Critical severityCISA KEVNVD Advisory· Published Oct 27, 2023· Updated Nov 3, 2025
Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack
CVE-2023-46604
Description
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.
Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.activemq:activemq-clientMaven | < 5.15.16 | 5.15.16 |
org.apache.activemq:activemq-clientMaven | >= 5.16.0, < 5.16.7 | 5.16.7 |
org.apache.activemq:activemq-clientMaven | >= 5.17.0, < 5.17.6 | 5.17.6 |
org.apache.activemq:activemq-clientMaven | >= 5.18.0, < 5.18.3 | 5.18.3 |
org.apache.activemq:activemq-openwire-legacyMaven | >= 5.8.0, < 5.15.16 | 5.15.16 |
org.apache.activemq:activemq-openwire-legacyMaven | >= 5.16.0, < 5.16.7 | 5.16.7 |
org.apache.activemq:activemq-openwire-legacyMaven | >= 5.17.0, < 5.17.6 | 5.17.6 |
org.apache.activemq:activemq-openwire-legacyMaven | >= 5.18.0, < 5.18.3 | 5.18.3 |
Affected products
2- Apache Software Foundation/Apache ActiveMQv5Range: 5.18.0
- Apache Software Foundation/Apache ActiveMQ Legacy OpenWire Modulev5Range: 5.18.0
Patches
580089f9f476aMerge pull request #1098 from cshannon/openwire-throwable-fix
18 files changed · +405 −0
activemq-client/pom.xml+11 −0 modified@@ -268,6 +268,17 @@ </execution> </executions> </plugin> + <!-- generate the attached tests jar --> + <plugin> + <artifactId>maven-jar-plugin</artifactId> + <executions> + <execution> + <goals> + <goal>test-jar</goal> + </goals> + </execution> + </executions> + </plugin> </plugins> <pluginManagement> <plugins>
activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java+32 −0 added@@ -0,0 +1,32 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +public class OpenWireUtil { + + /** + * Verify that the provided class extends {@link Throwable} and throw an + * {@link IllegalArgumentException} if it does not. + * + * @param clazz + */ + public static void validateIsThrowable(Class<?> clazz) { + if (!Throwable.class.isAssignableFrom(clazz)) { + throw new IllegalArgumentException("Class " + clazz + " is not assignable to Throwable"); + } + } +}
activemq-client/src/main/java/org/apache/activemq/openwire/v10/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v11/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v1/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -229,8 +230,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v9/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/test/java/org/apache/activemq/openwire/OpenWireValidationTest.java+166 −0 added@@ -0,0 +1,166 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +import static org.junit.Assert.assertTrue; + +import java.io.DataOutput; +import java.io.IOException; +import java.lang.reflect.Method; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import org.apache.activemq.command.CommandTypes; +import org.apache.activemq.command.ExceptionResponse; +import org.apache.activemq.util.ByteSequence; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; + +/** + * Test that Openwire marshalling will validate Throwable types during + * unmarshalling commands that contain a Throwable + */ +@RunWith(Parameterized.class) +public class OpenWireValidationTest { + + protected final int version; + + @Parameters(name = "version={0}") + public static Collection<Object[]> data() { + List<Integer> versions = List.of(1, 9, 10, 11, 12); + List<Object[]> versionObjs = new ArrayList<>(); + for (int i : versions) { + versionObjs.add(new Object[]{i}); + } + + // Sanity check to make sure the latest generated version is contained in the list + // This will make sure that we don't forget to update this test to include + // any future versions that are generated + assertTrue("List of Openwire versions does not include latest version", + versions.contains((int)CommandTypes.PROTOCOL_VERSION)); + + return versionObjs; + } + + public OpenWireValidationTest(int version) { + this.version = version; + } + + @Test + public void testOpenwireThrowableValidation() throws Exception { + // Create a format which will use loose encoding by default + // The code for handling exception creation is shared between both + // tight/loose encoding so only need to test 1 + OpenWireFormat format = new OpenWireFormat(); + + // Override the marshaller map with a custom impl to purposely marshal a class type that is + // not a Throwable for testing the unmarshaller + Class<?> marshallerFactory = getMarshallerFactory(); + Method createMarshallerMap = marshallerFactory.getMethod("createMarshallerMap", OpenWireFormat.class); + DataStreamMarshaller[] map = (DataStreamMarshaller[]) createMarshallerMap.invoke(marshallerFactory, format); + map[ExceptionResponse.DATA_STRUCTURE_TYPE] = getExceptionMarshaller(); + // This will trigger updating the marshaller from the marshaller map with the right version + format.setVersion(version); + + // Build the response and try to unmarshal which should give an IllegalArgumentExeption on unmarshall + // as the test marshaller should have encoded a class type that is not a Throwable + ExceptionResponse r = new ExceptionResponse(); + r.setException(new Exception()); + ByteSequence bss = format.marshal(r); + ExceptionResponse response = (ExceptionResponse) format.unmarshal(bss); + + assertTrue(response.getException() instanceof IllegalArgumentException); + assertTrue(response.getException().getMessage().contains("is not assignable to Throwable")); + } + + static class NotAThrowable { + private String message; + + public NotAThrowable(String message) { + this.message = message; + } + + public NotAThrowable() { + } + } + + private Class<?> getMarshallerFactory() throws ClassNotFoundException { + return Class.forName("org.apache.activemq.openwire.v" + version + ".MarshallerFactory"); + } + + // Create test marshallers for all non-legacy versions that will encode NotAThrowable + // instead of the exception type for testing purposes + protected DataStreamMarshaller getExceptionMarshaller() { + switch (version) { + case 12: + return new org.apache.activemq.openwire.v12.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 11: + return new org.apache.activemq.openwire.v11.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 10: + return new org.apache.activemq.openwire.v10.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 9: + return new org.apache.activemq.openwire.v9.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 1: + return new org.apache.activemq.openwire.v1.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + default: + throw new IllegalArgumentException("Unknown openwire version of " + version); + } + } + +}
activemq-openwire-legacy/pom.xml+12 −0 modified@@ -35,6 +35,18 @@ <groupId>org.apache.activemq</groupId> <artifactId>activemq-client</artifactId> </dependency> + + <dependency> + <groupId>org.apache.activemq</groupId> + <artifactId>activemq-client</artifactId> + <type>test-jar</type> + <scope>test</scope> + </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> </dependencies> </project>
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v2/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v3/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v4/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v5/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v6/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v7/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v8/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/test/java/org/apache/activemq/openwire/OpenWireLegacyValidationTest.java+129 −0 added@@ -0,0 +1,129 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +import java.io.DataOutput; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; + +/** + * Test that Openwire marshalling for legacy versions will validate Throwable types during + * unmarshalling commands that contain a Throwable + */ +@RunWith(Parameterized.class) +public class OpenWireLegacyValidationTest extends OpenWireValidationTest { + + + // Run through version 2 - 8 which are legacy + @Parameters(name = "version={0}") + public static Collection<Object[]> data() { + List<Object[]> versions = new ArrayList<>(); + for (int i = 2; i <= 8; i++) { + versions.add(new Object[]{i}); + } + return versions; + } + + public OpenWireLegacyValidationTest(int version) { + super(version); + } + + // Create test marshallers for all legacy versions that will encode NotAThrowable + // instead of the exception type for testing purposes + protected DataStreamMarshaller getExceptionMarshaller() { + switch (version) { + case 2: + return new org.apache.activemq.openwire.v2.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 3: + return new org.apache.activemq.openwire.v3.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 4: + return new org.apache.activemq.openwire.v4.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 5: + return new org.apache.activemq.openwire.v5.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 6: + return new org.apache.activemq.openwire.v6.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 7: + return new org.apache.activemq.openwire.v7.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 8: + return new org.apache.activemq.openwire.v8.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + default: + throw new IllegalArgumentException("Unknown openwire version of " + version); + } + } + +}
pom.xml+7 −0 modified@@ -297,6 +297,13 @@ <artifactId>activemq-client</artifactId> <version>${project.version}</version> </dependency> + <dependency> + <groupId>org.apache.activemq</groupId> + <artifactId>activemq-client</artifactId> + <version>${project.version}</version> + <type>test-jar</type> + <scope>test</scope> + </dependency> <dependency> <groupId>org.apache.activemq</groupId> <artifactId>activemq-openwire-legacy</artifactId>
d0ccdd31544aAMQ-9370 - Openwire marshaller should validate Throwable class type
18 files changed · +405 −0
activemq-client/pom.xml+11 −0 modified@@ -273,6 +273,17 @@ </execution> </executions> </plugin> + <!-- generate the attached tests jar --> + <plugin> + <artifactId>maven-jar-plugin</artifactId> + <executions> + <execution> + <goals> + <goal>test-jar</goal> + </goals> + </execution> + </executions> + </plugin> </plugins> <pluginManagement> <plugins>
activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java+32 −0 added@@ -0,0 +1,32 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +public class OpenWireUtil { + + /** + * Verify that the provided class extends {@link Throwable} and throw an + * {@link IllegalArgumentException} if it does not. + * + * @param clazz + */ + public static void validateIsThrowable(Class<?> clazz) { + if (!Throwable.class.isAssignableFrom(clazz)) { + throw new IllegalArgumentException("Class " + clazz + " is not assignable to Throwable"); + } + } +}
activemq-client/src/main/java/org/apache/activemq/openwire/v10/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v11/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v1/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -229,8 +230,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v9/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/test/java/org/apache/activemq/openwire/OpenWireValidationTest.java+166 −0 added@@ -0,0 +1,166 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +import static org.junit.Assert.assertTrue; + +import java.io.DataOutput; +import java.io.IOException; +import java.lang.reflect.Method; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import org.apache.activemq.command.CommandTypes; +import org.apache.activemq.command.ExceptionResponse; +import org.apache.activemq.util.ByteSequence; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; + +/** + * Test that Openwire marshalling will validate Throwable types during + * unmarshalling commands that contain a Throwable + */ +@RunWith(Parameterized.class) +public class OpenWireValidationTest { + + protected final int version; + + @Parameters(name = "version={0}") + public static Collection<Object[]> data() { + List<Integer> versions = List.of(1, 9, 10, 11, 12); + List<Object[]> versionObjs = new ArrayList<>(); + for (int i : versions) { + versionObjs.add(new Object[]{i}); + } + + // Sanity check to make sure the latest generated version is contained in the list + // This will make sure that we don't forget to update this test to include + // any future versions that are generated + assertTrue("List of Openwire versions does not include latest version", + versions.contains((int)CommandTypes.PROTOCOL_VERSION)); + + return versionObjs; + } + + public OpenWireValidationTest(int version) { + this.version = version; + } + + @Test + public void testOpenwireThrowableValidation() throws Exception { + // Create a format which will use loose encoding by default + // The code for handling exception creation is shared between both + // tight/loose encoding so only need to test 1 + OpenWireFormat format = new OpenWireFormat(); + + // Override the marshaller map with a custom impl to purposely marshal a class type that is + // not a Throwable for testing the unmarshaller + Class<?> marshallerFactory = getMarshallerFactory(); + Method createMarshallerMap = marshallerFactory.getMethod("createMarshallerMap", OpenWireFormat.class); + DataStreamMarshaller[] map = (DataStreamMarshaller[]) createMarshallerMap.invoke(marshallerFactory, format); + map[ExceptionResponse.DATA_STRUCTURE_TYPE] = getExceptionMarshaller(); + // This will trigger updating the marshaller from the marshaller map with the right version + format.setVersion(version); + + // Build the response and try to unmarshal which should give an IllegalArgumentExeption on unmarshall + // as the test marshaller should have encoded a class type that is not a Throwable + ExceptionResponse r = new ExceptionResponse(); + r.setException(new Exception()); + ByteSequence bss = format.marshal(r); + ExceptionResponse response = (ExceptionResponse) format.unmarshal(bss); + + assertTrue(response.getException() instanceof IllegalArgumentException); + assertTrue(response.getException().getMessage().contains("is not assignable to Throwable")); + } + + static class NotAThrowable { + private String message; + + public NotAThrowable(String message) { + this.message = message; + } + + public NotAThrowable() { + } + } + + private Class<?> getMarshallerFactory() throws ClassNotFoundException { + return Class.forName("org.apache.activemq.openwire.v" + version + ".MarshallerFactory"); + } + + // Create test marshallers for all non-legacy versions that will encode NotAThrowable + // instead of the exception type for testing purposes + protected DataStreamMarshaller getExceptionMarshaller() { + switch (version) { + case 12: + return new org.apache.activemq.openwire.v12.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 11: + return new org.apache.activemq.openwire.v11.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 10: + return new org.apache.activemq.openwire.v10.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 9: + return new org.apache.activemq.openwire.v9.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 1: + return new org.apache.activemq.openwire.v1.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + default: + throw new IllegalArgumentException("Unknown openwire version of " + version); + } + } + +}
activemq-openwire-legacy/pom.xml+12 −0 modified@@ -35,6 +35,18 @@ <groupId>org.apache.activemq</groupId> <artifactId>activemq-client</artifactId> </dependency> + + <dependency> + <groupId>org.apache.activemq</groupId> + <artifactId>activemq-client</artifactId> + <type>test-jar</type> + <scope>test</scope> + </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> </dependencies> </project>
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v2/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v3/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v4/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v5/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v6/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v7/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v8/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/test/java/org/apache/activemq/openwire/OpenWireLegacyValidationTest.java+129 −0 added@@ -0,0 +1,129 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +import java.io.DataOutput; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; + +/** + * Test that Openwire marshalling for legacy versions will validate Throwable types during + * unmarshalling commands that contain a Throwable + */ +@RunWith(Parameterized.class) +public class OpenWireLegacyValidationTest extends OpenWireValidationTest { + + + // Run through version 2 - 8 which are legacy + @Parameters(name = "version={0}") + public static Collection<Object[]> data() { + List<Object[]> versions = new ArrayList<>(); + for (int i = 2; i <= 8; i++) { + versions.add(new Object[]{i}); + } + return versions; + } + + public OpenWireLegacyValidationTest(int version) { + super(version); + } + + // Create test marshallers for all legacy versions that will encode NotAThrowable + // instead of the exception type for testing purposes + protected DataStreamMarshaller getExceptionMarshaller() { + switch (version) { + case 2: + return new org.apache.activemq.openwire.v2.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 3: + return new org.apache.activemq.openwire.v3.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 4: + return new org.apache.activemq.openwire.v4.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 5: + return new org.apache.activemq.openwire.v5.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 6: + return new org.apache.activemq.openwire.v6.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 7: + return new org.apache.activemq.openwire.v7.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 8: + return new org.apache.activemq.openwire.v8.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + default: + throw new IllegalArgumentException("Unknown openwire version of " + version); + } + } + +}
pom.xml+7 −0 modified@@ -296,6 +296,13 @@ <artifactId>activemq-client</artifactId> <version>${project.version}</version> </dependency> + <dependency> + <groupId>org.apache.activemq</groupId> + <artifactId>activemq-client</artifactId> + <version>${project.version}</version> + <type>test-jar</type> + <scope>test</scope> + </dependency> <dependency> <groupId>org.apache.activemq</groupId> <artifactId>activemq-openwire-legacy</artifactId>
958330df26cfAMQ-9370 - Openwire marshaller should validate Throwable class type
18 files changed · +405 −0
activemq-client/pom.xml+11 −0 modified@@ -268,6 +268,17 @@ </execution> </executions> </plugin> + <!-- generate the attached tests jar --> + <plugin> + <artifactId>maven-jar-plugin</artifactId> + <executions> + <execution> + <goals> + <goal>test-jar</goal> + </goals> + </execution> + </executions> + </plugin> </plugins> <pluginManagement> <plugins>
activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java+32 −0 added@@ -0,0 +1,32 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +public class OpenWireUtil { + + /** + * Verify that the provided class extends {@link Throwable} and throw an + * {@link IllegalArgumentException} if it does not. + * + * @param clazz + */ + public static void validateIsThrowable(Class<?> clazz) { + if (!Throwable.class.isAssignableFrom(clazz)) { + throw new IllegalArgumentException("Class " + clazz + " is not assignable to Throwable"); + } + } +}
activemq-client/src/main/java/org/apache/activemq/openwire/v10/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v11/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v1/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -229,8 +230,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v9/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/test/java/org/apache/activemq/openwire/OpenWireValidationTest.java+166 −0 added@@ -0,0 +1,166 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +import static org.junit.Assert.assertTrue; + +import java.io.DataOutput; +import java.io.IOException; +import java.lang.reflect.Method; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import org.apache.activemq.command.CommandTypes; +import org.apache.activemq.command.ExceptionResponse; +import org.apache.activemq.util.ByteSequence; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; + +/** + * Test that Openwire marshalling will validate Throwable types during + * unmarshalling commands that contain a Throwable + */ +@RunWith(Parameterized.class) +public class OpenWireValidationTest { + + protected final int version; + + @Parameters(name = "version={0}") + public static Collection<Object[]> data() { + List<Integer> versions = List.of(1, 9, 10, 11, 12); + List<Object[]> versionObjs = new ArrayList<>(); + for (int i : versions) { + versionObjs.add(new Object[]{i}); + } + + // Sanity check to make sure the latest generated version is contained in the list + // This will make sure that we don't forget to update this test to include + // any future versions that are generated + assertTrue("List of Openwire versions does not include latest version", + versions.contains((int)CommandTypes.PROTOCOL_VERSION)); + + return versionObjs; + } + + public OpenWireValidationTest(int version) { + this.version = version; + } + + @Test + public void testOpenwireThrowableValidation() throws Exception { + // Create a format which will use loose encoding by default + // The code for handling exception creation is shared between both + // tight/loose encoding so only need to test 1 + OpenWireFormat format = new OpenWireFormat(); + + // Override the marshaller map with a custom impl to purposely marshal a class type that is + // not a Throwable for testing the unmarshaller + Class<?> marshallerFactory = getMarshallerFactory(); + Method createMarshallerMap = marshallerFactory.getMethod("createMarshallerMap", OpenWireFormat.class); + DataStreamMarshaller[] map = (DataStreamMarshaller[]) createMarshallerMap.invoke(marshallerFactory, format); + map[ExceptionResponse.DATA_STRUCTURE_TYPE] = getExceptionMarshaller(); + // This will trigger updating the marshaller from the marshaller map with the right version + format.setVersion(version); + + // Build the response and try to unmarshal which should give an IllegalArgumentExeption on unmarshall + // as the test marshaller should have encoded a class type that is not a Throwable + ExceptionResponse r = new ExceptionResponse(); + r.setException(new Exception()); + ByteSequence bss = format.marshal(r); + ExceptionResponse response = (ExceptionResponse) format.unmarshal(bss); + + assertTrue(response.getException() instanceof IllegalArgumentException); + assertTrue(response.getException().getMessage().contains("is not assignable to Throwable")); + } + + static class NotAThrowable { + private String message; + + public NotAThrowable(String message) { + this.message = message; + } + + public NotAThrowable() { + } + } + + private Class<?> getMarshallerFactory() throws ClassNotFoundException { + return Class.forName("org.apache.activemq.openwire.v" + version + ".MarshallerFactory"); + } + + // Create test marshallers for all non-legacy versions that will encode NotAThrowable + // instead of the exception type for testing purposes + protected DataStreamMarshaller getExceptionMarshaller() { + switch (version) { + case 12: + return new org.apache.activemq.openwire.v12.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 11: + return new org.apache.activemq.openwire.v11.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 10: + return new org.apache.activemq.openwire.v10.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 9: + return new org.apache.activemq.openwire.v9.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 1: + return new org.apache.activemq.openwire.v1.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + default: + throw new IllegalArgumentException("Unknown openwire version of " + version); + } + } + +}
activemq-openwire-legacy/pom.xml+12 −0 modified@@ -35,6 +35,18 @@ <groupId>org.apache.activemq</groupId> <artifactId>activemq-client</artifactId> </dependency> + + <dependency> + <groupId>org.apache.activemq</groupId> + <artifactId>activemq-client</artifactId> + <type>test-jar</type> + <scope>test</scope> + </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> </dependencies> </project>
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v2/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v3/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v4/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v5/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v6/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v7/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v8/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/test/java/org/apache/activemq/openwire/OpenWireLegacyValidationTest.java+129 −0 added@@ -0,0 +1,129 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +import java.io.DataOutput; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; + +/** + * Test that Openwire marshalling for legacy versions will validate Throwable types during + * unmarshalling commands that contain a Throwable + */ +@RunWith(Parameterized.class) +public class OpenWireLegacyValidationTest extends OpenWireValidationTest { + + + // Run through version 2 - 8 which are legacy + @Parameters(name = "version={0}") + public static Collection<Object[]> data() { + List<Object[]> versions = new ArrayList<>(); + for (int i = 2; i <= 8; i++) { + versions.add(new Object[]{i}); + } + return versions; + } + + public OpenWireLegacyValidationTest(int version) { + super(version); + } + + // Create test marshallers for all legacy versions that will encode NotAThrowable + // instead of the exception type for testing purposes + protected DataStreamMarshaller getExceptionMarshaller() { + switch (version) { + case 2: + return new org.apache.activemq.openwire.v2.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 3: + return new org.apache.activemq.openwire.v3.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 4: + return new org.apache.activemq.openwire.v4.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 5: + return new org.apache.activemq.openwire.v5.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 6: + return new org.apache.activemq.openwire.v6.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 7: + return new org.apache.activemq.openwire.v7.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 8: + return new org.apache.activemq.openwire.v8.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + default: + throw new IllegalArgumentException("Unknown openwire version of " + version); + } + } + +}
pom.xml+7 −0 modified@@ -301,6 +301,13 @@ <artifactId>activemq-client</artifactId> <version>${project.version}</version> </dependency> + <dependency> + <groupId>org.apache.activemq</groupId> + <artifactId>activemq-client</artifactId> + <version>${project.version}</version> + <type>test-jar</type> + <scope>test</scope> + </dependency> <dependency> <groupId>org.apache.activemq</groupId> <artifactId>activemq-openwire-legacy</artifactId>
22442b2385b1AMQ-9370 - Openwire marshaller should validate Throwable class type
18 files changed · +405 −0
activemq-client/pom.xml+11 −0 modified@@ -268,6 +268,17 @@ </execution> </executions> </plugin> + <!-- generate the attached tests jar --> + <plugin> + <artifactId>maven-jar-plugin</artifactId> + <executions> + <execution> + <goals> + <goal>test-jar</goal> + </goals> + </execution> + </executions> + </plugin> </plugins> <pluginManagement> <plugins>
activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java+32 −0 added@@ -0,0 +1,32 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +public class OpenWireUtil { + + /** + * Verify that the provided class extends {@link Throwable} and throw an + * {@link IllegalArgumentException} if it does not. + * + * @param clazz + */ + public static void validateIsThrowable(Class<?> clazz) { + if (!Throwable.class.isAssignableFrom(clazz)) { + throw new IllegalArgumentException("Class " + clazz + " is not assignable to Throwable"); + } + } +}
activemq-client/src/main/java/org/apache/activemq/openwire/v10/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v11/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v1/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -229,8 +230,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v9/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/test/java/org/apache/activemq/openwire/OpenWireValidationTest.java+166 −0 added@@ -0,0 +1,166 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +import static org.junit.Assert.assertTrue; + +import java.io.DataOutput; +import java.io.IOException; +import java.lang.reflect.Method; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import org.apache.activemq.command.CommandTypes; +import org.apache.activemq.command.ExceptionResponse; +import org.apache.activemq.util.ByteSequence; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; + +/** + * Test that Openwire marshalling will validate Throwable types during + * unmarshalling commands that contain a Throwable + */ +@RunWith(Parameterized.class) +public class OpenWireValidationTest { + + protected final int version; + + @Parameters(name = "version={0}") + public static Collection<Object[]> data() { + List<Integer> versions = List.of(1, 9, 10, 11, 12); + List<Object[]> versionObjs = new ArrayList<>(); + for (int i : versions) { + versionObjs.add(new Object[]{i}); + } + + // Sanity check to make sure the latest generated version is contained in the list + // This will make sure that we don't forget to update this test to include + // any future versions that are generated + assertTrue("List of Openwire versions does not include latest version", + versions.contains((int)CommandTypes.PROTOCOL_VERSION)); + + return versionObjs; + } + + public OpenWireValidationTest(int version) { + this.version = version; + } + + @Test + public void testOpenwireThrowableValidation() throws Exception { + // Create a format which will use loose encoding by default + // The code for handling exception creation is shared between both + // tight/loose encoding so only need to test 1 + OpenWireFormat format = new OpenWireFormat(); + + // Override the marshaller map with a custom impl to purposely marshal a class type that is + // not a Throwable for testing the unmarshaller + Class<?> marshallerFactory = getMarshallerFactory(); + Method createMarshallerMap = marshallerFactory.getMethod("createMarshallerMap", OpenWireFormat.class); + DataStreamMarshaller[] map = (DataStreamMarshaller[]) createMarshallerMap.invoke(marshallerFactory, format); + map[ExceptionResponse.DATA_STRUCTURE_TYPE] = getExceptionMarshaller(); + // This will trigger updating the marshaller from the marshaller map with the right version + format.setVersion(version); + + // Build the response and try to unmarshal which should give an IllegalArgumentExeption on unmarshall + // as the test marshaller should have encoded a class type that is not a Throwable + ExceptionResponse r = new ExceptionResponse(); + r.setException(new Exception()); + ByteSequence bss = format.marshal(r); + ExceptionResponse response = (ExceptionResponse) format.unmarshal(bss); + + assertTrue(response.getException() instanceof IllegalArgumentException); + assertTrue(response.getException().getMessage().contains("is not assignable to Throwable")); + } + + static class NotAThrowable { + private String message; + + public NotAThrowable(String message) { + this.message = message; + } + + public NotAThrowable() { + } + } + + private Class<?> getMarshallerFactory() throws ClassNotFoundException { + return Class.forName("org.apache.activemq.openwire.v" + version + ".MarshallerFactory"); + } + + // Create test marshallers for all non-legacy versions that will encode NotAThrowable + // instead of the exception type for testing purposes + protected DataStreamMarshaller getExceptionMarshaller() { + switch (version) { + case 12: + return new org.apache.activemq.openwire.v12.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 11: + return new org.apache.activemq.openwire.v11.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 10: + return new org.apache.activemq.openwire.v10.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 9: + return new org.apache.activemq.openwire.v9.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 1: + return new org.apache.activemq.openwire.v1.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + default: + throw new IllegalArgumentException("Unknown openwire version of " + version); + } + } + +}
activemq-openwire-legacy/pom.xml+12 −0 modified@@ -35,6 +35,18 @@ <groupId>org.apache.activemq</groupId> <artifactId>activemq-client</artifactId> </dependency> + + <dependency> + <groupId>org.apache.activemq</groupId> + <artifactId>activemq-client</artifactId> + <type>test-jar</type> + <scope>test</scope> + </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> </dependencies> </project>
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v2/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v3/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v4/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v5/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v6/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v7/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v8/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/test/java/org/apache/activemq/openwire/OpenWireLegacyValidationTest.java+129 −0 added@@ -0,0 +1,129 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +import java.io.DataOutput; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; + +/** + * Test that Openwire marshalling for legacy versions will validate Throwable types during + * unmarshalling commands that contain a Throwable + */ +@RunWith(Parameterized.class) +public class OpenWireLegacyValidationTest extends OpenWireValidationTest { + + + // Run through version 2 - 8 which are legacy + @Parameters(name = "version={0}") + public static Collection<Object[]> data() { + List<Object[]> versions = new ArrayList<>(); + for (int i = 2; i <= 8; i++) { + versions.add(new Object[]{i}); + } + return versions; + } + + public OpenWireLegacyValidationTest(int version) { + super(version); + } + + // Create test marshallers for all legacy versions that will encode NotAThrowable + // instead of the exception type for testing purposes + protected DataStreamMarshaller getExceptionMarshaller() { + switch (version) { + case 2: + return new org.apache.activemq.openwire.v2.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 3: + return new org.apache.activemq.openwire.v3.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 4: + return new org.apache.activemq.openwire.v4.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 5: + return new org.apache.activemq.openwire.v5.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 6: + return new org.apache.activemq.openwire.v6.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 7: + return new org.apache.activemq.openwire.v7.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 8: + return new org.apache.activemq.openwire.v8.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + default: + throw new IllegalArgumentException("Unknown openwire version of " + version); + } + } + +}
pom.xml+7 −0 modified@@ -313,6 +313,13 @@ <artifactId>activemq-client</artifactId> <version>${project.version}</version> </dependency> + <dependency> + <groupId>org.apache.activemq</groupId> + <artifactId>activemq-client</artifactId> + <version>${project.version}</version> + <type>test-jar</type> + <scope>test</scope> + </dependency> <dependency> <groupId>org.apache.activemq</groupId> <artifactId>activemq-openwire-legacy</artifactId>
9905e2a5bf98AMQ-9370 - Openwire marshaller should validate Throwable class type
18 files changed · +405 −0
activemq-client/pom.xml+11 −0 modified@@ -261,6 +261,17 @@ </execution> </executions> </plugin> + <!-- generate the attached tests jar --> + <plugin> + <artifactId>maven-jar-plugin</artifactId> + <executions> + <execution> + <goals> + <goal>test-jar</goal> + </goals> + </execution> + </executions> + </plugin> </plugins> <pluginManagement> <plugins>
activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java+32 −0 added@@ -0,0 +1,32 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +public class OpenWireUtil { + + /** + * Verify that the provided class extends {@link Throwable} and throw an + * {@link IllegalArgumentException} if it does not. + * + * @param clazz + */ + public static void validateIsThrowable(Class<?> clazz) { + if (!Throwable.class.isAssignableFrom(clazz)) { + throw new IllegalArgumentException("Class " + clazz + " is not assignable to Throwable"); + } + } +}
activemq-client/src/main/java/org/apache/activemq/openwire/v10/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v11/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v1/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -229,8 +230,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/main/java/org/apache/activemq/openwire/v9/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-client/src/test/java/org/apache/activemq/openwire/OpenWireValidationTest.java+166 −0 added@@ -0,0 +1,166 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +import static org.junit.Assert.assertTrue; + +import java.io.DataOutput; +import java.io.IOException; +import java.lang.reflect.Method; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import org.apache.activemq.command.CommandTypes; +import org.apache.activemq.command.ExceptionResponse; +import org.apache.activemq.util.ByteSequence; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; + +/** + * Test that Openwire marshalling will validate Throwable types during + * unmarshalling commands that contain a Throwable + */ +@RunWith(Parameterized.class) +public class OpenWireValidationTest { + + protected final int version; + + @Parameters(name = "version={0}") + public static Collection<Object[]> data() { + List<Integer> versions = List.of(1, 9, 10, 11, 12); + List<Object[]> versionObjs = new ArrayList<>(); + for (int i : versions) { + versionObjs.add(new Object[]{i}); + } + + // Sanity check to make sure the latest generated version is contained in the list + // This will make sure that we don't forget to update this test to include + // any future versions that are generated + assertTrue("List of Openwire versions does not include latest version", + versions.contains((int)CommandTypes.PROTOCOL_VERSION)); + + return versionObjs; + } + + public OpenWireValidationTest(int version) { + this.version = version; + } + + @Test + public void testOpenwireThrowableValidation() throws Exception { + // Create a format which will use loose encoding by default + // The code for handling exception creation is shared between both + // tight/loose encoding so only need to test 1 + OpenWireFormat format = new OpenWireFormat(); + + // Override the marshaller map with a custom impl to purposely marshal a class type that is + // not a Throwable for testing the unmarshaller + Class<?> marshallerFactory = getMarshallerFactory(); + Method createMarshallerMap = marshallerFactory.getMethod("createMarshallerMap", OpenWireFormat.class); + DataStreamMarshaller[] map = (DataStreamMarshaller[]) createMarshallerMap.invoke(marshallerFactory, format); + map[ExceptionResponse.DATA_STRUCTURE_TYPE] = getExceptionMarshaller(); + // This will trigger updating the marshaller from the marshaller map with the right version + format.setVersion(version); + + // Build the response and try to unmarshal which should give an IllegalArgumentExeption on unmarshall + // as the test marshaller should have encoded a class type that is not a Throwable + ExceptionResponse r = new ExceptionResponse(); + r.setException(new Exception()); + ByteSequence bss = format.marshal(r); + ExceptionResponse response = (ExceptionResponse) format.unmarshal(bss); + + assertTrue(response.getException() instanceof IllegalArgumentException); + assertTrue(response.getException().getMessage().contains("is not assignable to Throwable")); + } + + static class NotAThrowable { + private String message; + + public NotAThrowable(String message) { + this.message = message; + } + + public NotAThrowable() { + } + } + + private Class<?> getMarshallerFactory() throws ClassNotFoundException { + return Class.forName("org.apache.activemq.openwire.v" + version + ".MarshallerFactory"); + } + + // Create test marshallers for all non-legacy versions that will encode NotAThrowable + // instead of the exception type for testing purposes + protected DataStreamMarshaller getExceptionMarshaller() { + switch (version) { + case 12: + return new org.apache.activemq.openwire.v12.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 11: + return new org.apache.activemq.openwire.v11.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 10: + return new org.apache.activemq.openwire.v10.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 9: + return new org.apache.activemq.openwire.v9.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 1: + return new org.apache.activemq.openwire.v1.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + default: + throw new IllegalArgumentException("Unknown openwire version of " + version); + } + } + +}
activemq-openwire-legacy/pom.xml+12 −0 modified@@ -35,6 +35,18 @@ <groupId>org.apache.activemq</groupId> <artifactId>activemq-client</artifactId> </dependency> + + <dependency> + <groupId>org.apache.activemq</groupId> + <artifactId>activemq-client</artifactId> + <type>test-jar</type> + <scope>test</scope> + </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> </dependencies> </project>
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v2/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v3/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v4/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v5/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v6/BaseDataStreamMarshaller.java+4 −0 modified@@ -25,6 +25,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -228,8 +229,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v7/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v8/BaseDataStreamMarshaller.java+4 −0 modified@@ -24,6 +24,7 @@ import org.apache.activemq.openwire.BooleanStream; import org.apache.activemq.openwire.DataStreamMarshaller; import org.apache.activemq.openwire.OpenWireFormat; +import org.apache.activemq.openwire.OpenWireUtil; import org.apache.activemq.util.ByteSequence; public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller { @@ -227,8 +228,11 @@ protected Throwable tightUnmarsalThrowable(OpenWireFormat wireFormat, DataInput private Throwable createThrowable(String className, String message) { try { Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader()); + OpenWireUtil.validateIsThrowable(clazz); Constructor constructor = clazz.getConstructor(new Class[] {String.class}); return (Throwable)constructor.newInstance(new Object[] {message}); + } catch (IllegalArgumentException e) { + return e; } catch (Throwable e) { return new Throwable(className + ": " + message); }
activemq-openwire-legacy/src/test/java/org/apache/activemq/openwire/OpenWireLegacyValidationTest.java+129 −0 added@@ -0,0 +1,129 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.openwire; + +import java.io.DataOutput; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; + +/** + * Test that Openwire marshalling for legacy versions will validate Throwable types during + * unmarshalling commands that contain a Throwable + */ +@RunWith(Parameterized.class) +public class OpenWireLegacyValidationTest extends OpenWireValidationTest { + + + // Run through version 2 - 8 which are legacy + @Parameters(name = "version={0}") + public static Collection<Object[]> data() { + List<Object[]> versions = new ArrayList<>(); + for (int i = 2; i <= 8; i++) { + versions.add(new Object[]{i}); + } + return versions; + } + + public OpenWireLegacyValidationTest(int version) { + super(version); + } + + // Create test marshallers for all legacy versions that will encode NotAThrowable + // instead of the exception type for testing purposes + protected DataStreamMarshaller getExceptionMarshaller() { + switch (version) { + case 2: + return new org.apache.activemq.openwire.v2.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 3: + return new org.apache.activemq.openwire.v3.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 4: + return new org.apache.activemq.openwire.v4.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 5: + return new org.apache.activemq.openwire.v5.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 6: + return new org.apache.activemq.openwire.v6.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 7: + return new org.apache.activemq.openwire.v7.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + case 8: + return new org.apache.activemq.openwire.v8.ExceptionResponseMarshaller() { + @Override + protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o, + DataOutput dataOut) throws IOException { + dataOut.writeBoolean(o != null); + looseMarshalString(NotAThrowable.class.getName(), dataOut); + looseMarshalString(o.getMessage(), dataOut); + } + }; + default: + throw new IllegalArgumentException("Unknown openwire version of " + version); + } + } + +}
pom.xml+7 −0 modified@@ -325,6 +325,13 @@ <artifactId>activemq-client</artifactId> <version>${project.version}</version> </dependency> + <dependency> + <groupId>org.apache.activemq</groupId> + <artifactId>activemq-client</artifactId> + <version>${project.version}</version> + <type>test-jar</type> + <scope>test</scope> + </dependency> <dependency> <groupId>org.apache.activemq</groupId> <artifactId>activemq-openwire-legacy</artifactId>
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
21- activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txtghsavendor-advisoryWEB
- github.com/advisories/GHSA-crg9-44h2-xw35ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-46604ghsaADVISORY
- packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.htmlghsaWEB
- seclists.org/fulldisclosure/2024/Apr/18ghsaWEB
- www.openwall.com/lists/oss-security/2023/10/27/5ghsaWEB
- activemq.apache.org/security-advisories.data/CVE-2023-46604ghsaWEB
- github.com/apache/activemq/commit/22442b2385b1000312aec3d19e510131d595a5fcghsaWEB
- github.com/apache/activemq/commit/80089f9f476afab7d976f5fc37c5ab4aa0c2139dghsaWEB
- github.com/apache/activemq/commit/958330df26cf3d5cdb63905dc2c6882e98781d8fghsaWEB
- github.com/apache/activemq/commit/9905e2a5bf9862a049f94ce0a2465b0c7ad52436ghsaWEB
- github.com/apache/activemq/commit/d0ccdd31544ada83185554c87c7aa141064020f0ghsaWEB
- github.com/apache/activemq/pull/1098ghsaWEB
- issues.apache.org/jira/browse/AMQ-9370ghsaWEB
- lists.debian.org/debian-lts-announce/2023/11/msg00013.htmlghsaWEB
- lists.debian.org/debian-lts-announce/2024/10/msg00027.htmlghsaWEB
- packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.htmlghsaWEB
- security.netapp.com/advisory/ntap-20231110-0010ghsaWEB
- www.cisa.gov/known-exploited-vulnerabilities-catalogghsaWEB
- www.openwall.com/lists/oss-security/2023/10/27/5ghsaWEB
- security.netapp.com/advisory/ntap-20231110-0010/mitre
News mentions
1- Exploits and vulnerabilities in Q1 2026Securelist · May 7, 2026