Fix security vulnerabilities: Add deserialization filtering and use SecureRandom

[Copilot]

Overview

This PR addresses two critical security vulnerabilities identified in the codebase:

1. Insecure Deserialization in ExceptionSerializer
2. Weak Random Number Generation in IdWorker

Security Issues Fixed

1. Insecure Deserialization (CRITICAL)

File: saga/seata-saga-engine/src/main/java/org/apache/seata/saga/engine/serializer/impl/ExceptionSerializer.java

Vulnerability: The deserializeByObjectInputStream method used ObjectInputStream without any class filtering, making it vulnerable to deserialization attacks (CWE-502). Attackers could potentially execute arbitrary code by crafting malicious serialized objects.

Fix: Implemented a custom ObjectInputStream that overrides resolveClass() to enforce a strict class whitelist. Only the following types are permitted for deserialization:

• Java exception types (java.lang.Exception, java.lang.Throwable, java.lang.RuntimeException, java.lang.Error)
• Standard Java classes (java.io.*, java.util.*, java.time.*, java.lang.String, java.lang.Number)
• Arrays
• Seata internal classes (org.apache.seata.*)

Any attempt to deserialize unauthorized classes now throws a SecurityException with a descriptive error message.

2. Weak Random Number Generation (MEDIUM)

File: common/src/main/java/org/apache/seata/common/util/IdWorker.java

Vulnerability: The generateRandomWorkerId() method used java.util.Random (CWE-338), which is a pseudo-random number generator that is predictable and not cryptographically secure.

Fix: Replaced new Random().nextInt(maxWorkerId + 1) with new SecureRandom().nextInt(maxWorkerId + 1). SecureRandom provides cryptographically strong random numbers, ensuring worker IDs are unpredictable and secure.

Testing

• ✅ IdWorker unit tests pass with SecureRandom implementation
• ✅ Common module builds and tests successfully
• ✅ Saga-engine module compiles without errors
• ✅ Saga-spring module compiles successfully (uses ExceptionSerializer)
• ✅ No breaking changes to public APIs

Security Compliance

These fixes align with industry security standards:

• OWASP Top 10 (2021) - A08: Software and Data Integrity Failures
• CWE-502: Deserialization of Untrusted Data
• CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator

Additional Notes

During the security audit, we verified that RaftSnapshotSerializer and RaftSyncMessageSerializer already implement proper deserialization security with class whitelisting. All deserialization points in the codebase are now properly protected.

Impact

• ExceptionSerializer: The comprehensive whitelist should accommodate all legitimate use cases while preventing exploitation attempts
• IdWorker: The change to SecureRandom maintains full backward compatibility while providing enhanced security

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• httpbin.org
• registry.npmmirror.com
  • Triggering command: npm install (dns block)
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
• repository.apache.org
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.11/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.11/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.11 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.11/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/fescar/fescar org.codehaus.plexus.classworlds.launcher.Launcher clean test -DskipTests=false -Dtest=IdWorkerTest (dns block)
• seata.io
• www.apache.org

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

扫描代码中可能存在的安全风险并修复它。

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.