naruto-lgtm opened a new pull request, #8557:
URL: https://github.com/apache/hadoop/pull/8557

   ### Description of PR
   
   `LeveldbConfigurationStore.deserLogMutations` reads the scheduler 
configuration mutation log back from the LevelDB store with a raw 
`ObjectInputStream.readObject()`. Anyone who can write the store directory 
(`yarn.scheduler.configuration.leveldb-store.path`) can replace the serialized 
`LinkedList<LogMutation>` with a gadget payload, and the RM will instantiate 
arbitrary Serializable classes off the classpath on the next load/recovery.
   
   The sibling `ZKConfigurationStore` already decodes the same 
`LinkedList<LogMutation>` through commons-io `ValidatingObjectInputStream` with 
an explicit class allowlist; the LevelDB store was left on the unrestricted 
path. This change applies the same allowlist (`LinkedList`, `LogMutation`, 
`HashMap`, `String`) inside the decode helper so the restriction lives next to 
the read rather than relying on the store being trusted.
   
   ### How was this patch tested?
   
   Round-tripped a real `LinkedList<LogMutation>` (a `HashMap` of updates plus 
a user string) through the patched helper - it deserializes unchanged. A 
serialized object of a class outside the allowlist is now rejected with 
`InvalidClassException ("Class name not accepted")` instead of being 
constructed. Built `hadoop-yarn-server-resourcemanager` with the change.
   
   ### For code changes:
   
   - [ ] Does the title or this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, `NOTICE-binary` files?
   
   ### AI Tooling
   
   If an AI tool was used:
   
   - [ ] The PR includes the phrase "Contains content generated by <tool>"
         where <tool> is the name of the AI tool used.
   - [ ] My use of AI contributions follows the ASF legal policy
         https://www.apache.org/legal/generative-tooling.html
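
Added example, not part of the pull request or the Hadoop code base: the allowlist check the description refers to, written against the plain JDK by overriding `ObjectInputStream.resolveClass` in place of commons-io `ValidatingObjectInputStream`. The nested `LogMutation` class, the `decode`/`encode` helpers and the sample property are assumptions constructed for the demo.

```java
import java.io.*;
import java.util.*;

public class AllowlistDecodeDemo {
  // Stand-in for the store's LogMutation (assumed shape: a map of updates plus a user).
  static class LogMutation implements Serializable {
    final HashMap<String, String> updates;
    final String user;
    LogMutation(HashMap<String, String> updates, String user) {
      this.updates = updates;
      this.user = user;
    }
  }

  // The four classes named in the PR description.
  static final Set<String> ALLOWED = Set.of(
      LinkedList.class.getName(), LogMutation.class.getName(),
      HashMap.class.getName(), String.class.getName());

  // Hypothetical helper: refuses a class descriptor before the class is loaded or built.
  static Object decode(byte[] bytes) throws IOException, ClassNotFoundException {
    try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes)) {
      @Override
      protected Class<?> resolveClass(ObjectStreamClass desc)
          throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
          throw new InvalidClassException(desc.getName(), "Class name not accepted");
        }
        return super.resolveClass(desc);
      }
    }) {
      return in.readObject();
    }
  }

  static byte[] encode(Object o) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
    return bos.toByteArray();
  }

  public static void main(String[] args) throws Exception {
    HashMap<String, String> updates = new HashMap<>();
    updates.put("yarn.scheduler.capacity.root.a.capacity", "50"); // constructed sample
    LinkedList<LogMutation> log = new LinkedList<>(List.of(new LogMutation(updates, "admin")));
    LinkedList<?> back = (LinkedList<?>) decode(encode(log));
    System.out.println("accepted: user=" + ((LogMutation) back.get(0)).user);
    try {
      decode(encode(new Date(0L))); // constructed object of a class outside the allowlist
    } catch (InvalidClassException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Run with `java AllowlistDecodeDemo.java` (Java 11 or later); the mutation log round-trips and the `java.util.Date` stream is rejected at its class descriptor.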
   

