
Restrict classes allowed for cluster config and event types (#18165) #18179

Merged
merged 3 commits into from
Feb 6, 2024

Conversation

bernd
Member

@bernd bernd commented Feb 6, 2024

Add a new safe_classes configuration option to restrict the classes allowed to be used as cluster config and event types.
The configuration option allows specifying a comma-separated set of prefixes matched against the fully qualified class name.

For now, the default value for the configuration is org.graylog.,org.graylog2., which will allow all classes that Graylog maintains.

This should work out of the box for almost all setups. Changing the default value might only be necessary if external plugins require cluster config or event types outside the "org.graylog." or "org.graylog2." namespaces. If that is the case, the configuration setting can be adjusted to cover this use case, e.g. by setting it to

    safe_classes = org.graylog.,org.graylog2.,custom.plugin.namespace.

if said classes are located within the custom.plugin.namespace package.

Refs: GHSA-p6gg-5hf4-4rgj

(cherry picked from commit 8132032)
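The matching rule described above, modelled as a stand-alone example (added here; this is not Graylog's own implementation, and the sample class names are constructed): the setting is split on commas and each fully qualified class name is accepted only if it starts with one of the configured prefixes. The last call shows why the default prefixes end in a dot: a prefix without the trailing dot also matches sibling packages that merely share the leading characters.

```python
from typing import Iterable, List

# Default value from the PR description.
DEFAULT_SAFE_CLASSES = "org.graylog.,org.graylog2."


def parse_safe_classes(value: str) -> List[str]:
    """Split the comma-separated setting into trimmed, non-empty prefixes."""
    return [p.strip() for p in value.split(",") if p.strip()]


def is_safe_class(class_name: str, safe_classes: str = DEFAULT_SAFE_CLASSES) -> bool:
    """True if the fully qualified class name starts with any configured prefix."""
    return any(class_name.startswith(prefix) for prefix in parse_safe_classes(safe_classes))


def check_types(class_names: Iterable[str], safe_classes: str = DEFAULT_SAFE_CLASSES) -> List[str]:
    """Return the class names the setting would reject (useful for logging or alerting)."""
    return [c for c in class_names if not is_safe_class(c, safe_classes)]


# Constructed sample type names (hypothetical, not taken from Graylog): one in a
# Graylog namespace, one plugin class in a custom namespace, one unrelated class.
SAMPLE_TYPES = [
    "org.graylog2.example.ExampleConfig",
    "custom.plugin.namespace.PluginConfig",
    "com.example.Untrusted",
]

if __name__ == "__main__":
    # Default setting: only the Graylog-namespaced class passes.
    print(check_types(SAMPLE_TYPES))
    # Setting extended for the plugin namespace, as suggested in the description.
    print(check_types(SAMPLE_TYPES, "org.graylog.,org.graylog2.,custom.plugin.namespace."))
    # Caveat: dropping the trailing dot widens the match to sibling packages.
    print(is_safe_class("org.graylogevil.Payload", "org.graylog"))
    print(is_safe_class("org.graylogevil.Payload", "org.graylog."))
```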

@bernd bernd requested a review from kroepke February 6, 2024 14:54
bernd added 2 commits February 6, 2024 15:57

@bernd bernd merged commit 75ef2b8 into 5.1 Feb 6, 2024
@bernd bernd deleted the add/restricted-classloader-5.1 branch February 6, 2024 16:38