Re: [PR] HDFS-17874. Check NodePlan JSON [hadoop]

Mon, 26 Jan 2026 09:55:06 -0800 


pjfanning commented on code in PR #8196:
URL: https://github.com/apache/hadoop/pull/8196#discussion_r2728557036


##########
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/diskbalancer/planner/NodePlan.java:
##########
@@ -151,20 +154,56 @@ public void setPort(int port) {
   }
 
   /**
-   * Parses a Json string and converts to NodePlan.
+   * Parses a JSON string and converts to NodePlan.
    *
-   * @param json - Json String
+   * @param json - JSON String
    * @return NodePlan
    * @throws IOException
    */
   public static NodePlan parseJson(String json) throws IOException {
-    return READER.readValue(json);
+    JsonNode tree = READER.readTree(json);
+    checkNodes(tree);
+    return READER.readValue(tree);
   }
 
   /**
-   * Returns a Json representation of NodePlan.
+   * Iterate through the tree structure beginning at the input `node`. This 
includes
+   * checking arrays and within JSON object structures (allowing for nested 
structures)
    *
-   * @return - json String
+   * @param node a node representing the root of tree structure
+   * @throws IOException if any unexpected `@class` values are found - this is 
the
+   * pre-existing exception type exposed by the calling code
+   */
+  private static void checkNodes(JsonNode node) throws IOException {
+    if (node == null) {
+      return;
+    }
+
+    // Check Node and Recurse into child nodes
+    if (node.isObject()) {
+      Iterator<Map.Entry<String, JsonNode>> fieldsIterator = node.fields();
+      while (fieldsIterator.hasNext()) {
+        Map.Entry<String, JsonNode> entry = fieldsIterator.next();
+        if ("@class".equals(entry.getKey())) {
+          String textValue = entry.getValue().asText();
+          if (textValue != null && !textValue.isBlank() &&
+                  !textValue.startsWith("org.apache.hadoop.hdfs.server")) {

Review Comment:
   Jackson will try to deserialize to the named class. There is a disallow list 
for well known attack classes but it can never be complete. It was a really bad 
decision to use class names here. Jackson supports other approaches. But 
changing now is a breaking change.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to