  1. ActiveMQ
  2. AMQ-8097

Harden deserialization block xstream ack processing


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.16.0, 5.15.13
    • Fix Version/s: 5.17.0, 5.16.1, 5.15.15
    • Component/s: Broker
    • Labels:
      None

      Description

      Since we improved serialization security (see AMQ-7438), when a message has to be loaded from the store and the message is XStream-serialized, it fails with:

      2020-12-04 16:42:26,107 | WARN  | / | org.eclipse.jetty.server.HttpChannel | qtp1987354705-137568
      com.thoughtworks.xstream.converters.ConversionException: 
      ---- Debugging information ----
      cause-exception     : com.thoughtworks.xstream.security.ForbiddenClassException
      cause-message       : java.lang.StackTraceElement
      class               : [Ljava.lang.StackTraceElement;
      required-type       : [Ljava.lang.StackTraceElement;
      converter-type      : com.thoughtworks.xstream.converters.collections.ArrayConverter
      path                : /org.apache.activemq.command.MessageAck/poisonCause/stackTrace/trace
      line number         : 28
      class[1]            : java.lang.Throwable
      required-type[1]    : java.lang.Throwable
      converter-type[1]   : com.thoughtworks.xstream.converters.extended.ThrowableConverter
      class[2]            : org.apache.activemq.command.MessageAck
      required-type[2]    : org.apache.activemq.command.MessageAck
      converter-type[2]   : com.thoughtworks.xstream.converters.reflection.ReflectionConverter
      version             : 1.4.11.1
      -------------------------------
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:77)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:499)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:425)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.extended.ThrowableConverter.unmarshal(ThrowableConverter.java:70)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:499)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:425)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1487)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1467)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1338)[xstream-1.4.11.1.jar:1.4.11.1]
      	at org.apache.activemq.transport.xstream.XStreamWireFormat.unmarshalText(XStreamWireFormat.java:71)[activemq-http-5.15.13.jar:5.15.13]
      	at org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)[activemq-http-5.15.13.jar:5.15.13]
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:763)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:551)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1363)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:489)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1278)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.Server.handle(Server.java:500)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at java.lang.Thread.run(Unknown Source)[:1.8.0_181] 
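
A small triage helper for log entries like the one above, added here as an example (not part of the issue or of ActiveMQ's code): it parses the XStream debugging block and reports which type the security framework rejected, where it sits in the object graph, and the first non-XStream frame that called the unmarshaller. The function names and the abridged `SAMPLE_LOG` are constructed for illustration.

```python
import re

# Constructed sample: an abridged copy of the log entry quoted above.
SAMPLE_LOG = """\
com.thoughtworks.xstream.converters.ConversionException: 
---- Debugging information ----
cause-exception     : com.thoughtworks.xstream.security.ForbiddenClassException
cause-message       : java.lang.StackTraceElement
path                : /org.apache.activemq.command.MessageAck/poisonCause/stackTrace/trace
line number         : 28
version             : 1.4.11.1
-------------------------------
\tat com.thoughtworks.xstream.XStream.fromXML(XStream.java:1338)[xstream-1.4.11.1.jar:1.4.11.1]
\tat org.apache.activemq.transport.xstream.XStreamWireFormat.unmarshalText(XStreamWireFormat.java:71)[activemq-http-5.15.13.jar:5.15.13]
\tat org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)[activemq-http-5.15.13.jar:5.15.13]
"""

FIELD = re.compile(r"^\s*(\S.*?)\s*:\s*(.*?)\s*$")   # "key   : value" rows of the block
FRAME = re.compile(r"^\s*at\s+([\w.$]+)\(")           # "at pkg.Class.method(" frames

def parse_blocks(log_text):
    """Yield one dict per XStream 'Debugging information' block, with its stack frames."""
    block, in_fields = None, False
    for line in log_text.splitlines():
        if "---- Debugging information ----" in line:
            if block is not None:
                yield block
            block, in_fields = {"frames": []}, True
        elif in_fields:
            if line.strip().startswith("----"):
                in_fields = False                     # closing rule; frames follow
            elif (m := FIELD.match(line)):
                block[m.group(1)] = m.group(2)
        elif block is not None:
            if (m := FRAME.match(line)):
                block["frames"].append(m.group(1))
            else:                                     # first non-frame line ends the entry
                yield block
                block = None
    if block is not None:
        yield block

def triage(block):
    """Summarise a type rejected by XStream's security framework, or None for other errors."""
    if not block.get("cause-exception", "").endswith("ForbiddenClassException"):
        return None
    parts = block.get("path", "").split("/")
    return {
        "forbidden_type": block.get("cause-message"),
        "root_type": parts[1] if len(parts) > 1 else None,
        "field_path": "/".join(parts[2:]),
        "entry_point": next((f for f in block["frames"]
                             if not f.startswith("com.thoughtworks.xstream.")), None),
        "xstream_version": block.get("version"),
    }
```

For the entry above, the summary shows the rejected type nested under the `poisonCause` field of `MessageAck`, reached through `XStreamWireFormat.unmarshalText`.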

            People

            • Assignee:
              jbonofre Jean-Baptiste Onofré
              Reporter:
              jbonofre Jean-Baptiste Onofré

                Time Tracking

                Estimated: Not Specified
                Remaining: 0h
                Logged: 1h 40m
