61fb009fdd
Fix a Remote Code Execution (RCE) vulnerability identified in an
excellent report by Timo Mihaljov (@solita-timo-mihaljov).
You are vulnerable iff both:
1. You are using Nippy to serialize and deserialize data from an
UNTRUSTED SOURCE.
2. You have a vulnerable ("gadget") class on your classpath.
Notably Clojure <= 1.8 includes such a class [1].
Many other libraries do too, some examples at [2].
To prevent this risk, a Serialization whitelist has been added.
Any classes not *explicitly* authorized by the whitelist to use
Serialization will NOT be permitted to.
The default whitelist is EMPTY, meaning this is a BREAKING
change iff you make use of Nippy's Serialization support. In
this case, you'll need to update the whitelist for your needs.
For more info see the `*serializable-whitelist*` docstring.
[1] https://clojure.atlassian.net/browse/CLJ-2204
[2] https://github.com/frohoff/ysoserial
Further info below provided by Timo:
------------------------------------
Deserialization vulnerabilities are exploited by constructing objects of classes
whose constructors perform some action that's useful to the attacker. A class like
this is called a gadget, and a collection of such classes that can be combined to
reach the attacker's goal is called a gadget chain.
There are three prerequisites for exploiting a deserialization vulnerability:
1) The attacker must be able to control the deserialized data, for example,
by gaining write access to the data store where trusted parties serialize
data or by exploiting some other vulnerability on the other end of a
communications channel.
2) The deserializer must construct objects of classes specified in the
serialized data. In other words, the attacker must have full control over
which classes get instantiated.
3) The classpath must contain gadgets that can be combined into a gadget chain.
The vulnerable code is in Nippy's function `read-serializable`, which calls the
`readObject` method of `ObjectInputStream`.
I have only tested the PoC with the latest stable version, 2.14.0, but looking at
Nippy's Git history, I believe all versions starting with the following commit
are vulnerable:
commit
|
||
|---|---|---|
| src/taoensso | ||
| test/taoensso/nippy/tests | ||
| .gitignore | ||
| benchmarks.png | ||
| CHANGELOG.md | ||
| LICENSE | ||
| project.clj | ||
| README.md | ||
CHANGELOG | API | current Break Version:
[com.taoensso/nippy "2.14.0"] ; Stable
[com.taoensso/nippy "2.15.0-RC1"] ; Dev, see CHANGELOG for details
Please consider helping to support my continued open-source Clojure/Script work?
Even small contributions can add up + make a big difference to help sustain my time writing, maintaining, and supporting Nippy and other Clojure/Script libraries. Thank you!
- Peter Taoussanis
Nippy
The fastest serialization library for Clojure
Clojure's rich data types are awesome. And its reader allows you to take your data just about anywhere. But the reader can be painfully slow when you've got a lot of data to crunch (like when you're serializing to a database).
Nippy is an attempt to provide a reliable, high-performance drop-in alternative to the reader. Used by the Carmine Redis client, the Faraday DynamoDB client, PigPen, Onyx and others.
Features
- Small, uncomplicated all-Clojure library
- Terrific performance (the fastest for Clojure that I'm aware of)
- Comprehesive support for all standard data types
- Easily extendable to custom data types (v2.1+)
- Java's Serializable fallback when available (v2.5+)
- Reader-fallback for all other types (including Clojure 1.4+ tagged literals)
- Full test coverage for every supported type
- Fully pluggable compression, including built-in high-performance LZ4 compressor
- Fully pluggable encryption, including built-in high-strength AES128 enabled with a single
:password [:salted "my-password"]option (v2+) - Utils for easy integration into 3rd-party tools/libraries (v2+)
Getting started
Add the necessary dependency to your project:
[com.taoensso/nippy "2.14.0"]
And setup your namespace imports:
(ns my-ns (:require [taoensso.nippy :as nippy]))
De/serializing
As an example of what it can do, let's take a look at Nippy's own reference stress data:
nippy/stress-data
=>
{:bytes (byte-array [(byte 1) (byte 2) (byte 3)])
:nil nil
:true true
:false false
:char \ಬ
:str-short "ಬಾ ಇಲ್ಲಿ ಸಂಭವಿಸ"
:str-long (apply str (range 1000))
:kw :keyword
:kw-ns ::keyword
:sym 'foo
:sym-ns 'foo/bar
:regex #"^(https?:)?//(www\?|\?)?"
:queue (-> (PersistentQueue/EMPTY) (conj :a :b :c :d :e :f :g))
:queue-empty (PersistentQueue/EMPTY)
:queue-empty (enc/queue)
:sorted-set (sorted-set 1 2 3 4 5)
:sorted-map (sorted-map :b 2 :a 1 :d 4 :c 3)
:list (list 1 2 3 4 5 (list 6 7 8 (list 9 10)))
:list-quoted '(1 2 3 4 5 (6 7 8 (9 10)))
:list-empty (list)
:vector [1 2 3 4 5 [6 7 8 [9 10]]]
:vector-empty []
:map {:a 1 :b 2 :c 3 :d {:e 4 :f {:g 5 :h 6 :i 7}}}
:map-empty {}
:set #{1 2 3 4 5 #{6 7 8 #{9 10}}}
:set-empty #{}
:meta (with-meta {:a :A} {:metakey :metaval})
:nested [#{{1 [:a :b] 2 [:c :d] 3 [:e :f]} [] #{:a :b}}
#{{1 [:a :b] 2 [:c :d] 3 [:e :f]} [] #{:a :b}}
[1 [1 2 [1 2 3 [1 2 3 4 [1 2 3 4 5]]]]]]
:lazy-seq (repeatedly 1000 rand)
:lazy-seq-empty (map identity '())
:byte (byte 16)
:short (short 42)
:integer (int 3)
:long (long 3)
:bigint (bigint 31415926535897932384626433832795)
:float (float 3.14)
:double (double 3.14)
:bigdec (bigdec 3.1415926535897932384626433832795)
:ratio 22/7
:uuid (java.util.UUID/randomUUID)
:date (java.util.Date.)
:stress-record (StressRecord. "data")
;; Serializable
:throwable (Throwable. "Yolo")
:exception (try (/ 1 0) (catch Exception e e))
:ex-info (ex-info "ExInfo" {:data "data"})}
Serialize it:
(def frozen-stress-data (nippy/freeze nippy/stress-data))
=> #<byte[] [B@3253bcf3>
Deserialize it:
(nippy/thaw frozen-stress-data)
=> {:bytes (byte-array [(byte 1) (byte 2) (byte 3)])
:nil nil
:boolean true
<...> }
Couldn't be simpler!
See also the lower-level freeze-to-out! and thaw-from-in! fns for operating on DataOutput and DataInput types directly.
Encryption (v2+)
Nippy also gives you dead simple data encryption. Add a single option to your usual freeze/thaw calls like so:
(nippy/freeze nippy/stress-data {:password [:salted "my-password"]}) ; Encrypt
(nippy/thaw <encrypted-data> {:password [:salted "my-password"]}) ; Decrypt
There's two default forms of encryption on offer: :salted and :cached. Each of these makes carefully-chosen trade-offs and is suited to one of two common use cases. See the aes128-encryptor API docs for a detailed explanation of why/when you'd want one or the other.
Custom types (v2.1+)
(defrecord MyType [data])
(nippy/extend-freeze MyType :my-type/foo ; A unique (namespaced) type identifier
[x data-output]
(.writeUTF data-output (:data x)))
(nippy/extend-thaw :my-type/foo ; Same type id
[data-input]
(MyType. (.readUTF data-input)))
(nippy/thaw (nippy/freeze (MyType. "Joe"))) => #taoensso.nippy.MyType{:data "Joe"}
Performance
Nippy is currently the fastest serialization library for Clojure that I'm aware of, and offers roundtrip times between ~10x and ~15x faster than Clojure's tools.reader.edn, with a ~40% smaller output size.
Detailed benchmark info is available on Google Docs.
Contacting me / contributions
Please use the project's GitHub issues page for all questions, ideas, etc. Pull requests welcome. See the project's GitHub contributors page for a list of contributors.
Otherwise, you can reach me at Taoensso.com. Happy hacking!
License
Distributed under the EPL v1.0 (same as Clojure).
Copyright © 2012-2016 Peter Taoussanis.