feat:增加dubbo-hessian2安全加固demo & 优化jackson

Author: threedr3am

README.md

@@ -13,6 +13,9 @@ package：com.threedr3am.bug.jackson
 3. com.threedr3am.bug.dubbo.XBeanPoc 利用条件：存在org.apache.xbean:xbean-naming依赖
 4. com.threedr3am.bug.dubbo.SpringAbstractBeanFactoryPointcutAdvisorPoc 利用条件：存在org.springframework:spring-aop依赖
 
+### dubbo/dubbo-hessian2-safe-reinforcement
+dubbo hessian2安全加固demo，使用黑名单方式禁止部分gadget
+
 ### padding-oracle-cbc
 1. com.threedr3am.bug.paddingoraclecbc.PaddingOracle ```padding oracle java实现（多组密文实现）```
 2. com.threedr3am.bug.paddingoraclecbc.PaddingOracleCBC ```padding oracle cbc java实现（单组 <= 16bytes 密文实现）```

dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/pom.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <artifactId>dubbo-hessian2-safe-reinforcement</artifactId>
+    <groupId>com.threedr3am</groupId>
+    <version>1.0-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>learn-dubbo-client-boot</artifactId>
+  <version>0.0.1-SNAPSHOT</version>
+  <name>learn-dubbo-client-boot</name>
+  <description>Demo project for Spring Boot</description>
+
+  <properties>
+    <java.version>1.8</java.version>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>com.threedr3am</groupId>
+      <artifactId>learn-dubbo-server-boot</artifactId>
+      <version>0.0.1-SNAPSHOT</version>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-maven-plugin</artifactId>
+      </plugin>
+    </plugins>
+  </build>
+
+</project>

dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/main/java/com/threedr3am/learn/client/boot/LearnDubboClientBootApplication.java

@@ -0,0 +1,13 @@
+package com.threedr3am.learn.client.boot;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class LearnDubboClientBootApplication {
+
+  public static void main(String[] args) {
+    SpringApplication.run(LearnDubboClientBootApplication.class, args);
+  }
+
+}

dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/main/java/com/threedr3am/learn/client/boot/Test.java

@@ -0,0 +1,34 @@
+package com.threedr3am.learn.client.boot;
+
+import com.threedr3am.learn.server.boot.A;
+import com.threedr3am.learn.server.boot.DemoService;
+import java.sql.SQLException;
+import javax.annotation.PostConstruct;
+import org.apache.dubbo.config.annotation.Reference;
+import org.springframework.stereotype.Service;
+
+/**
+ * @author xuanyh
+ */
+@Service
+public class Test {
+
+  @Reference(version = "1.0")
+  private DemoService demoService;
+
+  @PostConstruct
+  private void init() throws SQLException {
+    A a = new A();
+    a.setName("xuanyh");
+    new Thread(() -> {
+      while (true) {
+        System.out.println(demoService.hello(a));
+        try {
+          Thread.currentThread().sleep(5000);
+        } catch (InterruptedException e) {
+          e.printStackTrace();
+        }
+      }
+    }).start();
+  }
+}

dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/main/java/com/threedr3am/learn/serialize/MyHessian2Input.java

@@ -0,0 +1,51 @@
+package com.threedr3am.learn.serialize;
+
+import com.alibaba.com.caucho.hessian.io.Hessian2Input;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.Field;
+import java.util.List;
+
+/**
+ * @author xuanyh
+ */
+public class MyHessian2Input extends Hessian2Input {
+
+  /**
+   * Creates a new Hessian input stream, initialized with an underlying input stream.
+   *
+   * @param is the underlying input stream.
+   */
+  public MyHessian2Input(InputStream is) {
+    super(is);
+  }
+
+  @Override
+  public Object readObject(Class cl) throws IOException {
+    return super.readObject(cl);
+  }
+
+  @Override
+  public Object readObject(Class expectedClass, Class<?>... expectedTypes) throws IOException {
+    return super.readObject(expectedClass, expectedTypes);
+  }
+
+  @Override
+  public Object readObject() throws IOException {
+    return super.readObject();
+  }
+
+  @Override
+  public Object readObject(List<Class<?>> expectedTypes) throws IOException {
+    return super.readObject(expectedTypes);
+  }
+
+  void checkClassDef() {
+    if (_classDefs.isEmpty())
+      return;
+    for (Object c : _classDefs) {
+      Field[] fields = c.getClass().getDeclaredFields();
+      System.out.println();
+    }
+  }
+}

dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/main/java/com/threedr3am/learn/serialize/MyHessian2ObjectInput.java

@@ -0,0 +1,98 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.threedr3am.learn.serialize;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.Type;
+import org.apache.dubbo.common.serialize.ObjectInput;
+import org.apache.dubbo.common.serialize.hessian2.Hessian2SerializerFactory;
+
+/**
+ * Hessian2 object input implementation
+ */
+public class MyHessian2ObjectInput implements ObjectInput {
+    private final MyHessian2Input mH2i;
+
+    public MyHessian2ObjectInput(InputStream is) {
+        mH2i = new MyHessian2Input(is);
+        mH2i.setSerializerFactory(Hessian2SerializerFactory.SERIALIZER_FACTORY);
+    }
+
+    @Override
+    public boolean readBool() throws IOException {
+        return mH2i.readBoolean();
+    }
+
+    @Override
+    public byte readByte() throws IOException {
+        return (byte) mH2i.readInt();
+    }
+
+    @Override
+    public short readShort() throws IOException {
+        return (short) mH2i.readInt();
+    }
+
+    @Override
+    public int readInt() throws IOException {
+        return mH2i.readInt();
+    }
+
+    @Override
+    public long readLong() throws IOException {
+        return mH2i.readLong();
+    }
+
+    @Override
+    public float readFloat() throws IOException {
+        return (float) mH2i.readDouble();
+    }
+
+    @Override
+    public double readDouble() throws IOException {
+        return mH2i.readDouble();
+    }
+
+    @Override
+    public byte[] readBytes() throws IOException {
+        return mH2i.readBytes();
+    }
+
+    @Override
+    public String readUTF() throws IOException {
+        return mH2i.readString();
+    }
+
+    @Override
+    public Object readObject() throws IOException {
+        return mH2i.readObject();
+    }
+
+    @Override
+    @SuppressWarnings("unchecked")
+    public <T> T readObject(Class<T> cls) throws IOException,
+            ClassNotFoundException {
+        return (T) mH2i.readObject(cls);
+    }
+
+    @Override
+    public <T> T readObject(Class<T> cls, Type type) throws IOException, ClassNotFoundException {
+        return readObject(cls);
+    }
+
+}

dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/main/java/com/threedr3am/learn/serialize/MyHessian2Serialization.java

@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.threedr3am.learn.serialize;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import org.apache.dubbo.common.URL;
+import org.apache.dubbo.common.serialize.ObjectInput;
+import org.apache.dubbo.common.serialize.ObjectOutput;
+import org.apache.dubbo.common.serialize.Serialization;
+import org.apache.dubbo.common.serialize.hessian2.Hessian2ObjectOutput;
+
+/**
+ * Hessian2 serialization implementation, hessian2 is the default serialization protocol for dubbo
+ *
+ * <pre>
+ *     e.g. &lt;dubbo:protocol serialization="hessian2" /&gt;
+ * </pre>
+ */
+public class MyHessian2Serialization implements Serialization {
+
+    @Override
+    public byte getContentTypeId() {
+        return 22;
+    }
+
+    @Override
+    public String getContentType() {
+        return "x-application/hessian2";
+    }
+
+    @Override
+    public ObjectOutput serialize(URL url, OutputStream out) throws IOException {
+        return new Hessian2ObjectOutput(out);
+    }
+
+    @Override
+    public ObjectInput deserialize(URL url, InputStream is) throws IOException {
+        return new MyHessian2ObjectInput(is);
+    }
+
+}

dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/main/resources/META-INF/dubbo/org.apache.dubbo.common.serialize.Serialization

@@ -0,0 +1 @@
+MyHessian2=com.threedr3am.learn.serialize.MyHessian2Serialization

dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/main/resources/application.properties

@@ -0,0 +1,20 @@
+spring.application.name=dubbo-consumer
+server.port=9990
+spring.main.allow-bean-definition-overriding=true
+
+# Dubbo Application
+# The default value of dubbo.application.name is ${spring.application.name}
+# dubbo.application.name=${spring.application.name}
+
+# 扫描dubbo服务(@Service.. @Reference..)
+dubbo.scan.basePackages=com.threedr3am.learn.client.boot
+
+# 注册中心
+dubbo.registry.id=dubboRegistry
+dubbo.registry.timeout=5000
+dubbo.registry.address=zookeeper://127.0.0.1:2181
+dubbo.registry.client=curator
+# 元数据地址
+dubbo.metadata-report.address=zookeeper://127.0.0.1:2181
+
+

dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/test/java/com/threedr3am/learn/client/boot/LearnDubboClientBootApplicationTests.java

@@ -0,0 +1,16 @@
+package com.threedr3am.learn.client.boot;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.junit4.SpringRunner;
+
+//@RunWith(SpringRunner.class)
+//@SpringBootTest
+public class LearnDubboClientBootApplicationTests {
+
+  @Test
+  public void contextLoads() {
+  }
+
+}