From 328c2e7b8c112c0f4fd9aa6b441e1cd01c372f68 Mon Sep 17 00:00:00 2001
From: teresa
Date: Wed, 21 May 2025 00:03:33 +0800
Subject: [PATCH 1/2] Fix Insecure Deserialization Vulnerability in toObject Method
Summary This PR addresses a critical security vulnerability in the toObject method which performs unrestricted deserialization of objects, potentially allowing remote code execution if the serialized data comes from untrusted sources. Description The current implementation uses standard ObjectInputStream without any class validation, which is vulnerable to deserialization attacks. This change implements proper validation by using Apache Commons IO's ValidatingObjectInputStream and explicitly whitelisting allowed classes.
---
 .../risesoft/service/cache/impl/CacheServiceRocksDBImpl.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/y9-module-jodconverter/risenet-y9boot-webapp-jodconverter/src/main/java/net/risesoft/service/cache/impl/CacheServiceRocksDBImpl.java b/y9-module-jodconverter/risenet-y9boot-webapp-jodconverter/src/main/java/net/risesoft/service/cache/impl/CacheServiceRocksDBImpl.java
index d7f600ba0..81a73dea6 100644
--- a/y9-module-jodconverter/risenet-y9boot-webapp-jodconverter/src/main/java/net/risesoft/service/cache/impl/CacheServiceRocksDBImpl.java
+++ b/y9-module-jodconverter/risenet-y9boot-webapp-jodconverter/src/main/java/net/risesoft/service/cache/impl/CacheServiceRocksDBImpl.java
@@ -261,7 +261,8 @@ private byte[] toByteArray(Object obj) throws IOException {
 private Object toObject(byte[] bytes) throws IOException, ClassNotFoundException {
 Object obj;
 ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
- ObjectInputStream ois = new ObjectInputStream(bis);
+ ValidatingObjectInputStream ois = new ValidatingObjectInputStream(bis); {
+ ois.accept(LinkedList.class, LogMutation.class, HashMap.class, String.class);
 obj = ois.readObject();
 ois.close();
 bis.close();
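Review bot: The new declaration line ends with a stray `{` after `new ValidatingObjectInputStream(bis);`, which opens a block that nothing in the hunk closes, so the method as patched appears not to compile. The diffstat (2 insertions, both in this hunk) also shows no import was added for `org.apache.commons.io.serialization.ValidatingObjectInputStream`, which fails unless the file already imports it or a wildcard covers it. The allow-list is checked for every class descriptor in the stream, not just the root object, so every type reachable from `LogMutation`'s fields (boxed primitives, arrays, other collections) must be accepted too or `readObject()` will throw `InvalidClassException` on legitimate cache entries — I'd derive the list from a round-trip test of a real entry rather than by hand. Since these lines are being rewritten anyway, both streams should be closed on the failure path as well; today both `close()` calls are skipped when `readObject()` throws. toObject's `return` and closing brace lie outside the hunk.
```java
private Object toObject(byte[] bytes) throws IOException, ClassNotFoundException {
    Object obj;
    try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
         ValidatingObjectInputStream ois = new ValidatingObjectInputStream(bis)) {
        // Every class in the serialized graph must be listed here, not only the root type;
        // any descriptor that is not accepted makes readObject() throw InvalidClassException.
        ois.accept(LinkedList.class, LogMutation.class, HashMap.class, String.class);
        obj = ois.readObject();
    }
    // … unchanged: remainder of the method (outside the hunk) …
```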
From f37b91352192c6119d70111cd4ba25ac419c0428 Mon Sep 17 00:00:00 2001
From: teresa
Date: Wed, 21 May 2025 00:25:51 +0800
Subject: [PATCH 2/2] Fix HTTP Header Injection Vulnerability in BPMN Export Feature
Summary This PR addresses a security vulnerability in the model export feature where filenames are not properly encoded in HTTP headers, potentially allowing for HTTP header injection attacks. Description The current implementation adds the filename directly to the Content-Disposition header without encoding, which can lead to security issues if model keys contain special characters. This change adds proper URL encoding to the filename to prevent HTTP header injection and ensure correct handling of special characters. the code is vulnerable because: It doesn't encode the filename in the Content-Disposition HTTP header This could lead to HTTP header injection if model.getKey() contains characters like CR, LF, or other special characters It might also cause filename rendering issues with international characters or spaces The input is user-controlled (via modelId parameter) and its output is reflected in HTTP headers References https://github.com/hs-web/hsweb-framework/commit/b72a2275ed21240296c6539bae1049c56abb542f https://nvd.nist.gov/vuln/detail/CVE-2023-29285
---
 .../controller/ProcessModelVueController.java | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/y9-module-processadmin/risenet-y9boot-webapp-processadmin/src/main/java/net/risesoft/controller/ProcessModelVueController.java b/y9-module-processadmin/risenet-y9boot-webapp-processadmin/src/main/java/net/risesoft/controller/ProcessModelVueController.java
index aa0dce535..c4084c086 100644
--- a/y9-module-processadmin/risenet-y9boot-webapp-processadmin/src/main/java/net/risesoft/controller/ProcessModelVueController.java
+++ b/y9-module-processadmin/risenet-y9boot-webapp-processadmin/src/main/java/net/risesoft/controller/ProcessModelVueController.java
@@ -156,13 +156,22 @@ public Y9Result deployModel(@RequestParam @NotBlank String modelId) {
 public void exportModel(@RequestParam @NotBlank String modelId, HttpServletResponse response) {
 try {
 Model model = modelService.getModel(modelId);
+ if (model == null) {
+ response.sendError(HttpServletResponse.SC_NOT_FOUND, "Model not found");
+ return;
+ }
+
 byte[] bpmnBytes = modelService.getBpmnXML(model);
- ByteArrayInputStream in = new ByteArrayInputStream(bpmnBytes);
 String filename = model.getKey() + ".bpmn20.xml";
- response.setHeader("Content-Disposition", "attachment; filename=" + filename);
- IOUtils.copy(in, response.getOutputStream());
- response.flushBuffer();
+ response.setCharacterEncoding("UTF-8");
+ response.setContentType("application/octet-stream");
+ response.setHeader("Content-Disposition", "attachment; filename=" + URLEncoder.encode(filename, "UTF-8"));
+
+ try (ByteArrayInputStream in = new ByteArrayInputStream(bpmnBytes)) {
+ IOUtils.copy(in, response.getOutputStream());
+ response.flushBuffer();
+ }
 } catch (Exception e) {
 LOGGER.error("导出模型失败,modelId:{} 异常:{}", modelId, e.getMessage());
 }
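Review bot: `URLEncoder.encode(filename, "UTF-8")` on the new `Content-Disposition` line does keep CR/LF out of the header value, but it is form encoding rather than header encoding: spaces become `+` and browsers do not percent-decode a plain `filename=` parameter, so a key containing spaces or non-ASCII characters is saved under a literal `%XX`/`+` name. The RFC 6266 form is an ASCII fallback in `filename="..."` plus `filename*=UTF-8''<percent-encoded>` with `+` replaced by `%20`; if the project's Spring version provides `org.springframework.http.ContentDisposition`, `ContentDisposition.attachment().filename(filename, StandardCharsets.UTF_8).build().toString()` yields exactly that and is the simpler fix. `response.setCharacterEncoding("UTF-8")` has no effect on an `application/octet-stream` body and can be dropped. The enclosing `catch (Exception e)` is unchanged context but still logs only `e.getMessage()`, discarding the stack trace of any failure in the new code; passing `e` as the last argument would keep it. exportModel's closing brace lies past the end of the hunk.
```java
String filename = model.getKey() + ".bpmn20.xml";
// ASCII fallback: CR/LF, quotes, backslashes and non-ASCII cannot reach the header value.
String asciiName = filename.replaceAll("[^\\x20-\\x7E]", "_").replace("\"", "_").replace("\\", "_");
// RFC 5987 value: percent-encoded UTF-8; URLEncoder's '+' for space is not valid in this form.
String encodedName = URLEncoder.encode(filename, "UTF-8").replace("+", "%20");
response.setContentType("application/octet-stream");
response.setHeader("Content-Disposition",
    "attachment; filename=\"" + asciiName + "\"; filename*=UTF-8''" + encodedName);
// … unchanged: try-with-resources copy and flushBuffer …
```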