Is there a Java 11 compatible version for notsoserial? #34

Open
Shanky2304 opened this issue Mar 14, 2019 · 3 comments
Comments

@Shanky2304

I see that notsoserial is dependent on tools.jar for javac. I believe this has been removed since Java 9; is there a Java 11-compatible version on the way?

@computerlove

Nothing on the way, but if you make a PR we'll try to release it.

@Shanky2304
Author

Hi, apologies for such a late reply. I was able to compile the notsoserial code with Java 11; I just had to remove JDK-internal API references to xalan packages and replace them with standalone implementations, and add the line below to the maven-failsafe-plugin config to allow agent self-attach, since it's disabled by default in Java 11.

<argLine>-Djdk.attach.allowAttachSelf=true</argLine>

However, I can't get the test cases to run. Could someone with a little more insight into the code provide a few pointers to help me out?

In particular I see the below issues:

  • org.apache.commons : commons-collections4 (v4.0) suffers from CVE-2015-7450. v4.1 fixes it by making InvokerTransformer not implement the Serializable interface anymore, but that breaks the test cases since I can't use InvokerTransformer to insert values into the priority queue and then serialize it.

  • Not sure if this is a side effect of something, but I'm seeing multiple test failures; pasting test results below:

[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running org.kantega.notsoserial.CustomNotSoSerialIT
21352@shankarvive-w02
[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.089 s <<< FAILURE! - in org.kantega.notsoserial.CustomNotSoSerialIT
[ERROR] shouldCollectUsingCustomNotSoSerial(org.kantega.notsoserial.CustomNotSoSerialIT)  Time elapsed: 0.109 s  <<< FAILURE!
java.lang.AssertionError:

Expected: a collection containing "java.util.PriorityQueue"
     but:
        at org.kantega.notsoserial.CustomNotSoSerialIT.shouldCollectUsingCustomNotSoSerial(CustomNotSoSerialIT.java:69)

[INFO] Running org.kantega.notsoserial.WithAgentIT
15056@shankarvive-w02
HMM..
[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.854 s <<< FAILURE! - in org.kantega.notsoserial.WithAgentIT
[ERROR] attackShouldBePreventedWithAgent(org.kantega.notsoserial.WithAgentIT)  Time elapsed: 0.671 s  <<< FAILURE!
java.lang.AssertionError:

Expected: is "false"
     but: was "true"
        at org.kantega.notsoserial.WithAgentIT.attackShouldBePreventedWithAgent(WithAgentIT.java:63)

[INFO] Running org.kantega.notsoserial.WithCustomBlackListFileIT
17308@shankarvive-w02
[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.546 s <<< FAILURE! - in org.kantega.notsoserial.WithCustomBlackListFileIT
[ERROR] javaBlackListShouldRejectDeserialization(org.kantega.notsoserial.WithCustomBlackListFileIT)  Time elapsed: 0.421 s  <<< FAILURE!
java.lang.AssertionError: Expected exception: java.lang.UnsupportedOperationException

[INFO] Running org.kantega.notsoserial.WithDryRunWhitelistAndTraceIT
21772@shankarvive-w02
HMM..
[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.078 s <<< FAILURE! - in org.kantega.notsoserial.WithDryRunWhitelistAndTraceIT
[ERROR] shouldRecordClassesAsDeserialized(org.kantega.notsoserial.WithDryRunWhitelistAndTraceIT)  Time elapsed: 0.223 s  <<< FAILURE!
java.lang.AssertionError:

Expected: a collection containing "org.apache.commons.collections4.functors.InvokerTransformer"
     but:
        at org.kantega.notsoserial.WithDryRunWhitelistAndTraceIT.shouldRecordClassesAsDeserialized(WithDryRunWhitelistAndTraceIT.java:68)

[INFO] Running org.kantega.notsoserial.WithDryRunWhitelistIT
21480@shankarvive-w02
HMM..
[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.016 s <<< FAILURE! - in org.kantega.notsoserial.WithDryRunWhitelistIT
[ERROR] shouldRecordClassesAsDeserialized(org.kantega.notsoserial.WithDryRunWhitelistIT)  Time elapsed: 0.157 s  <<< FAILURE!
java.lang.AssertionError:

Expected: a collection containing "org.apache.commons.collections4.functors.InvokerTransformer"
     but:
        at org.kantega.notsoserial.WithDryRunWhitelistIT.shouldRecordClassesAsDeserialized(WithDryRunWhitelistIT.java:67)

[INFO] Running org.kantega.notsoserial.WithNonEmptyWhitelistIT
16992@shankarvive-w02
HMM..
[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.883 s <<< FAILURE! - in org.kantega.notsoserial.WithNonEmptyWhitelistIT
[ERROR] javaWhiteListShouldPreventAttachYetAllowArrayList(org.kantega.notsoserial.WithNonEmptyWhitelistIT)  Time elapsed: 0.108 s  <<< FAILURE!
java.lang.AssertionError:

Expected: is "false"
     but: was "true"
        at org.kantega.notsoserial.WithNonEmptyWhitelistIT.javaWhiteListShouldPreventAttachYetAllowArrayList(WithNonEmptyWhitelistIT.java:63)

[INFO] Running org.kantega.notsoserial.WithoutAgentIT
HMM..
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.608 s - in org.kantega.notsoserial.WithoutAgentIT
[INFO] Running org.kantega.notsoserial.WithWhitelistIT
2756@shankarvive-w02
HMM..
[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.747 s <<< FAILURE! - in org.kantega.notsoserial.WithWhitelistIT
[ERROR] emptyWhitelistShouldPreventAttack(org.kantega.notsoserial.WithWhitelistIT)  Time elapsed: 0.109 s  <<< FAILURE!
java.lang.AssertionError:

Expected: is "false"
     but: was "true"
        at org.kantega.notsoserial.WithWhitelistIT.emptyWhitelistShouldPreventAttack(WithWhitelistIT.java:61)

[INFO]
[INFO] Results:
[INFO]
[ERROR] Failures:
[ERROR]   CustomNotSoSerialIT.shouldCollectUsingCustomNotSoSerial:69
Expected: a collection containing "java.util.PriorityQueue"
     but:
[ERROR]   WithAgentIT.attackShouldBePreventedWithAgent:63
Expected: is "false"
     but: was "true"
[ERROR]   WithCustomBlackListFileIT.javaBlackListShouldRejectDeserialization Expected exception: java.lang.UnsupportedOperationException
[ERROR]   WithDryRunWhitelistAndTraceIT.shouldRecordClassesAsDeserialized:68
Expected: a collection containing "org.apache.commons.collections4.functors.InvokerTransformer"
     but:
[ERROR]   WithDryRunWhitelistIT.shouldRecordClassesAsDeserialized:67
Expected: a collection containing "org.apache.commons.collections4.functors.InvokerTransformer"
     but:
[ERROR]   WithNonEmptyWhitelistIT.javaWhiteListShouldPreventAttachYetAllowArrayList:63
Expected: is "false"
     but: was "true"
[ERROR]   WithWhitelistIT.emptyWhitelistShouldPreventAttack:61
Expected: is "false"
     but: was "true"
[INFO]
[ERROR] Tests run: 8, Failures: 7, Errors: 0, Skipped: 0
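The outcomes the failing tests assert on (a blacklisted class such as java.util.PriorityQueue is rejected, java.util.ArrayList is allowed under a whitelist that names it, and an empty whitelist rejects everything) can be reproduced on Java 11 without the agent, which helps separate "the agent did not attach" from "the check itself is wrong". The following is an added example, not notsoserial's code: notsoserial instruments ObjectInputStream through a Java agent, whereas this uses the JDK's own java.io.ObjectInputFilter (JEP 290, available since Java 9), so it implements the same intent with a different mechanism. The class name, method names, class lists and sample objects are constructed for the example; the blacklist entries are taken from the class names in the test output above.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.PriorityQueue;
import java.util.Set;

/** Constructed example: blacklist and whitelist deserialization filters on Java 11 (JEP 290). */
public class DeserializationFilterDemo {

    // Constructed blacklist: the two class names the failing tests refer to.
    static final Set<String> BLACKLIST = Set.of(
            "java.util.PriorityQueue",
            "org.apache.commons.collections4.functors.InvokerTransformer");

    // Constructed whitelist: ArrayList plus the element type it carries in this example.
    // Element classes must be listed too, because the filter is consulted for every class in the stream.
    static final Set<String> WHITELIST = Set.of("java.util.ArrayList", "java.lang.String");

    /** Reject any class on the blacklist; leave everything else to the JDK's default handling. */
    static ObjectInputFilter blacklistFilter(Set<String> blacklist) {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // depth/size callbacks carry no class
            }
            return blacklist.contains(c.getName())
                    ? ObjectInputFilter.Status.REJECTED
                    : ObjectInputFilter.Status.UNDECIDED;
        };
    }

    /** Reject every class not explicitly allowed; an empty whitelist therefore rejects all objects. */
    static ObjectInputFilter whitelistFilter(Set<String> whitelist) {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return whitelist.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    /** Returns true if the filter let the stream through, false if it rejected a class in it. */
    static boolean deserializes(byte[] stream, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            in.setObjectInputFilter(filter);
            in.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            // The JDK surfaces a REJECTED filter status as InvalidClassException ("filter status: REJECTED").
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample streams: a harmless ArrayList and a PriorityQueue, the class the tests block.
        byte[] list = serialize(new ArrayList<>(List.of("a", "b")));
        byte[] queue = serialize(new PriorityQueue<>(List.of(3, 1, 2)));

        // Blacklist mode: ArrayList passes, PriorityQueue is stopped when its class descriptor is read,
        // before any element is deserialized.
        System.out.println("blacklist, ArrayList       -> " + deserializes(list, blacklistFilter(BLACKLIST)));
        System.out.println("blacklist, PriorityQueue   -> " + deserializes(queue, blacklistFilter(BLACKLIST)));

        // Whitelist mode: only listed classes pass; an empty whitelist rejects even ArrayList.
        System.out.println("whitelist, ArrayList       -> " + deserializes(list, whitelistFilter(WHITELIST)));
        System.out.println("whitelist, PriorityQueue   -> " + deserializes(queue, whitelistFilter(WHITELIST)));
        System.out.println("empty whitelist, ArrayList -> " + deserializes(list, whitelistFilter(Set.of())));
    }
}
```

Run with `java DeserializationFilterDemo.java` on JDK 11 or later. The three whitelist lines mirror emptyWhitelistShouldPreventAttack and javaWhiteListShouldPreventAttachYetAllowArrayList, and the blacklist lines mirror the "Expected: is false" assertions, so if these hold while the failsafe tests still fail, the problem lies in the agent attaching or instrumenting under Java 11 rather than in the allow/deny logic.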

@Shanky2304
Author

@oven @eirbjo @wsargent @computerlove I'd very much appreciate any help here.

Thanks
