Skip to content

Commit 5bda7d8

Browse files
authored
Add Http discovery transport to denied list for JMX (#1918)
This also prevents the Http discovery transport from being added as a connector or network connector through JMX and Jolokia
1 parent 084502a commit 5bda7d8

File tree

3 files changed

+59
-32
lines changed

3 files changed

+59
-32
lines changed

activemq-broker/src/main/java/org/apache/activemq/broker/jmx/BrokerView.java

Lines changed: 11 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,8 @@ public class BrokerView implements BrokerViewMBean {
4444

4545
private static final Logger LOG = LoggerFactory.getLogger(BrokerView.class);
4646

47+
private static final Set<String> DENIED_TRANSPORT_SCHEMES = Set.of("vm", "http");
48+
4749
ManagedRegionBroker broker;
4850

4951
private final BrokerService brokerService;
@@ -402,7 +404,7 @@ public ObjectName[] getDynamicDestinationProducers() {
402404

403405
@Override
404406
public String addConnector(String discoveryAddress) throws Exception {
405-
// Verify VM transport is not used
407+
// Verify a denied transport scheme is not used
406408
validateAllowedUrl(discoveryAddress);
407409
TransportConnector connector = brokerService.addConnector(discoveryAddress);
408410
if (connector == null) {
@@ -414,7 +416,7 @@ public String addConnector(String discoveryAddress) throws Exception {
414416

415417
@Override
416418
public String addNetworkConnector(String discoveryAddress) throws Exception {
417-
// Verify VM transport is not used
419+
// Verify a denied transport scheme is not used
418420
validateAllowedUrl(discoveryAddress);
419421
NetworkConnector connector = brokerService.addNetworkConnector(discoveryAddress);
420422
if (connector == null) {
@@ -607,7 +609,7 @@ private static void validateAllowedUrl(String uriString) throws URISyntaxExcepti
607609
validateAllowedUri(new URI(uriString), 0);
608610
}
609611

610-
// Validate the URI does not contain VM transport
612+
// Validate the URI does not contain a denied transport scheme
611613
private static void validateAllowedUri(URI uri, int depth) throws URISyntaxException {
612614
// Don't allow more than 5 nested URIs to prevent blowing the stack
613615
// If we are greater than 4 then this is the 5th level of composite
@@ -635,10 +637,13 @@ private static void validateAllowedUri(URI uri, int depth) throws URISyntaxExcep
635637
}
636638
}
637639

638-
// We don't allow VM transport scheme to be used
640+
// Check all denied schemes
639641
private static void validateAllowedScheme(String scheme) {
640-
if (scheme.equals("vm")) {
641-
throw new IllegalArgumentException("VM scheme is not allowed");
642+
for (String denied : DENIED_TRANSPORT_SCHEMES) {
643+
// The schemes should be case-insensitive but ignore case as a precaution
644+
if (scheme.equalsIgnoreCase(denied)) {
645+
throw new IllegalArgumentException("Transport scheme '" + scheme + "' is not allowed");
646+
}
642647
}
643648
}
644649
}

activemq-unit-tests/src/test/java/org/apache/activemq/broker/jmx/MBeanTest.java

Lines changed: 26 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -2058,34 +2058,50 @@ public void testSubscriptionViewProperties() throws Exception {
20582058
assertTrue(subscription.isExclusive());
20592059
}
20602060

2061-
// Test to verify VM transport is not allowed to be added as a connector
2061+
// Test to verify http transport is not allowed to be added as a connector
2062+
// through the Broker MBean
2063+
public void testAddHttpConnectorBlockedBrokerView() throws Exception {
2064+
testAddTransportConnectorBlockedBrokerView("http");
2065+
}
2066+
2067+
// Test to verify vm transport is not allowed to be added as a connector
20622068
// through the Broker MBean
20632069
public void testAddVmConnectorBlockedBrokerView() throws Exception {
2070+
testAddTransportConnectorBlockedBrokerView("vm");
2071+
}
2072+
2073+
protected void testAddTransportConnectorBlockedBrokerView(String scheme) throws Exception {
20642074
ObjectName brokerName = assertRegisteredObjectName(domain + ":type=Broker,brokerName=localhost");
20652075
BrokerViewMBean brokerView = MBeanServerInvocationHandler.newProxyInstance(mbeanServer, brokerName, BrokerViewMBean.class, true);
20662076

20672077
try {
2068-
brokerView.addConnector("vm://localhost");
2069-
fail("Should have failed trying to add vm connector");
2078+
brokerView.addConnector(scheme + "://localhost");
2079+
fail("Should have failed trying to add connector");
20702080
} catch (IllegalArgumentException e) {
2071-
assertEquals("VM scheme is not allowed", e.getMessage());
2081+
assertEquals("Transport scheme '" + scheme + "' is not allowed", e.getMessage());
20722082
}
20732083

20742084
try {
20752085
// verify any composite URI is blocked as well
2076-
brokerView.addConnector("failover:(tcp://0.0.0.0:0,vm://" + brokerName + ")");
2077-
fail("Should have failed trying to add vm connector");
2086+
brokerView.addConnector("failover:(tcp://0.0.0.0:0," + scheme + "://" + brokerName + ")");
2087+
fail("Should have failed trying to add connector");
20782088
} catch (IllegalArgumentException e) {
2079-
assertEquals("VM scheme is not allowed", e.getMessage());
2089+
assertEquals("Transport scheme '" + scheme + "' is not allowed", e.getMessage());
20802090
}
20812091

20822092
try {
20832093
// verify nested composite URI is blocked
2084-
brokerView.addConnector("failover:(failover:(failover:(vm://localhost)))");
2085-
fail("Should have failed trying to add vm connector");
2094+
brokerView.addConnector("failover:(failover:(failover:(" + scheme + "://localhost)))");
2095+
fail("Should have failed trying to add connector");
20862096
} catch (IllegalArgumentException e) {
2087-
assertEquals("VM scheme is not allowed", e.getMessage());
2097+
assertEquals("Transport scheme '" + scheme + "' is not allowed", e.getMessage());
20882098
}
2099+
}
2100+
2101+
// Test too many nested URIs
2102+
public void testNestedAddTransportConnector() throws Exception {
2103+
ObjectName brokerName = assertRegisteredObjectName(domain + ":type=Broker,brokerName=localhost");
2104+
BrokerViewMBean brokerView = MBeanServerInvocationHandler.newProxyInstance(mbeanServer, brokerName, BrokerViewMBean.class, true);
20892105

20902106
try {
20912107
// verify nested composite URI with more than 5 levels is blocked
@@ -2095,7 +2111,6 @@ public void testAddVmConnectorBlockedBrokerView() throws Exception {
20952111
} catch (IllegalArgumentException e) {
20962112
assertEquals("URI can't contain more than 5 nested composite URIs", e.getMessage());
20972113
}
2098-
20992114
}
21002115

21012116
}

activemq-unit-tests/src/test/java/org/apache/activemq/jmx/JmxCreateNCTest.java

Lines changed: 22 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -33,8 +33,6 @@
3333
/**
3434
* This test shows that when we create a network connector via JMX,
3535
* the NC/bridge shows up in the MBean Server
36-
*
37-
* @author <a href="http://www.christianposta.com/blog">Christian Posta</a>
3836
*/
3937
public class JmxCreateNCTest {
4038

@@ -82,35 +80,44 @@ public void testBridgeRegistration() throws Exception {
8280

8381
@Test
8482
public void testVmBridgeBlocked() throws Exception {
83+
testDeniedBridgeBlocked("vm");
84+
}
85+
86+
@Test
87+
public void testHttpBridgeBlocked() throws Exception {
88+
testDeniedBridgeBlocked("http");
89+
}
90+
91+
protected void testDeniedBridgeBlocked(String scheme) throws Exception {
8592
// Test composite network connector uri
8693
try {
87-
proxy.addNetworkConnector("static:(vm://localhost)");
88-
fail("Should have failed trying to add vm connector bridge");
94+
proxy.addNetworkConnector("static:(" + scheme + "://localhost)");
95+
fail("Should have failed trying to add connector bridge");
8996
} catch (IllegalArgumentException e) {
90-
assertEquals("VM scheme is not allowed", e.getMessage());
97+
assertEquals("Transport scheme '" + scheme + "' is not allowed", e.getMessage());
9198
}
9299

93100
try {
94-
proxy.addNetworkConnector("multicast:(vm://localhost)");
95-
fail("Should have failed trying to add vm connector bridge");
101+
proxy.addNetworkConnector("multicast:(" + scheme + "://localhost)");
102+
fail("Should have failed trying to add connector bridge");
96103
} catch (IllegalArgumentException e) {
97-
assertEquals("VM scheme is not allowed", e.getMessage());
104+
assertEquals("Transport scheme '" + scheme + "' is not allowed", e.getMessage());
98105
}
99106

100-
// verify direct vm as well
107+
// verify direct connector as well
101108
try {
102-
proxy.addNetworkConnector("vm://localhost");
103-
fail("Should have failed trying to add vm connector bridge");
109+
proxy.addNetworkConnector(scheme + "://localhost");
110+
fail("Should have failed trying to add connector bridge");
104111
} catch (IllegalArgumentException e) {
105-
assertEquals("VM scheme is not allowed", e.getMessage());
112+
assertEquals("Transport scheme '" + scheme + "' is not allowed", e.getMessage());
106113
}
107114

108115
try {
109116
// verify nested composite URI is blocked
110-
proxy.addNetworkConnector("static:(failover:(failover:(tcp://localhost:0,vm://localhost)))");
111-
fail("Should have failed trying to add vm connector bridge");
117+
proxy.addNetworkConnector("static:(failover:(failover:(tcp://localhost:0," + scheme + "://localhost)))");
118+
fail("Should have failed trying to add connector bridge");
112119
} catch (IllegalArgumentException e) {
113-
assertEquals("VM scheme is not allowed", e.getMessage());
120+
assertEquals("Transport scheme '" + scheme + "' is not allowed", e.getMessage());
114121
}
115122
}
116123

0 commit comments

Comments
 (0)