Merge pull request #22998 from protocolbuffers/gberg-cp-32

Restore compatibility of runtime with pre-3.22.x gencode impacted by …

Author: googleberg

java/core/src/main/java/com/google/protobuf/GeneratedMessage.java

@@ -30,11 +30,14 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.SortedMap;
 import java.util.TreeMap;
+import java.util.logging.Logger;
 
 /**
  * All generated protocol message classes extend this class. This class implements most of the
@@ -52,6 +55,8 @@
 public abstract class GeneratedMessage extends AbstractMessage implements Serializable {
   private static final long serialVersionUID = 1L;
 
+  private static final Logger logger = Logger.getLogger(GeneratedMessage.class.getName());
+
   /**
    * For testing. Allows a test to disable the optimization that avoids using field builders for
    * nested messages until they are requested. By disabling this optimization, existing tests can be
@@ -394,6 +399,59 @@ protected static IntList emptyIntList() {
     return IntArrayList.emptyList();
   }
 
+  static final String PRE22_GENCODE_SILENCE_PROPERTY =
+      "com.google.protobuf.use_unsafe_pre22_gencode";
+  static final String PRE22_GENCODE_ERROR_PROPERTY =
+      "com.google.protobuf.error_on_unsafe_pre22_gencode";
+
+  static final String PRE22_GENCODE_VULNERABILITY_MESSAGE =
+      "As of 2022/09/29 (release 21.7) makeExtensionsImmutable should not be called from protobuf"
+          + " gencode. If you are seeing this message, your gencode is vulnerable to a denial of"
+          + " service attack. You should regenerate your code using protobuf 25.6 or later. Use the"
+          + " latest version that meets your needs. However, if you understand the risks and wish"
+          + " to continue with vulnerable gencode, you can set the system property"
+          + " `-Dcom.google.protobuf.use_unsafe_pre22_gencode` on the command line to silence this"
+          + " warning. You also can set"
+          + " `-Dcom.google.protobuf.error_on_unsafe_pre22_gencode` to throw an error instead. See"
+          + " security vulnerability:"
+          + " https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2";
+
+  protected static final Set<String> loggedPre22TypeNames =
+      Collections.synchronizedSet(new HashSet<String>());
+
+  static void warnPre22Gencode(Class<?> messageClass) {
+    if (System.getProperty(PRE22_GENCODE_SILENCE_PROPERTY) != null) {
+      return;
+    }
+    String messageName = messageClass.getName();
+    String vulnerabilityMessage =
+        "Vulnerable protobuf generated type in use: "
+            + messageName
+            + "\n"
+            + PRE22_GENCODE_VULNERABILITY_MESSAGE;
+
+    if (System.getProperty(PRE22_GENCODE_ERROR_PROPERTY) != null) {
+      throw new UnsupportedOperationException(vulnerabilityMessage);
+    }
+
+    if (!loggedPre22TypeNames.add(messageName)) {
+      return;
+    }
+
+    logger.warning(vulnerabilityMessage);
+  }
+
+  /**
+   * This method only exists as a shim for pre-22 gencode. This function is a no-op other than
+   * warning or throwing an error for messages that are not extendable.
+   *
+   * @throws UnsupportedOperationException if the {@link #PRE22_GENCODE_ERROR_PROPERTY} system
+   *     property is set.
+   */
+  protected void makeExtensionsImmutable() {
+    warnPre22Gencode(getClass());
+  }
+
   protected static LongList emptyLongList() {
     return LongArrayList.emptyList();
   }
@@ -1037,6 +1095,16 @@ public boolean isInitialized() {
       return super.isInitialized() && extensionsAreInitialized();
     }
 
+    /**
+     * This method only exists as a shim for pre-22 gencode (see {@link
+     * GeneratedMessage.warnPre22Gencode}.
+     */
+    @Override
+    protected void makeExtensionsImmutable() {
+      GeneratedMessage.warnPre22Gencode(getClass());
+      extensions.makeImmutable();
+    }
+
     /**
      * Used by subclasses to serialize extensions. Extension ranges may be interleaved with field
      * numbers, but we must write them in canonical (sorted by field number) order.

java/core/src/test/java/com/google/protobuf/GeneratedMessageTest.java

@@ -1976,4 +1976,104 @@ public void getAllFields_repeatedFieldsAreNotMutable() {
     builder.clearField(repeatedMsgField);
     assertThat(list).hasSize(1);
   }
+
+  private TestUtil.TestLogHandler setupLogger() {
+    TestUtil.TestLogHandler logHandler = new TestUtil.TestLogHandler();
+    Logger logger = Logger.getLogger(GeneratedMessage.class.getName());
+    logger.addHandler(logHandler);
+    logHandler.setLevel(Level.ALL);
+    return logHandler;
+  }
+
+  static class TestMessageBaseForPre22WarningsTests extends GeneratedMessage {
+    @Override
+    protected FieldAccessorTable internalGetFieldAccessorTable() {
+      return null;
+    }
+
+    @Override
+    protected Message.Builder newBuilderForType(BuilderParent parent) {
+      return null;
+    }
+
+    @Override
+    public Message.Builder newBuilderForType() {
+      return null;
+    }
+
+    @Override
+    public Message.Builder toBuilder() {
+      return null;
+    }
+
+    @Override
+    public Message getDefaultInstanceForType() {
+      return null;
+    }
+  }
+
+  @Test
+  public void generatedMessage_makeExtensionsImmutableShouldLog() {
+    TestUtil.TestLogHandler logHandler = setupLogger();
+    GeneratedMessage.loggedPre22TypeNames.clear();
+
+    class TestMessage1 extends TestMessageBaseForPre22WarningsTests {}
+    class TestMessage2 extends TestMessageBaseForPre22WarningsTests {}
+
+    TestMessage1 msg = new TestMessage1();
+    TestMessage2 msg2 = new TestMessage2();
+
+    msg.makeExtensionsImmutable();
+    List<LogRecord> logs = logHandler.getStoredLogRecords();
+    assertThat(logs).hasSize(1);
+    String message = logs.get(0).getMessage();
+    // The generated type
+    assertThat(message)
+        .contains(
+            "Vulnerable protobuf generated type in use: "
+                + "com.google.protobuf.GeneratedMessageTest$1TestMessage1");
+    assertThat(message).contains(GeneratedMessage.PRE22_GENCODE_VULNERABILITY_MESSAGE);
+    assertThat(message).contains(GeneratedMessage.PRE22_GENCODE_SILENCE_PROPERTY);
+
+    // Subsequent calls for the same type do not log again.
+    msg.makeExtensionsImmutable();
+    assertThat(logHandler.getStoredLogRecords()).hasSize(1);
+
+    // A call on a second type does log for that type.
+    msg2.makeExtensionsImmutable();
+    assertThat(logHandler.getStoredLogRecords()).hasSize(2);
+    // And not again (only once per type).
+    msg2.makeExtensionsImmutable();
+    assertThat(logHandler.getStoredLogRecords()).hasSize(2);
+  }
+
+  @Test
+  public void extendableMessage_makeExtensionsImmutableShouldThrowWhenOptedIn() {
+    System.setProperty("com.google.protobuf.error_on_unsafe_pre22_gencode", "true");
+    GeneratedMessage.loggedPre22TypeNames.clear();
+
+    class TestMessage3 extends TestMessageBaseForPre22WarningsTests {}
+    TestMessage3 msg = new TestMessage3();
+    assertThrows(UnsupportedOperationException.class, msg::makeExtensionsImmutable);
+
+    // When opting into throwing, it should throw every time, not just the first time.
+    assertThrows(UnsupportedOperationException.class, msg::makeExtensionsImmutable);
+    assertThrows(UnsupportedOperationException.class, msg::makeExtensionsImmutable);
+
+    System.clearProperty("com.google.protobuf.error_on_unsafe_pre22_gencode");
+  }
+
+  @Test
+  public void extendableMessage_makeExtensionsImmutableShouldBeSilentWhenOptedIn() {
+    System.setProperty("com.google.protobuf.use_unsafe_pre22_gencode", "true");
+    TestUtil.TestLogHandler logHandler = setupLogger();
+    GeneratedMessage.loggedPre22TypeNames.clear();
+
+    class TestMessage4 extends TestMessageBaseForPre22WarningsTests {}
+    TestMessage4 msg = new TestMessage4();
+    msg.makeExtensionsImmutable();
+    assertThat(logHandler.getStoredLogRecords()).isEmpty();
+
+    System.clearProperty("com.google.protobuf.use_unsafe_pre22_gencode");
+  }
 }