fix[PPP-5720]: remove instances of unsafe deserialization by readObject

[miguelappleton]

My main changes involve 3 different fixes for these insecure uses of readObject:

• when the object was a String, I replaced writeObject and readObject with writeUTF and readUTF;

• when the object was a custom type, I added it to an ObjectInputFilter, which is passed into the ObjectInputStream, to only allow those types:

  • I had to create a custom filter class because ObjectInputStream does some stream header reading on its constructor, and you can only set an ObjectInputFilter when the stream has not read anything, so I had to do it via this custom class, as the filter could not be set after class instantiation;

• for extraCacheKey I could not add it to the filter as is, because the object was a Serializable, and if I allow the ObjectInputStream to accept Serializable objects, the danger of injection attacks still remains. However I saw that extraCacheKey was just a CacheKey object that was being unnecessarily converted (or "extended") to its parent type Serializable, so I just made it "remain" as a CacheKey through the whole process and then filtered that custom type, similarly to the ones on the above step.

I also addressed (in a separate commit) some of the SonarQube changes suggested for the files I altered (and some other files that I had altered but ended up not altering), but I wasn't super thorough and basically only did the changes which I believed would not cause problems elsewhere.

[miguelappleton]

From running a test workflow without these changes, I can see that 19 of the 24 failed tests are failing regardless of the changes in this PR.

The ones that are currently failing due to this PR are the following:

• pt.webdetails.cda.filetests.CompoundQueryTest.testCompoundUnion: filter can not be set after an object has been read;
• pt.webdetails.cda.filetests.SqlTest.testSqlQueryCache: filter can not be set after an object has been read;
• pt.webdetails.cda.filetests.SqlTest.testStringArrayParameter: filter can not be set after an object has been read;
• pt.webdetails.cda.filetests.SqlTest.testFormulaCacheSql: filter can not be set after an object has been read;
• pt.webdetails.cda.utils.ParameterTest.testParamNumericArraySerialization: filter status: REJECTED.

(Which makes sense because they relate to the addition of the ObjectInputFilter)

Currently working on addressing these.

[befc]

LGTM ✅

[hitachivantarasonarqube]

• 67.80% Coverage on New Code (is less than 80.00%)

Analysis Details

0 Issues

• 0 Bugs
• 0 Vulnerabilities
• 0 Code Smells

Coverage and Duplications

• 67.80% Coverage (47.40% Estimated after merge)
• 0.00% Duplicated Code (2.10% Estimated after merge)

Project ID: pentaho:cda-plugin

View in SonarQube

[buildguy]

Note:

---

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

---

🐸 JFrog Frogbot

[buildguy]

✅ Build finished in 16m 11s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox

---

👌 All tests passed!

Tests run: 240, Failures: 0, Skipped: 0    Test Results

---

ℹ️ This is an automatic message