Restrict classes allowed for cluster config and event types #18165
Merged
+426
−29
bernd
requested changes
Feb 6, 2024
graylog2-server/src/main/java/org/graylog2/cluster/ClusterConfigServiceImpl.java
Co-authored-by: Bernd Ahlers <bernd@users.noreply.github.com>
bernd
approved these changes
Feb 6, 2024
Thank you! 🙏
bernd
pushed a commit
that referenced
this pull request
Feb 6, 2024
Add a new safe_classes configuration option to restrict the classes allowed to be used as cluster config and event types. The configuration option allows specifying a comma-separated set of prefixes matched against the fully qualified class name.

For now, the default value for the configuration is org.graylog.,org.graylog2., which will allow all classes that Graylog maintains. This should work out of the box for almost all setups. Changing the default value might only be necessary if external plugins require cluster config or event types outside the "org.graylog." or "org.graylog2." namespaces. If that is the case, the configuration setting can be adjusted to cover this use case, e.g. by setting it to safe_classes = org.graylog.,org.graylog2.,custom.plugin.namespace. if said classes are located within the custom.plugin.namespace package.

Refs: GHSA-p6gg-5hf4-4rgj
(cherry picked from commit 8132032)
bernd
added a commit
that referenced
this pull request
Feb 6, 2024
…18179)

* Restrict classes allowed for cluster config and event types (#18165)

Add a new safe_classes configuration option to restrict the classes allowed to be used as cluster config and event types. The configuration option allows specifying a comma-separated set of prefixes matched against the fully qualified class name.

For now, the default value for the configuration is org.graylog.,org.graylog2., which will allow all classes that Graylog maintains. This should work out of the box for almost all setups. Changing the default value might only be necessary if external plugins require cluster config or event types outside the "org.graylog." or "org.graylog2." namespaces. If that is the case, the configuration setting can be adjusted to cover this use case, e.g. by setting it to safe_classes = org.graylog.,org.graylog2.,custom.plugin.namespace. if said classes are located within the custom.plugin.namespace package.

Refs: GHSA-p6gg-5hf4-4rgj
(cherry picked from commit 8132032)

* Use javax.inject.Inject instead of jakarta.inject.Inject

* Use javax.ws.rs instead of jakarta.ws.rs

---------

Co-authored-by: Othello Maurer <othello@graylog.com>
bernd
added a commit
that referenced
this pull request
Feb 6, 2024
…18180)

* Restrict classes allowed for cluster config and event types (#18165)

Add a new safe_classes configuration option to restrict the classes allowed to be used as cluster config and event types. The configuration option allows specifying a comma-separated set of prefixes matched against the fully qualified class name.

For now, the default value for the configuration is org.graylog.,org.graylog2., which will allow all classes that Graylog maintains. This should work out of the box for almost all setups. Changing the default value might only be necessary if external plugins require cluster config or event types outside the "org.graylog." or "org.graylog2." namespaces. If that is the case, the configuration setting can be adjusted to cover this use case, e.g. by setting it to safe_classes = org.graylog.,org.graylog2.,custom.plugin.namespace. if said classes are located within the custom.plugin.namespace package.

Refs: GHSA-p6gg-5hf4-4rgj
(cherry picked from commit 8132032)

* Use javax.inject.Inject instead of jakarta.inject.Inject

* Add "jakarta.inject.**" to forbidden APIs

This will help us with issues for backported code that's already using jakarta.inject.

* Use javax.ws.rs instead of jakarta.ws.rs

---------

Co-authored-by: Othello Maurer <othello@graylog.com>
Add a new safe_classes configuration option to restrict the classes allowed to be used as cluster config and event types. The configuration option allows specifying a comma-separated set of prefixes matched against the fully qualified class name.

For now, the default value for the configuration is org.graylog.,org.graylog2., which will allow all classes that are maintained by Graylog. This should work out of the box for almost all setups. Changing the default value might only be necessary if external plugins require cluster config or event types outside the org.graylog. or org.graylog2. namespace. If that is the case, the configuration setting can be adjusted to cover this use case, e.g. by setting it to safe_classes = org.graylog.,org.graylog2.,custom.plugin.namespace. if said classes are located within the custom.plugin.namespace package.
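The prefix check described above, as an added example that is not Graylog's own code: a small hypothetical SafeClassesCheck class parses a safe_classes value, refuses to resolve any class name that does not start with a configured prefix, and shows why the trailing dot on each prefix matters. The class and the sample class names are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

/** Hypothetical allowlist modelled on the safe_classes option (not Graylog's implementation). */
public final class SafeClassesCheck {
    private final List<String> prefixes;

    SafeClassesCheck(String safeClasses) {
        // Comma-separated prefixes; trim whitespace and drop empty entries.
        prefixes = Arrays.stream(safeClasses.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toList());
        if (prefixes.isEmpty()) {
            throw new IllegalArgumentException("safe_classes must contain at least one prefix");
        }
    }

    /** True if the fully qualified class name starts with one of the configured prefixes. */
    boolean isAllowed(String fqcn) {
        return prefixes.stream().anyMatch(fqcn::startsWith);
    }

    /** Resolve a class only after its name passed the allowlist; never initialize on lookup. */
    Class<?> loadAllowed(String fqcn, ClassLoader loader) throws ClassNotFoundException {
        if (!isAllowed(fqcn)) {
            throw new IllegalArgumentException("Class not allowed by safe_classes: " + fqcn);
        }
        return Class.forName(fqcn, false, loader);
    }

    public static void main(String[] args) {
        // Default from the PR: only classes under org.graylog. and org.graylog2. are accepted.
        SafeClassesCheck defaults = new SafeClassesCheck("org.graylog.,org.graylog2.");
        System.out.println("default, graylog class:  " + defaults.isAllowed("org.graylog2.example.ClusterSetting"));
        System.out.println("default, plugin class:   " + defaults.isAllowed("custom.plugin.namespace.MyConfig"));

        // Extended as the PR description suggests for an external plugin (constructed package name).
        SafeClassesCheck extended = new SafeClassesCheck("org.graylog.,org.graylog2.,custom.plugin.namespace.");
        System.out.println("extended, plugin class:  " + extended.isAllowed("custom.plugin.namespace.MyConfig"));

        // Caveat: a prefix is a plain string prefix, not a package boundary. Without the trailing
        // dot, "org.graylog" also admits names such as "org.graylogfoo.Anything", so keep the dot.
        SafeClassesCheck loose = new SafeClassesCheck("org.graylog");
        System.out.println("loose, lookalike package: " + loose.isAllowed("org.graylogfoo.Anything"));
    }
}
```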