[MGNLCACHE-165] CacheEndpoint is potentially vulnerable to RCE Created: 27/Feb/17  Updated: 09/Aug/23  Resolved: 28/Feb/17

Status: Closed
Project: Cache Modules
Component/s: cache browser
Affects Version/s: 5.5.2
Fix Version/s: 5.5.3

Type: Bug Priority: Critical
Reporter: Ilgun Ilgun Assignee: Ilgun Ilgun
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
dependency
documentation
to be documented by MGNLCACHE-314 DOCS: Describe how to configure white... Open
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Sprint: Basel 85
Story Points: 8

Description

As described in MAGNOLIA-6900, our CacheEndpoint is vulnerable to RCE through JSON-to-object deserialization; specifically the /delete and /download methods are affected.
They expect a cacheKey query parameter given as a JSON string (containing type information), which is deserialized by the json-io library.

This is highly mitigated by the fact that anonymous access to /.rest* is denied out of the box, but it may still be exploited CSRF-style.

This issue proposes implementing a custom java.lang.ClassLoader and passing it to com.cedarsoftware.util.io.JsonReader at deserialization time. That gives us the ability to stop an attack at the point where the endpoint is asked to deserialize an unwanted class. The whitelist is made configurable in JCR: the user only has to populate the classes that the endpoint may deserialize via info.magnolia.cache.browser.CacheBrowserAppModule, and the custom ClassLoader handles the rest (checking whether a requested class should be rejected or loaded).
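The following is an added illustration of the whitelist-aware class loader idea described above; it is example code, not Magnolia's WhitelistAwareClassLoader or any code from the cache module. The class name, the allowed-prefix rule and the sample class names are assumptions, and the json-io hookup in the comment assumes the CLASSLOADER option of the json-io 4.x JsonReader API.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Example allow-list class loader (added example, not the module's own code).
 * It intercepts every class resolution requested during deserialization and
 * refuses any class that is neither named explicitly nor in a trusted package.
 */
public class AllowListClassLoader extends ClassLoader {

    // Exact class names the endpoint is allowed to materialise from JSON
    // (in Magnolia this list would come from the JCR configuration).
    private final Set<String> allowedClasses;

    // Package prefixes trusted by default, e.g. "java." and "javax.".
    private final List<String> allowedPrefixes;

    public AllowListClassLoader(ClassLoader parent, Set<String> allowedClasses, List<String> allowedPrefixes) {
        super(parent);
        this.allowedClasses = Collections.unmodifiableSet(new HashSet<>(allowedClasses));
        this.allowedPrefixes = Collections.unmodifiableList(allowedPrefixes);
    }

    /** True when the class name passes the allow-list; no class is loaded here. */
    public boolean isAllowed(String className) {
        if (allowedClasses.contains(className)) {
            return true;
        }
        for (String prefix : allowedPrefixes) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Overriding loadClass (rather than findClass) means the check runs before
     * parent delegation, so JDK classes such as java.util.LinkedHashMap are
     * checked too. That is why a prefix rule for "java." is needed at all.
     */
    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        if (!isAllowed(name)) {
            throw new ClassNotFoundException("Serialisation is blocked: class '" + name
                    + "' is not whitelisted; whitelisted classes are " + allowedClasses
                    + " and trusted prefixes are " + allowedPrefixes);
        }
        return super.loadClass(name, resolve);
    }

    public static void main(String[] args) {
        AllowListClassLoader loader = new AllowListClassLoader(
                AllowListClassLoader.class.getClassLoader(),
                // constructed sample: the one application class the endpoint should accept
                Collections.singleton("info.magnolia.module.cache.cachekey.DefaultCacheKey"),
                Arrays.asList("java.", "javax."));

        // Decision-only checks (no class is loaded, so the sample names need not exist).
        System.out.println(loader.isAllowed("info.magnolia.module.cache.cachekey.DefaultCacheKey")); // true
        System.out.println(loader.isAllowed("java.util.LinkedHashMap"));                             // true
        System.out.println(loader.isAllowed("com.example.NotWhitelisted"));                           // false

        // Real loads through the loader: one JDK class passes, one constructed name is rejected.
        try {
            Class<?> allowed = Class.forName("java.util.LinkedHashMap", false, loader);
            System.out.println("loaded " + allowed.getName());
            Class.forName("com.example.NotWhitelisted", false, loader);
        } catch (ClassNotFoundException e) {
            System.out.println(e.getMessage());
        }

        // Hooking the loader into json-io (assumed from the json-io 4.x API, not run here):
        //   Map<String, Object> readerArgs = new HashMap<>();
        //   readerArgs.put(JsonReader.CLASSLOADER, loader);
        //   Object cacheKey = JsonReader.jsonToJava(cacheKeyJson, readerArgs);
    }
}
```

The prefix rule is deliberately coarse: it trusts every class under java. and javax., which is far broader than the exact-name list, so the exact list should stay as small as the endpoint's actual cache key types require and the prefixes should not be widened to vendor-internal packages.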



Comments
Comment by Maxime Michel [ 28/Feb/17 ]

Reopened as this is what I got when I tried to download cached content in the browser:

2017-02-28 13:25:10,435 INFO  he.browser.rest.endpoint.WhitelistAwareClassLoader: Serialisation is blocked due to the given class: 'java.util.LinkedHashMap' is not whitelisted and currently whitelisted classes are: '[info.magnolia.module.cache.cachekey.DefaultCacheKey]'
Comment by Jan Haderka [ 28/Feb/17 ]

ha, in the original PR I was whitelisting everything from java. and javax. packages by default w/o making it configurable. you might want to do same

Comment by Ilgun Ilgun [ 28/Feb/17 ]

Indeed, doing it now. Also com.sun? WDYT?

Comment by Jan Haderka [ 28/Feb/17 ]

I would not. Let's stick to the official APIs.

Comment by Ilgun Ilgun [ 28/Feb/17 ]

We need the functionality to like comments here.

Generated at Sun Feb 11 23:52:50 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.