  1. ActiveMQ Classic
  2. AMQ-8097

Harden deserialization block xstream ack processing


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.16.0, 5.15.13
    • Fix Version/s: 5.16.1, 5.15.15, 5.17.0
    • Component/s: Broker
    • Labels: None

    Description

      Since we improved serialization security (see AMQ-7438), when a message has to be loaded from the store and the message is XStream-serialized, it fails with:

      2020-12-04 16:42:26,107 | WARN  | / | org.eclipse.jetty.server.HttpChannel | qtp1987354705-137568
      com.thoughtworks.xstream.converters.ConversionException: 
      ---- Debugging information ----
      cause-exception     : com.thoughtworks.xstream.security.ForbiddenClassException
      cause-message       : java.lang.StackTraceElement
      class               : [Ljava.lang.StackTraceElement;
      required-type       : [Ljava.lang.StackTraceElement;
      converter-type      : com.thoughtworks.xstream.converters.collections.ArrayConverter
      path                : /org.apache.activemq.command.MessageAck/poisonCause/stackTrace/trace
      line number         : 28
      class[1]            : java.lang.Throwable
      required-type[1]    : java.lang.Throwable
      converter-type[1]   : com.thoughtworks.xstream.converters.extended.ThrowableConverter
      class[2]            : org.apache.activemq.command.MessageAck
      required-type[2]    : org.apache.activemq.command.MessageAck
      converter-type[2]   : com.thoughtworks.xstream.converters.reflection.ReflectionConverter
      version             : 1.4.11.1
      -------------------------------
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:77)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:499)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:425)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.extended.ThrowableConverter.unmarshal(ThrowableConverter.java:70)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:499)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:425)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1487)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1467)[xstream-1.4.11.1.jar:1.4.11.1]
      	at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1338)[xstream-1.4.11.1.jar:1.4.11.1]
      	at org.apache.activemq.transport.xstream.XStreamWireFormat.unmarshalText(XStreamWireFormat.java:71)[activemq-http-5.15.13.jar:5.15.13]
      	at org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)[activemq-http-5.15.13.jar:5.15.13]
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:763)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:551)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1363)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:489)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1278)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.Server.handle(Server.java:500)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
      	at java.lang.Thread.run(Unknown Source)[:1.8.0_181] 
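
      An added example (not part of the issue or of ActiveMQ's code): a small Python triage script that reads XStream "Debugging information" blocks like the one above and reports which class the allowlist rejected and at which object path, so rejections caused by hardening can be told apart from other conversion failures. The sample log is constructed, and the second block's exception and path are invented.

```python
from collections import Counter

FORBIDDEN = "com.thoughtworks.xstream.security.ForbiddenClassException"
START = "---- Debugging information ----"

# Constructed sample log. Blocks 1 and 3 reuse fields from the trace above;
# block 2 (exception, message, path) is invented; block 3 is cut off on purpose.
SAMPLE_LOG = """\
com.thoughtworks.xstream.converters.ConversionException:
---- Debugging information ----
cause-exception     : com.thoughtworks.xstream.security.ForbiddenClassException
cause-message       : java.lang.StackTraceElement
path                : /org.apache.activemq.command.MessageAck/poisonCause/stackTrace/trace
line number         : 28
-------------------------------
---- Debugging information ----
cause-exception     : java.lang.NumberFormatException
cause-message       : For input string: "abc"
path                : /example.Order/quantity
-------------------------------
---- Debugging information ----
cause-exception     : com.thoughtworks.xstream.security.ForbiddenClassException
cause-message       : java.lang.StackTraceElement
path                : /org.apache.activemq.command.MessageAck/poisonCause/stackTrace/trace
"""

def parse_debug_blocks(log_text):
    """Return one dict of fields per XStream 'Debugging information' block."""
    blocks, current = [], None
    for line in log_text.splitlines():
        text = line.strip()
        if text == START:
            if current is not None:      # previous block never terminated
                blocks.append(current)
            current = {}
        elif current is not None and text and set(text) == {"-"}:
            blocks.append(current)       # dashed line closes the block
            current = None
        elif current is not None and ":" in text and not text.startswith("at "):
            key, _, value = text.partition(":")
            current[key.strip()] = value.strip()
    if current is not None:              # log ended mid-block
        blocks.append(current)
    return blocks

def forbidden_types(log_text):
    """Count (rejected class, object path) pairs for allowlist rejections only."""
    return Counter((b.get("cause-message"), b.get("path"))
                   for b in parse_debug_blocks(log_text)
                   if b.get("cause-exception") == FORBIDDEN)
```

      Each rejected class and path pair in the result is a candidate for review: either a type the broker legitimately stores and the allowlist is missing, or input that the hardening is correctly refusing.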

            People

              Assignee: jbonofre Jean-Baptiste Onofré
              Reporter: jbonofre Jean-Baptiste Onofré
                Time Tracking

                  Original Estimate: Not Specified
                  Remaining Estimate: 0h
                  Time Spent: 1h 40m