security: pac4j can cause deserialization of untrusted data

- Prevent setting encoded values outside pac4j internals
- Link to security advisory: GHSA-7c5v-895v-w4q5

Author: jknack

modules/jooby-bom/pom.xml

@@ -0,0 +1,126 @@
+/*
+ * Jooby https://jooby.io
+ * Apache License Version 2.0 https://jooby.io/LICENSE.txt
+ * Copyright 2014 Edgar Espina
+ */
+package io.jooby.internal.pac4j;
+
+import java.time.Instant;
+import java.util.Map;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.Nullable;
+import io.jooby.*;
+import io.jooby.pac4j.Pac4jUntrustedDataFound;
+
+class Pac4jSession implements Session {
+  public static final String PAC4J = "p4j~";
+
+  public static final String BIN = "b64~";
+
+  private final Session session;
+
+  public Pac4jSession(@NonNull Session session) {
+    this.session = session;
+  }
+
+  @Nullable public String getId() {
+    return session.getId();
+  }
+
+  @NonNull public Value get(@NonNull String name) {
+    return session.get(name);
+  }
+
+  @NonNull public Instant getLastAccessedTime() {
+    return session.getLastAccessedTime();
+  }
+
+  public void destroy() {
+    session.destroy();
+  }
+
+  @NonNull public Session setId(String id) {
+    session.setId(id);
+    return this;
+  }
+
+  @NonNull public Value remove(@NonNull String name) {
+    return session.remove(name);
+  }
+
+  public boolean isNew() {
+    return session.isNew();
+  }
+
+  @NonNull public Session setNew(boolean isNew) {
+    session.setNew(isNew);
+    return this;
+  }
+
+  @NonNull public Session setLastAccessedTime(@NonNull Instant lastAccessedTime) {
+    session.setLastAccessedTime(lastAccessedTime);
+    return this;
+  }
+
+  public boolean isModify() {
+    return session.isModify();
+  }
+
+  @NonNull public Session setCreationTime(@NonNull Instant creationTime) {
+    session.setCreationTime(creationTime);
+    return this;
+  }
+
+  @NonNull public Session setModify(boolean modify) {
+    session.setModify(modify);
+    return this;
+  }
+
+  public Session renewId() {
+    session.renewId();
+    return this;
+  }
+
+  @NonNull public Instant getCreationTime() {
+    return session.getCreationTime();
+  }
+
+  @NonNull public Map<String, String> toMap() {
+    return session.toMap();
+  }
+
+  public Session clear() {
+    session.clear();
+    return this;
+  }
+
+  public Session getSession() {
+    return session;
+  }
+
+  public static Context create(Context ctx) {
+    return new ForwardingContext(ctx) {
+      @NonNull @Override
+      public Session session() {
+        return new Pac4jSession(super.session());
+      }
+
+      @Override
+      public Session sessionOrNull() {
+        Session session = super.sessionOrNull();
+        return session == null ? null : new Pac4jSession(session);
+      }
+    };
+  }
+
+  @NonNull @Override
+  public Session put(@NonNull String name, @NonNull String value) {
+    if (value != null) {
+      if (value.startsWith(PAC4J) || value.startsWith(BIN)) {
+        throw new Pac4jUntrustedDataFound(name);
+      }
+    }
+    return session.put(name, value);
+  }
+}

modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/Pac4jSession.java

@@ -13,13 +13,10 @@
 import static io.jooby.StatusCode.SEE_OTHER_CODE;
 import static io.jooby.StatusCode.TEMPORARY_REDIRECT_CODE;
 import static io.jooby.StatusCode.UNAUTHORIZED_CODE;
+import static io.jooby.internal.pac4j.Pac4jSession.BIN;
+import static io.jooby.internal.pac4j.Pac4jSession.PAC4J;
 
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
-import java.util.Base64;
+import java.io.*;
 import java.util.Optional;
 
 import org.pac4j.core.context.WebContext;
@@ -35,19 +32,15 @@
 import org.pac4j.core.exception.http.UnauthorizedAction;
 import org.pac4j.core.exception.http.WithContentAction;
 import org.pac4j.core.exception.http.WithLocationAction;
+import org.pac4j.core.util.serializer.Serializer;
 
 import io.jooby.Context;
 import io.jooby.Session;
-import io.jooby.SneakyThrows;
 import io.jooby.Value;
 import io.jooby.pac4j.Pac4jContext;
 
 public class SessionStoreImpl implements org.pac4j.core.context.session.SessionStore {
 
-  private static final String PAC4J = "p4j~";
-
-  private static final String BIN = "b64~";
-
   private Session getSession(WebContext context) {
     return context(context).session();
   }
@@ -75,20 +68,17 @@ public Optional<String> getSessionId(WebContext context, boolean createSession)
 
   @Override
   public Optional<Object> get(WebContext context, String key) {
-    Optional sessionValue =
-        getSessionOrEmpty(context)
-            .map(session -> session.get(key))
-            .map(SessionStoreImpl::strToObject)
-            .orElseGet(Optional::empty);
-    return sessionValue;
+    return getSessionOrEmpty(context)
+        .map(session -> session.get(key))
+        .flatMap(value -> strToObject(context(context).require(Serializer.class), value));
   }
 
   @Override
   public void set(WebContext context, String key, Object value) {
-    if (value == null || value.toString().length() == 0) {
+    if (value == null || value.toString().isEmpty()) {
       getSessionOrEmpty(context).ifPresent(session -> session.remove(key));
     } else {
-      String encoded = objToStr(value);
+      String encoded = objToStr(context(context).require(Serializer.class), value);
       getSession(context).put(key, encoded);
     }
   }
@@ -116,42 +106,31 @@ public Optional<SessionStore> buildFromTrackableSession(
 
   @Override
   public boolean renewSession(WebContext context) {
-    getSessionOrEmpty(context).ifPresent(session -> session.renewId());
-    return true;
+    var session = getSessionOrEmpty(context);
+    session.ifPresent(Session::renewId);
+    return session.isPresent();
   }
 
-  static Optional<Object> strToObject(final Value node) {
+  static Optional<Object> strToObject(Serializer serializer, Value node) {
     if (node.isMissing()) {
       return Optional.empty();
     }
     String value = node.value();
     if (value.startsWith(BIN)) {
-      try {
-        byte[] bytes = Base64.getDecoder().decode(value.substring(BIN.length()));
-        return Optional.of(new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject());
-      } catch (Exception x) {
-        throw SneakyThrows.propagate(x);
-      }
+      return Optional.of(serializer.deserializeFromString(value.substring(BIN.length())));
     } else if (value.startsWith(PAC4J)) {
       return Optional.of(strToAction(value.substring(PAC4J.length())));
     }
     return Optional.of(value);
   }
 
-  static String objToStr(final Object value) {
+  static String objToStr(Serializer serializer, Object value) {
     if (value instanceof CharSequence || value instanceof Number || value instanceof Boolean) {
       return value.toString();
     } else if (value instanceof HttpAction) {
       return actionToStr((HttpAction) value);
-    }
-    try {
-      ByteArrayOutputStream bytes = new ByteArrayOutputStream();
-      ObjectOutputStream stream = new ObjectOutputStream(bytes);
-      stream.writeObject(value);
-      stream.flush();
-      return BIN + Base64.getEncoder().encodeToString(bytes.toByteArray());
-    } catch (IOException x) {
-      throw SneakyThrows.propagate(x);
+    } else {
+      return BIN + serializer.serializeToString(value);
     }
   }
 

modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java

@@ -0,0 +1,23 @@
+/*
+ * Jooby https://jooby.io
+ * Apache License Version 2.0 https://jooby.io/LICENSE.txt
+ * Copyright 2014 Edgar Espina
+ */
+package io.jooby.internal.pac4j;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import io.jooby.Route;
+import io.jooby.Session;
+
+public class UntrustedSessionDataDetector implements Route.Filter {
+  @Override
+  @NonNull public Route.Handler apply(@NonNull Route.Handler next) {
+    return ctx -> {
+      Session session = ctx.sessionOrNull();
+      if (session instanceof Pac4jSession) {
+        return session;
+      }
+      return session == null ? next.apply(ctx) : next.apply(Pac4jSession.create(ctx));
+    };
+  }
+}

modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/UntrustedSessionDataDetector.java

@@ -31,6 +31,7 @@
 import org.pac4j.core.http.adapter.HttpActionAdapter;
 import org.pac4j.core.http.url.UrlResolver;
 import org.pac4j.core.profile.factory.ProfileManagerFactory;
+import org.pac4j.core.util.serializer.Serializer;
 import org.pac4j.http.client.indirect.FormClient;
 import org.pac4j.http.credentials.authenticator.test.SimpleTestUsernamePasswordAuthenticator;
 
@@ -345,7 +346,10 @@ public Pac4jModule client(
 
   @Override
   public void install(@NonNull Jooby app) throws Exception {
-    app.getServices().putIfAbsent(Pac4jOptions.class, options);
+    var services = app.getServices();
+    services.putIfAbsent(Pac4jOptions.class, options);
+    // Set defaults:
+    services.putIfAbsent(Serializer.class, options.getSerializer());
 
     var clients =
         ofNullable(options.getClients())
@@ -488,6 +492,7 @@ public void install(@NonNull Jooby app) throws Exception {
     if (securityLogic == null) {
       options.setSecurityLogic(newSecurityLogic(excludes));
     }
+    app.use(new UntrustedSessionDataDetector());
 
     /** For each client to a specific path, add a security handler. */
     for (var entry : allClients.entrySet()) {

modules/jooby-pac4j/src/main/java/io/jooby/pac4j/Pac4jModule.java

@@ -8,6 +8,8 @@
 import java.util.Optional;
 
 import org.pac4j.core.config.Config;
+import org.pac4j.core.util.serializer.JavaSerializer;
+import org.pac4j.core.util.serializer.Serializer;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.Nullable;
@@ -52,6 +54,8 @@ public class Pac4jOptions extends Config {
 
   private boolean forceLogoutRoutes = false;
 
+  private Serializer serializer = new JavaSerializer();
+
   private Pac4jOptions(Config config) {
     setClients(config.getClients());
     Optional.ofNullable(config.getAuthorizers()).ifPresent(this::setAuthorizers);
@@ -353,8 +357,30 @@ public boolean isForceLogoutRoutes() {
    *
    * @param logoutUrlPattern It’s the logout URL pattern that the url parameter must match. It is an
    *     optional parameter and only relative URLs are allowed by default.
+   * @return This instance.
    */
-  public void setLogoutUrlPattern(String logoutUrlPattern) {
+  public @NonNull Pac4jOptions setLogoutUrlPattern(String logoutUrlPattern) {
     this.logoutUrlPattern = logoutUrlPattern;
+    return this;
+  }
+
+  /**
+   * Used for save complex object into session while using indirect clients.
+   *
+   * @return Serializer, defaults to {@link JavaSerializer}.
+   */
+  public @NonNull Serializer getSerializer() {
+    return serializer;
+  }
+
+  /**
+   * Set serializer for saving complex object into session while using indirect clients.
+   *
+   * @param serializer Serializer.
+   * @return This instance.
+   */
+  public @NonNull Pac4jOptions setSerializer(@NonNull Serializer serializer) {
+    this.serializer = serializer;
+    return this;
   }
 }

modules/jooby-pac4j/src/main/java/io/jooby/pac4j/Pac4jOptions.java

@@ -0,0 +1,20 @@
+/*
+ * Jooby https://jooby.io
+ * Apache License Version 2.0 https://jooby.io/LICENSE.txt
+ * Copyright 2014 Edgar Espina
+ */
+package io.jooby.pac4j;
+
+import io.jooby.StatusCode;
+import io.jooby.exception.StatusCodeException;
+
+/**
+ * Occurs when sensitive encoded data is set outside pac4j internals.
+ *
+ * @since 2.16.6
+ */
+public class Pac4jUntrustedDataFound extends StatusCodeException {
+  public Pac4jUntrustedDataFound(String message) {
+    super(StatusCode.FORBIDDEN, message);
+  }
+}

modules/jooby-pac4j/src/main/java/io/jooby/pac4j/Pac4jUntrustedDataFound.java

@@ -13,4 +13,5 @@
   requires org.slf4j;
   requires pac4j.core;
   requires pac4j.http;
+  requires jsr305;
 }