fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization#60884
Open
XananasX7 wants to merge 1 commit into
Open
Conversation
…cache The availableTaskTypes cache stores serialized arrays containing ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum values. The unserialize() call did not restrict which classes could be instantiated. Restrict deserialization to the three known types: - OCP\TaskProcessing\ShapeDescriptor - OCP\TaskProcessing\ShapeEnumValue - OCP\TaskProcessing\EShapeType This prevents PHP Object Injection if an attacker gains write access to the distributed cache backend (e.g., a Redis instance without authentication or with weak ACLs), which is a known real-world attack vector in shared hosting and container environments.
XananasX7
requested review from
Altahrim,
CarlSchwan,
leftybournes and
salmart-dev
and removed request for
a team
Contributor
|
Can you please run the php linter by running Add your changes, then amend you last commit by running:
and then push:
which will fix the CI issues. |
marcelklehr
approved these changes
Jun 1, 2026
julien-nc
reviewed
Jun 1, 2026
Member
julien-nc
left a comment
julien-nc
left a comment
There was a problem hiding this comment.
From Php doc:
Warning Do not pass untrusted user input to unserialize() regardless of the options value of allowed_classes. Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this.
@marcelklehr Wdyt? Are we good with the allowed classes?
Member
Yes, these do not have any constructor code with side effects |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
OC\TaskProcessing\Manager::getAvailableTaskTypes()deserializes the task type cache from the distributed cache backend without restricting which PHP classes can be instantiated.The issue
The serialized data contains
ShapeDescriptorobjects,ShapeEnumValueobjects, andEShapeTypeenum values. An attacker who can write to the cache backend (e.g., Redis without authentication or with weak ACLs — a common misconfiguration in cloud deployments) can inject a PHP gadget chain and achieve Remote Code Execution via PHP Object Injection.The fix
Restrict
unserialize()to only the three known classes actually stored in the cache:This is verified by inspecting the write path:
serialize($this->availableTaskTypes)where$availableTaskTypesis built fromgetInputShape(),getOutputShape()etc. which return arrays ofShapeDescriptorobjects withEShapeTypevalues.Security impact
Redis Object Injection via unprotected cache backends is a well-known attack class. Nextcloud already uses
allowed_classesinFileProfilerStorage,CommandJob, andQueueBus— this PR extends the same pattern toTaskProcessing\Manager.Signed-off-by: XananasX7