Check object type at SparseMatrix deserialization (GHSA-f5cx-h789-j959)

Signed-off-by: Olivier Perrin <[email protected]>

Author: olperr1

math/src/main/java/com/powsybl/math/matrix/SparseMatrix.java

@@ -10,13 +10,13 @@
 import com.powsybl.commons.exceptions.UncheckedClassNotFoundException;
 import com.powsybl.commons.util.trove.TDoubleArrayListHack;
 import com.powsybl.commons.util.trove.TIntArrayListHack;
+import gnu.trove.list.array.TDoubleArrayList;
+import gnu.trove.list.array.TIntArrayList;
 
 import java.io.*;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Objects;
+import java.util.*;
 
 /**
  * Sparse matrix implementation in <a href="https://en.wikipedia.org/wiki/Sparse_matrix#Compressed_sparse_column_(CSC_or_CCS)">CSC</a></a> format.
@@ -26,9 +26,14 @@
  * @author Geoffroy Jamgotchian {@literal <geoffroy.jamgotchian at rte-france.com>}
  */
 public class SparseMatrix extends AbstractMatrix implements Serializable {
-
     private static final long serialVersionUID = -7810324161942335828L;
 
+    // Classes allowed during deserialization
+    private static final Set<Class<?>> ALLOWED_CLASSES = Set.of(SparseMatrix.class,
+            int[].class, double[].class,
+            TIntArrayListHack.class, TDoubleArrayListHack.class,
+            TIntArrayList.class, TDoubleArrayList.class);
+
     /**
      * Sparse Element implementation.
      * An element in a sparse matrix is defined by its index in the values vector.
@@ -487,6 +492,11 @@ public void write(OutputStream outputStream) {
     public static SparseMatrix read(InputStream inputStream) {
         Objects.requireNonNull(inputStream);
         try (ObjectInputStream objectInputStream = new ObjectInputStream(inputStream)) {
+            // Check that the object to deserialize is really a SparseMatrix.
+            // This check is done prior to its complete deserialization to prevent security problems (RCE).
+            // - Check that all non-null encountered classes are among the accepted ones (the one composing a SparseMatrix).
+            ObjectInputFilter allowedClassesFilter = ObjectInputFilter.allowFilter(ALLOWED_CLASSES::contains, ObjectInputFilter.Status.REJECTED);
+            objectInputStream.setObjectInputFilter(allowedClassesFilter);
             return (SparseMatrix) objectInputStream.readObject();
         } catch (IOException e) {
             throw new UncheckedIOException(e);

math/src/test/java/com/powsybl/math/matrix/SparseMatrixDeserializationTest.java

@@ -0,0 +1,75 @@
+/**
+ * Copyright (c) 2025, RTE (http://www.rte-france.com)
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+package com.powsybl.math.matrix;
+
+import com.google.common.jimfs.Configuration;
+import com.google.common.jimfs.Jimfs;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import java.io.*;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.FileSystem;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+/**
+ * @author Olivier Perrin {@literal <olivier.perrin at rte-france.com>}
+ */
+class SparseMatrixDeserializationTest {
+    private static FileSystem fileSystem;
+    protected static Path testDir;
+
+    @BeforeAll
+    static void setUp() throws Exception {
+        fileSystem = Jimfs.newFileSystem(Configuration.unix());
+        testDir = fileSystem.getPath("/tmp");
+        Files.createDirectories(testDir);
+    }
+
+    @AfterAll
+    static void tearDown() throws Exception {
+        fileSystem.close();
+    }
+
+    @Test
+    void testSecureDeserialization() throws IOException {
+        // Prepare exploit payload
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
+            oos.writeObject(new Exploit());
+        }
+
+        // Try to deserialize the false SparseMatrix object
+        ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
+        assertThrows(UncheckedIOException.class, () -> SparseMatrix.read(bais), "Exploit may be present.");
+
+        // Confirm there is no exploit: the "rce" file should not exist
+        Path rceFile = testDir.resolve("rce");
+        assertFalse(Files.exists(rceFile), "The exploit is present.");
+    }
+
+    static class Exploit implements Serializable {
+        @Serial
+        private static final long serialVersionUID = 1L;
+
+        @Serial
+        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
+            // Emulate a security problem: when reading the object, create a new file.
+            // If this file is indeed created when deserializing the payload, then an attacker
+            // may perform dangerous operations (download and install a malware, connect to an external server, ...)
+            in.defaultReadObject();
+            Path rceFile = testDir.resolve("rce");
+            Files.writeString(rceFile, "Security problem", StandardCharsets.UTF_8);
+        }
+    }
+}