fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization#60884
fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization#60884XananasX7 wants to merge 2 commits into
Conversation
…cache The availableTaskTypes cache stores serialized arrays containing ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum values. The unserialize() call did not restrict which classes could be instantiated. Restrict deserialization to the three known types: - OCP\TaskProcessing\ShapeDescriptor - OCP\TaskProcessing\ShapeEnumValue - OCP\TaskProcessing\EShapeType This prevents PHP Object Injection if an attacker gains write access to the distributed cache backend (e.g., a Redis instance without authentication or with weak ACLs), which is a known real-world attack vector in shared hosting and container environments.
XananasX7
requested review from
Altahrim,
CarlSchwan,
leftybournes and
salmart-dev
and removed request for
a team
|
Can you please run the php linter by running Add your changes, then amend you last commit by running:
and then push:
which will fix the CI issues. |
julien-nc
left a comment
julien-nc
left a comment
There was a problem hiding this comment.
From Php doc:
Warning Do not pass untrusted user input to unserialize() regardless of the options value of allowed_classes. Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this.
@marcelklehr Wdyt? Are we good with the allowed classes?
Yes, these do not have any constructor code with side effects |
…alization The availableTaskTypes cache stores serialized arrays containing ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum values. The unserialize() call did not restrict which classes could be instantiated. Restrict deserialization to the three known types: - OCP\TaskProcessing\ShapeDescriptor - OCP\TaskProcessing\ShapeEnumValue - OCP\TaskProcessing\EShapeType This prevents PHP Object Injection if an attacker gains write access to the distributed cache backend. Signed-off-by: El Mehdi Abenhazou <mehdiananas007@gmail.com>
XananasX7
force-pushed
the
security/taskprocessing-unserialize-allowed-classes
branch
from
eccf1df to
d987212
Compare
|
Fixed the remaining CI issues:
The PR now has correct author, DCO sign-off, and passes php-cs. All 3 approvals (marcelklehr, kesselb, julien-nc) are in place. Ready for merge 🙏 |
5 participants
Summary
OC\TaskProcessing\Manager::getAvailableTaskTypes()deserializes the task type cache from the distributed cache backend without restricting which PHP classes can be instantiated.The issue
The serialized data contains
ShapeDescriptorobjects,ShapeEnumValueobjects, andEShapeTypeenum values. An attacker who can write to the cache backend (e.g., Redis without authentication or with weak ACLs — a common misconfiguration in cloud deployments) can inject a PHP gadget chain and achieve Remote Code Execution via PHP Object Injection.The fix
Restrict
unserialize()to only the three known classes actually stored in the cache:This is verified by inspecting the write path:
serialize($this->availableTaskTypes)where$availableTaskTypesis built fromgetInputShape(),getOutputShape()etc. which return arrays ofShapeDescriptorobjects withEShapeTypevalues.Security impact
Redis Object Injection via unprotected cache backends is a well-known attack class. Nextcloud already uses
allowed_classesinFileProfilerStorage,CommandJob, andQueueBus— this PR extends the same pattern toTaskProcessing\Manager.Signed-off-by: XananasX7