[nop] Updates for latest Encore

2024-02-06 09:31:42 +01:00 · 2024-02-06 09:31:42 +01:00 · 7d2800d106
commit 7d2800d106
parent 3c27f03bc4
2 changed files with 49 additions and 50 deletions
--- a/src/taoensso/nippy.clj
+++ b/src/taoensso/nippy.clj
@ -479,7 +479,7 @@
    - Does NOT implement Nippy's `Freezable`    protocol.
    - DOES     implement Java's  `Serializable` interface.

-  In this case, the allowlist will be checked to see if Java's
+  In this case, an allowlist will be checked to see if Java's
  `Serializable` interface may be used.

  This is a security measure to prevent possible Remote Code Execution
@ -513,19 +513,19 @@

  Allowlist values may be overridden with `binding`, `alter-var-root`, or:

-    - `taoensso.nippy.<freeze/thaw>-serializable-allowlist-base` JVM property
-    - `taoensso.nippy.<freeze/thaw>-serializable-allowlist-add`  JVM property
+    - `taoensso.nippy.<freeze/thaw>-serializable-allowlist-base` JVM property value
+    - `taoensso.nippy.<freeze/thaw>-serializable-allowlist-add`  JVM property value

-    - `TAOENSSO_NIPPY_<FREEZE/THAW>_SERIALIZABLE_ALLOWLIST_BASE` env var
-    - `TAOENSSO_NIPPY_<FREEZE/THAW>_SERIALIZABLE_ALLOWLIST_ADD`  env var
+    - `TAOENSSO_NIPPY_<FREEZE/THAW>_SERIALIZABLE_ALLOWLIST_BASE` Environment variable value
+    - `TAOENSSO_NIPPY_<FREEZE/THAW>_SERIALIZABLE_ALLOWLIST_ADD`  Environment variable value

  If present, these will be read as comma-separated lists of class names
  and formed into sets. Each initial allowlist value will then be:
  (into (or <?base> <default>) <?additions>).

    I.e. you can use:
-      - The \"base\" property/var to replace Nippy's default allowlists.
-      - The \"add\"  property/var to add to  Nippy's default allowlists.
+      - The \"base\" property/var to REPLACE Nippy's default allowlists.
+      - The \"add\"  property/var to ADD TO  Nippy's default allowlists.

  The special `\"allow-and-record\"` value is also possible, see [2].

@ -541,8 +541,21 @@
  [1] https://github.com/ptaoussanis/nippy/issues/130
  [2] See `allow-and-record-any-serializable-class-unsafe`."]

-  (enc/defonce ^{:dynamic true :doc doc} *freeze-serializable-allowlist* (impl/init-serializable-allowlist :freeze default-freeze-serializable-allowlist false))
-  (enc/defonce ^{:dynamic true :doc doc}   *thaw-serializable-allowlist* (impl/init-serializable-allowlist :thaw     default-thaw-serializable-allowlist true)))
+  (enc/defonce ^{:dynamic true :doc doc} *freeze-serializable-allowlist*
+    (impl/parse-allowlist default-freeze-serializable-allowlist
+      (enc/get-env :taoensso.nippy.freeze-serializable-allowlist-base)
+      (enc/get-env :taoensso.nippy.freeze-serializable-allowlist-add)))
+
+  (enc/defonce ^{:dynamic true :doc doc} *thaw-serializable-allowlist*
+    (impl/parse-allowlist default-thaw-serializable-allowlist
+      (enc/get-env
+        [:taoensso.nippy.thaw-serializable-allowlist-base
+         :taoensso.nippy.serializable-whitelist-base ; Back compatibility
+         ])
+      (enc/get-env
+        [:taoensso.nippy.thaw-serializable-allowlist-add
+         :taoensso.nippy.serializable-whitelist-add ; Back compatibility
+         ]))))

 (enc/defonce ^:dynamic ^:no-doc ^:deprecated *serializable-whitelist*
  ;; Back compatibility for Crux, Ref. <https://github.com/juxt/crux/releases/tag/20.09-1.11.0>
@ -1321,8 +1334,8 @@
          rf2        (if transient? rf2! rf2*)]

      (if-let [xf *thaw-xform*]
-        (let [rf ((xform* xf) rf1)] (rf (enc/reduce-n (fn [acc _] (rf acc (clojure.lang.MapEntry/create (thaw-from-in! in) (thaw-from-in! in)))) init n)))
-        (let [rf              rf2 ] (rf (enc/reduce-n (fn [acc _] (rf acc                               (thaw-from-in! in) (thaw-from-in! in)))  init n)))))))
+        (let [rf ((xform* xf) rf1)] (rf (enc/reduce-n (fn [acc _] (rf acc (enc/map-entry (thaw-from-in! in) (thaw-from-in! in)))) init n)))
+        (let [rf              rf2 ] (rf (enc/reduce-n (fn [acc _] (rf acc                (thaw-from-in! in) (thaw-from-in! in)))  init n)))))))

 (defn- read-kvs-depr [to ^DataInput in] (read-kvs-into to in (quot (.readInt in) 2)))
 (defn- read-objects [^objects ary ^DataInput in]
@ -1604,7 +1617,7 @@
        id-bigdec      (BigDecimal. ^BigInteger (read-biginteger in) (.readInt        in))
        id-ratio       (clojure.lang.Ratio.     (read-biginteger in) (read-biginteger in))

-        id-map-entry   (clojure.lang.MapEntry/create (thaw-from-in! in) (thaw-from-in! in))
+        id-map-entry   (enc/map-entry (thaw-from-in! in) (thaw-from-in! in))

        id-util-date   (java.util.Date. (.readLong in))
        id-sql-date    (java.sql.Date.  (.readLong in))
--- a/src/taoensso/nippy/impl.clj
+++ b/src/taoensso/nippy/impl.clj
@ -54,47 +54,33 @@

 ;;;; Java Serializable

-(defn- allow-and-record?     [s] (= s "allow-and-record"))
-(defn- split-class-names>set [s] (when (string? s) (if (= s "") #{} (set (mapv str/trim (str/split s #"[,:]"))))))
+(def ^:const ^:private allow-and-record          "allow-and-record")
+(defn-                 allow-and-record? [x] (= x allow-and-record))
+
+(defn- classname-set
+  "Returns ?#{<classname>}."
+  [x]
+  (when x
+    (if (string? x)
+      (if (= x "") #{} (set (mapv str/trim (str/split x #"[,:]"))))
+      (enc/have set? x))))
+
 (comment
-  (split-class-names>set "")
-  (split-class-names>set "foo, bar:baz"))
+  (mapv classname-set [nil #{"foo"} "" "foo, bar:baz"])
+  (.getName (.getSuperclass (.getClass (java.util.concurrent.TimeoutException.)))))

-(comment (.getName (.getSuperclass (.getClass (java.util.concurrent.TimeoutException.)))))
+(defn parse-allowlist
+  "Returns #{<classname>}, or `allow-and-record`."
+  [default base add]
+  (if (or
+        (allow-and-record? base)
+        (allow-and-record? add))
+    allow-and-record
+    (into
+      (or (classname-set base) default)
+      (do (classname-set add)))))

-(let [ids
-      {:freeze {:base :taoensso.nippy.freeze-serializable-allowlist-base
-                :add  :taoensso.nippy.freeze-serializable-allowlist-add}
-       :thaw   {:base :taoensso.nippy.thaw-serializable-allowlist-base
-                :add  :taoensso.nippy.thaw-serializable-allowlist-add}
-       :legacy {:base :taoensso.nippy.serializable-whitelist-base
-                :add  :taoensso.nippy.serializable-whitelist-add}}]
-
-  (defn init-serializable-allowlist
-    [action default incl-legacy?]
-    (let [allowlist-base
-          (or
-            (when-let [s
-                       (or
-                         (do                (enc/get-sys-val* (get-in ids [action  :base])))
-                         (when incl-legacy? (enc/get-sys-val* (get-in ids [:legacy :base]))))]
-
-              (if (allow-and-record? s) s (split-class-names>set s)))
-            default)
-
-          allowlist-add
-          (when-let [s
-                     (or
-                       (do                (enc/get-sys-val* (get-in ids [action  :add])))
-                       (when incl-legacy? (enc/get-sys-val* (get-in ids [:legacy :add]))))]
-
-            (if (allow-and-record? s) s (split-class-names>set s)))]
-
-      (if (and allowlist-base allowlist-add)
-        (into (enc/have set? allowlist-base) allowlist-add)
-        (do                  allowlist-base)))))
-
-;;;
+(comment (parse-allowlist #{"default"} "base1,base2" "add1"))

 (let [nmax    1000
      ngc     16000