Restore compatibility of runtime with pre-3.22.x gencode impacted by CVE-2022-3171

Generated code from this range is covered by CVE-2022-3171 and potentially vulnerable to a Denial of Service issue.

JavaProto 4.x previously dropped compatibility with the potentially vulnerable generated code, having the behavior of:

* The vulnerable generated code was source-incompatible with new runtime (would not compile when built from source)

* The vulnerable generated code was ABI-incompatible with new runtime (when using a .class file compiled against old runtime, a NoSuchMethodException would be thrown at parse time).

After this change, instead:

* The vulnerable generated code is now source-compatible (will compile).
The first time each potentially vulnerable type is parsed,  an error message will be logged noting that potentially vulnerable generated code is in use and the name of the corresponding type.

* Environment variables may be set to either throw an exception instead (-Dcom.google.protobuf.error_on_unsafe_pre22_gencode) or to entirely silence the logged messages (-Dcom.google.protobuf.use_unsafe_pre22_gencode)
This change was made based on community feedback regarding the difficulty in identifying and quickly remediating stale gencode in their transitive dependencies weighed against a careful evaluation of the realistic risk exposure of DoS (with no risk of other concerns including information leak or RCE).

We strongly recommend that any users who observe the log messages to regenerate the corresponding code with a newer protoc. We recommend that any security-conscious services opt into error_on_unsafe_pre22_gencode to preclude any risk of a Denial of Service surface area being exposed.

A future release may flip the default behavior to error by default as a measure to further help the ecosystem avoid the Denial of Service risks.

PiperOrigin-RevId: 790798112

Author: protobuf-github-bot

java/core/src/main/java/com/google/protobuf/GeneratedMessage.java

@@ -30,11 +30,14 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.SortedMap;
 import java.util.TreeMap;
+import java.util.logging.Logger;
 
 /**
  * All generated protocol message classes extend this class. This class implements most of the
@@ -52,6 +55,8 @@
 public abstract class GeneratedMessage extends AbstractMessage implements Serializable {
   private static final long serialVersionUID = 1L;
 
+  private static final Logger logger = Logger.getLogger(GeneratedMessage.class.getName());
+
   /**
    * For testing. Allows a test to disable the optimization that avoids using field builders for
    * nested messages until they are requested. By disabling this optimization, existing tests can be
@@ -394,6 +399,59 @@ protected static IntList emptyIntList() {
     return IntArrayList.emptyList();
   }
 
+  static final String PRE22_GENCODE_SILENCE_PROPERTY =
+      "com.google.protobuf.use_unsafe_pre22_gencode";
+  static final String PRE22_GENCODE_ERROR_PROPERTY =
+      "com.google.protobuf.error_on_unsafe_pre22_gencode";
+
+  static final String PRE22_GENCODE_VULNERABILITY_MESSAGE =
+      "As of 2022/09/29 (release 21.7) makeExtensionsImmutable should not be called from protobuf"
+          + " gencode. If you are seeing this message, your gencode is vulnerable to a denial of"
+          + " service attack. You should regenerate your code using protobuf 25.6 or later. Use the"
+          + " latest version that meets your needs. However, if you understand the risks and wish"
+          + " to continue with vulnerable gencode, you can set the system property"
+          + " `-Dcom.google.protobuf.use_unsafe_pre22_gencode` on the command line to silence this"
+          + " warning. You also can set"
+          + " `-Dcom.google.protobuf.error_on_unsafe_pre22_gencode` to throw an error instead. See"
+          + " security vulnerability:"
+          + " https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2";
+
+  protected static final Set<String> loggedPre22TypeNames =
+      Collections.synchronizedSet(new HashSet<String>());
+
+  static void warnPre22Gencode(Class<?> messageClass) {
+    if (System.getProperty(PRE22_GENCODE_SILENCE_PROPERTY) != null) {
+      return;
+    }
+    String messageName = messageClass.getName();
+    String vulnerabilityMessage =
+        "Vulnerable protobuf generated type in use: "
+            + messageName
+            + "\n"
+            + PRE22_GENCODE_VULNERABILITY_MESSAGE;
+
+    if (System.getProperty(PRE22_GENCODE_ERROR_PROPERTY) != null) {
+      throw new UnsupportedOperationException(vulnerabilityMessage);
+    }
+
+    if (!loggedPre22TypeNames.add(messageName)) {
+      return;
+    }
+
+    logger.warning(vulnerabilityMessage);
+  }
+
+  /**
+   * This method only exists as a shim for pre-22 gencode. This function is a no-op other than
+   * warning or throwing an error for messages that are not extendable.
+   *
+   * @throws UnsupportedOperationException if the {@link #PRE22_GENCODE_ERROR_PROPERTY} system
+   *     property is set.
+   */
+  protected void makeExtensionsImmutable() {
+    warnPre22Gencode(getClass());
+  }
+
   protected static LongList emptyLongList() {
     return LongArrayList.emptyList();
   }
@@ -1037,6 +1095,16 @@ public boolean isInitialized() {
       return super.isInitialized() && extensionsAreInitialized();
     }
 
+    /**
+     * This method only exists as a shim for pre-22 gencode (see {@link
+     * GeneratedMessage.warnPre22Gencode}.
+     */
+    @Override
+    protected void makeExtensionsImmutable() {
+      GeneratedMessage.warnPre22Gencode(getClass());
+      extensions.makeImmutable();
+    }
+
     /**
      * Used by subclasses to serialize extensions. Extension ranges may be interleaved with field
      * numbers, but we must write them in canonical (sorted by field number) order.

java/core/src/test/java/com/google/protobuf/GeneratedMessageTest.java

@@ -1976,4 +1976,104 @@ public void getAllFields_repeatedFieldsAreNotMutable() {
     builder.clearField(repeatedMsgField);
     assertThat(list).hasSize(1);
   }
+
+  private TestUtil.TestLogHandler setupLogger() {
+    TestUtil.TestLogHandler logHandler = new TestUtil.TestLogHandler();
+    Logger logger = Logger.getLogger(GeneratedMessage.class.getName());
+    logger.addHandler(logHandler);
+    logHandler.setLevel(Level.ALL);
+    return logHandler;
+  }
+
+  static class TestMessageBaseForPre22WarningsTests extends GeneratedMessage {
+    @Override
+    protected FieldAccessorTable internalGetFieldAccessorTable() {
+      return null;
+    }
+
+    @Override
+    protected Message.Builder newBuilderForType(BuilderParent parent) {
+      return null;
+    }
+
+    @Override
+    public Message.Builder newBuilderForType() {
+      return null;
+    }
+
+    @Override
+    public Message.Builder toBuilder() {
+      return null;
+    }
+
+    @Override
+    public Message getDefaultInstanceForType() {
+      return null;
+    }
+  }
+
+  @Test
+  public void generatedMessage_makeExtensionsImmutableShouldLog() {
+    TestUtil.TestLogHandler logHandler = setupLogger();
+    GeneratedMessage.loggedPre22TypeNames.clear();
+
+    class TestMessage1 extends TestMessageBaseForPre22WarningsTests {}
+    class TestMessage2 extends TestMessageBaseForPre22WarningsTests {}
+
+    TestMessage1 msg = new TestMessage1();
+    TestMessage2 msg2 = new TestMessage2();
+
+    msg.makeExtensionsImmutable();
+    List<LogRecord> logs = logHandler.getStoredLogRecords();
+    assertThat(logs).hasSize(1);
+    String message = logs.get(0).getMessage();
+    // The generated type
+    assertThat(message)
+        .contains(
+            "Vulnerable protobuf generated type in use: "
+                + "com.google.protobuf.GeneratedMessageTest$1TestMessage1");
+    assertThat(message).contains(GeneratedMessage.PRE22_GENCODE_VULNERABILITY_MESSAGE);
+    assertThat(message).contains(GeneratedMessage.PRE22_GENCODE_SILENCE_PROPERTY);
+
+    // Subsequent calls for the same type do not log again.
+    msg.makeExtensionsImmutable();
+    assertThat(logHandler.getStoredLogRecords()).hasSize(1);
+
+    // A call on a second type does log for that type.
+    msg2.makeExtensionsImmutable();
+    assertThat(logHandler.getStoredLogRecords()).hasSize(2);
+    // And not again (only once per type).
+    msg2.makeExtensionsImmutable();
+    assertThat(logHandler.getStoredLogRecords()).hasSize(2);
+  }
+
+  @Test
+  public void extendableMessage_makeExtensionsImmutableShouldThrowWhenOptedIn() {
+    System.setProperty("com.google.protobuf.error_on_unsafe_pre22_gencode", "true");
+    GeneratedMessage.loggedPre22TypeNames.clear();
+
+    class TestMessage3 extends TestMessageBaseForPre22WarningsTests {}
+    TestMessage3 msg = new TestMessage3();
+    assertThrows(UnsupportedOperationException.class, msg::makeExtensionsImmutable);
+
+    // When opting into throwing, it should throw every time, not just the first time.
+    assertThrows(UnsupportedOperationException.class, msg::makeExtensionsImmutable);
+    assertThrows(UnsupportedOperationException.class, msg::makeExtensionsImmutable);
+
+    System.clearProperty("com.google.protobuf.error_on_unsafe_pre22_gencode");
+  }
+
+  @Test
+  public void extendableMessage_makeExtensionsImmutableShouldBeSilentWhenOptedIn() {
+    System.setProperty("com.google.protobuf.use_unsafe_pre22_gencode", "true");
+    TestUtil.TestLogHandler logHandler = setupLogger();
+    GeneratedMessage.loggedPre22TypeNames.clear();
+
+    class TestMessage4 extends TestMessageBaseForPre22WarningsTests {}
+    TestMessage4 msg = new TestMessage4();
+    msg.makeExtensionsImmutable();
+    assertThat(logHandler.getStoredLogRecords()).isEmpty();
+
+    System.clearProperty("com.google.protobuf.use_unsafe_pre22_gencode");
+  }
 }