +/* + * @test + * @library /java/rmi/testlibrary + * @modules java.rmi/sun.rmi.registry + * java.rmi/sun.rmi.server + * java.rmi/sun.rmi.transport + * java.rmi/sun.rmi.transport.tcp + * @build TestLibrary + * @summary Test filters for the RMI Registry + * @run testng/othervm RegistryFilterTest + * @run testng/othervm + * -Dsun.rmi.registry.registryFilter=!java.lang.Long;!RegistryFilterTest$RejectableClass + * RegistryFilterTest + * @run testng/othervm/policy=security.policy + * -Djava.security.properties=${test.src}/java.security-extra1 + * RegistryFilterTest + */ +public class RegistryFilterTest { + private static Registry impl; + private static int port; + private static Registry registry; + + static final int REGISTRY_MAX_ARRAY = 10000; + + static final String registryFilter = + System.getProperty("sun.rmi.registry.registryFilter", + Security.getProperty("sun.rmi.registry.registryFilter")); + + @DataProvider(name = "bindAllowed") + static Object[][] bindAllowedObjects() { + Object[][] objects = { + }; + return objects; + } + + /** + * Data RMI Regiry bind test. + * - name + * - Object + * - true/false if object is blacklisted by a filter (implicit or explicit) + * @return array of test data + */ + @DataProvider(name = "bindData") + static Object[][] bindObjects() { + Object[][] data = { + { "byte[max]", new XX(new byte[REGISTRY_MAX_ARRAY]), false }, + { "String", new XX("now is the time"), false}, + { "String[]", new XX(new String[3]), false}, + { "Long[4]", new XX(new Long[4]), registryFilter != null }, + { "rej-byte[toobig]", new XX(new byte[REGISTRY_MAX_ARRAY + 1]), true }, + { "rej-MarshalledObject", createMarshalledObject(), true }, + { "rej-RejectableClass", new RejectableClass(), registryFilter != null}, + }; + return data; + } + + static XX createMarshalledObject() { + try { + return new XX(new MarshalledObject<>(null)); + } catch (IOException ioe) { + return new XX(ioe); + } + } + + @BeforeSuite + static void setupRegistry() { + try { + impl = TestLibrary.createRegistryOnEphemeralPort(); + port = TestLibrary.getRegistryPort(impl); + registry = LocateRegistry.getRegistry("localhost", port); + } catch (RemoteException ex) { + Assert.fail("initialization of registry", ex); + } + + System.out.printf("RMI Registry filter: %s%n", registryFilter); + } + + + /* + * Test registry rejects an object with the max array size + 1. + */ + @Test(dataProvider="bindData") + public void simpleBind(String name, Remote obj, boolean blacklisted) throws RemoteException, AlreadyBoundException, NotBoundException { + try { + registry.bind(name, obj); + Assert.assertFalse(blacklisted, "Registry filter did not reject (but should have) "); + registry.unbind(name); + } catch (Exception rex) { + Assert.assertTrue(blacklisted, "Registry filter should not have rejected"); + } + } + + /* + * Test registry rejects an object with a well known class + * if blacklisted in the security properties. + */ + @Test + public void simpleRejectableClass() throws RemoteException, AlreadyBoundException, NotBoundException { + RejectableClass r1 = null; + try { + String name = "reject1"; + r1 = new RejectableClass(); + registry.bind(name, r1); + registry.unbind(name); + Assert.assertNull(registryFilter, "Registry filter should not have rejected"); + } catch (Exception rex) { + Assert.assertNotNull(registryFilter, "Registry filter should have rejected"); + } + } + + /** + * A simple Serializable Remote object that is passed by value. + * It and its contents are checked by the Registry serial filter. + */ + static class XX implements Serializable, Remote { + private static final long serialVersionUID = 362498820763181265L; + + final Object obj; + + XX(Object obj) { + this.obj = obj; + } + + public String toString() { + return super.toString() + "//" + Objects.toString(obj); + } + } + /** + * A simple Serializable Remote object that is passed by value. + * It and its contents are checked by the Registry serial filter. + */ + static class RejectableClass implements Serializable, Remote { + private static final long serialVersionUID = 362498820763181264L; + + RejectableClass() {} + } + +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/java/rmi/registry/serialFilter/java.security-extra1 Wed Oct 12 12:56:35 2016 -0400 @@ -0,0 +1,9 @@ +# RMI Registry Input Serial Filter +# +# The filter pattern uses the same format as java.io.ObjectInputStream.serialFilter. +# This filter can override the builtin filter if additional types need to be +# allowed or rejected from the RMI Registry. +# +#sun.rmi.registry.registryFilter=pattern,pattern +sun.rmi.registry.registryFilter=!java.lang.Long;!RegistryFilterTest$RejectableClass +