luciano/nippy
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[nop] Updates for latest Encore

Browse source
This commit is contained in:
Peter Taoussanis 2024-02-06 09:31:42 +01:00
parent 3c27f03bc4
commit 7d2800d106
2 changed files with 49 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
src/taoensso/nippy.clj
View file

@ -479,7 +479,7 @@
- Does NOT implement Nippy's `Freezable` protocol. - Does NOT implement Nippy's `Freezable` protocol.
- DOES implement Java's `Serializable` interface. - DOES implement Java's `Serializable` interface.
In this case, the allowlist will be checked to see if Java's In this case, an allowlist will be checked to see if Java's
`Serializable` interface may be used. `Serializable` interface may be used.
This is a security measure to prevent possible Remote Code Execution This is a security measure to prevent possible Remote Code Execution
@ -513,19 +513,19 @@
Allowlist values may be overridden with `binding`, `alter-var-root`, or: Allowlist values may be overridden with `binding`, `alter-var-root`, or:
- `taoensso.nippy.<freeze/thaw>-serializable-allowlist-base` JVM property - `taoensso.nippy.<freeze/thaw>-serializable-allowlist-base` JVM property value
- `taoensso.nippy.<freeze/thaw>-serializable-allowlist-add` JVM property - `taoensso.nippy.<freeze/thaw>-serializable-allowlist-add` JVM property value
- `TAOENSSO_NIPPY_<FREEZE/THAW>_SERIALIZABLE_ALLOWLIST_BASE` env var - `TAOENSSO_NIPPY_<FREEZE/THAW>_SERIALIZABLE_ALLOWLIST_BASE` Environment variable value
- `TAOENSSO_NIPPY_<FREEZE/THAW>_SERIALIZABLE_ALLOWLIST_ADD` env var - `TAOENSSO_NIPPY_<FREEZE/THAW>_SERIALIZABLE_ALLOWLIST_ADD` Environment variable value
If present, these will be read as comma-separated lists of class names If present, these will be read as comma-separated lists of class names
and formed into sets. Each initial allowlist value will then be: and formed into sets. Each initial allowlist value will then be:
(into (or <?base> <default>) <?additions>). (into (or <?base> <default>) <?additions>).
I.e. you can use: I.e. you can use:
- The \"base\" property/var to replace Nippy's default allowlists. - The \"base\" property/var to REPLACE Nippy's default allowlists.
- The \"add\" property/var to add to Nippy's default allowlists. - The \"add\" property/var to ADD TO Nippy's default allowlists.
The special `\"allow-and-record\"` value is also possible, see [2]. The special `\"allow-and-record\"` value is also possible, see [2].
@ -541,8 +541,21 @@
[1] https://github.com/ptaoussanis/nippy/issues/130 [1] https://github.com/ptaoussanis/nippy/issues/130
[2] See `allow-and-record-any-serializable-class-unsafe`."] [2] See `allow-and-record-any-serializable-class-unsafe`."]
(enc/defonce ^{:dynamic true :doc doc} *freeze-serializable-allowlist* (impl/init-serializable-allowlist :freeze default-freeze-serializable-allowlist false)) (enc/defonce ^{:dynamic true :doc doc} *freeze-serializable-allowlist*
(enc/defonce ^{:dynamic true :doc doc} *thaw-serializable-allowlist* (impl/init-serializable-allowlist :thaw default-thaw-serializable-allowlist true))) (impl/parse-allowlist default-freeze-serializable-allowlist
(enc/get-env :taoensso.nippy.freeze-serializable-allowlist-base)
(enc/get-env :taoensso.nippy.freeze-serializable-allowlist-add)))
(enc/defonce ^{:dynamic true :doc doc} *thaw-serializable-allowlist*
(impl/parse-allowlist default-thaw-serializable-allowlist
(enc/get-env
[:taoensso.nippy.thaw-serializable-allowlist-base
:taoensso.nippy.serializable-whitelist-base ; Back compatibility
])
(enc/get-env
[:taoensso.nippy.thaw-serializable-allowlist-add
:taoensso.nippy.serializable-whitelist-add ; Back compatibility
]))))
(enc/defonce ^:dynamic ^:no-doc ^:deprecated *serializable-whitelist* (enc/defonce ^:dynamic ^:no-doc ^:deprecated *serializable-whitelist*
;; Back compatibility for Crux, Ref. <https://github.com/juxt/crux/releases/tag/20.09-1.11.0> ;; Back compatibility for Crux, Ref. <https://github.com/juxt/crux/releases/tag/20.09-1.11.0>
@ -1321,7 +1334,7 @@
rf2 (if transient? rf2! rf2*)] rf2 (if transient? rf2! rf2*)]
(if-let [xf *thaw-xform*] (if-let [xf *thaw-xform*]
(let [rf ((xform* xf) rf1)] (rf (enc/reduce-n (fn [acc _] (rf acc (clojure.lang.MapEntry/create (thaw-from-in! in) (thaw-from-in! in)))) init n))) (let [rf ((xform* xf) rf1)] (rf (enc/reduce-n (fn [acc _] (rf acc (enc/map-entry (thaw-from-in! in) (thaw-from-in! in)))) init n)))
(let [rf rf2 ] (rf (enc/reduce-n (fn [acc _] (rf acc (thaw-from-in! in) (thaw-from-in! in))) init n))))))) (let [rf rf2 ] (rf (enc/reduce-n (fn [acc _] (rf acc (thaw-from-in! in) (thaw-from-in! in))) init n)))))))
(defn- read-kvs-depr [to ^DataInput in] (read-kvs-into to in (quot (.readInt in) 2))) (defn- read-kvs-depr [to ^DataInput in] (read-kvs-into to in (quot (.readInt in) 2)))
@ -1604,7 +1617,7 @@
id-bigdec (BigDecimal. ^BigInteger (read-biginteger in) (.readInt in)) id-bigdec (BigDecimal. ^BigInteger (read-biginteger in) (.readInt in))
id-ratio (clojure.lang.Ratio. (read-biginteger in) (read-biginteger in)) id-ratio (clojure.lang.Ratio. (read-biginteger in) (read-biginteger in))
id-map-entry (clojure.lang.MapEntry/create (thaw-from-in! in) (thaw-from-in! in)) id-map-entry (enc/map-entry (thaw-from-in! in) (thaw-from-in! in))
id-util-date (java.util.Date. (.readLong in)) id-util-date (java.util.Date. (.readLong in))
id-sql-date (java.sql.Date. (.readLong in)) id-sql-date (java.sql.Date. (.readLong in))

62
src/taoensso/nippy/impl.clj
View file

@ -54,47 +54,33 @@
;;;; Java Serializable ;;;; Java Serializable
(defn- allow-and-record? [s] (= s "allow-and-record")) (def ^:const ^:private allow-and-record "allow-and-record")
(defn- split-class-names>set [s] (when (string? s) (if (= s "") #{} (set (mapv str/trim (str/split s #"[,:]")))))) (defn- allow-and-record? [x] (= x allow-and-record))
(defn- classname-set
"Returns ?#{<classname>}."
[x]
(when x
(if (string? x)
(if (= x "") #{} (set (mapv str/trim (str/split x #"[,:]"))))
(enc/have set? x))))
(comment (comment
(split-class-names>set "") (mapv classname-set [nil #{"foo"} "" "foo, bar:baz"])
(split-class-names>set "foo, bar:baz")) (.getName (.getSuperclass (.getClass (java.util.concurrent.TimeoutException.)))))
(comment (.getName (.getSuperclass (.getClass (java.util.concurrent.TimeoutException.))))) (defn parse-allowlist
"Returns #{<classname>}, or `allow-and-record`."
[default base add]
(if (or
(allow-and-record? base)
(allow-and-record? add))
allow-and-record
(into
(or (classname-set base) default)
(do (classname-set add)))))
(let [ids (comment (parse-allowlist #{"default"} "base1,base2" "add1"))
{:freeze {:base :taoensso.nippy.freeze-serializable-allowlist-base
:add :taoensso.nippy.freeze-serializable-allowlist-add}
:thaw {:base :taoensso.nippy.thaw-serializable-allowlist-base
:add :taoensso.nippy.thaw-serializable-allowlist-add}
:legacy {:base :taoensso.nippy.serializable-whitelist-base
:add :taoensso.nippy.serializable-whitelist-add}}]
(defn init-serializable-allowlist
[action default incl-legacy?]
(let [allowlist-base
(or
(when-let [s
(or
(do (enc/get-sys-val* (get-in ids [action :base])))
(when incl-legacy? (enc/get-sys-val* (get-in ids [:legacy :base]))))]
(if (allow-and-record? s) s (split-class-names>set s)))
default)
allowlist-add
(when-let [s
(or
(do (enc/get-sys-val* (get-in ids [action :add])))
(when incl-legacy? (enc/get-sys-val* (get-in ids [:legacy :add]))))]
(if (allow-and-record? s) s (split-class-names>set s)))]
(if (and allowlist-base allowlist-add)
(into (enc/have set? allowlist-base) allowlist-add)
(do allowlist-base)))))
;;;
(let [nmax 1000 (let [nmax 1000
ngc 16000 ngc 16000