fix(API): add whitelist rate limiter adapter

Little-Peony · Little-Peony · commit 6bd4faaacbae · 2026-03-26T11:49:14.000+08:00
diff --git a/framework/src/main/java/org/tron/core/services/http/RateLimiterServlet.java b/framework/src/main/java/org/tron/core/services/http/RateLimiterServlet.java
@@ -4,6 +4,9 @@
 import io.prometheus.client.Histogram;
 import java.io.IOException;
 import java.lang.reflect.Constructor;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
 import javax.annotation.PostConstruct;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
@@ -31,7 +34,19 @@
 @Slf4j
 public abstract class RateLimiterServlet extends HttpServlet {
   private static final String KEY_PREFIX_HTTP = "http_";
-  private static final String ADAPTER_PREFIX = "org.tron.core.services.ratelimiter.adapter.";
+
+  // Whitelist of allowed rate limiter adapter class names.
+  // Class.forName() is intentionally NOT used; only these pre-approved classes may be loaded.
+  private static final Map<String, Class<? extends IRateLimiter>> ALLOWED_ADAPTERS;
+
+  static {
+    Map<String, Class<? extends IRateLimiter>> m = new HashMap<>();
+    m.put("GlobalPreemptibleAdapter", GlobalPreemptibleAdapter.class);
+    m.put("QpsRateLimiterAdapter", QpsRateLimiterAdapter.class);
+    m.put("IPQPSRateLimiterAdapter", IPQPSRateLimiterAdapter.class);
+    m.put("DefaultBaseQqsAdapter", DefaultBaseQqsAdapter.class);
+    ALLOWED_ADAPTERS = Collections.unmodifiableMap(m);
+  }
 
   @Autowired
   private RateLimiterContainer container;
@@ -49,8 +64,13 @@ private void addRateContainer() {
       try {
         cName = item.getStrategy();
         params = item.getParams();
-        // add the specific rate limiter strategy of servlet.
-        Class<?> c = Class.forName(ADAPTER_PREFIX + cName);
+        // Whitelist check: only allow known adapter class names to prevent
+        // arbitrary class loading (RCE) via a tampered config file.
+        Class<? extends IRateLimiter> c = ALLOWED_ADAPTERS.get(cName);
+        if (c == null) {
+          throw new IllegalArgumentException(
+              "Unknown rate limiter adapter (not in whitelist): " + cName);
+        }
         Constructor constructor;
         if (c == GlobalPreemptibleAdapter.class || c == QpsRateLimiterAdapter.class
             || c == IPQPSRateLimiterAdapter.class) {
diff --git a/framework/src/test/java/org/tron/core/services/http/RateLimiterServletWhitelistTest.java b/framework/src/test/java/org/tron/core/services/http/RateLimiterServletWhitelistTest.java
@@ -0,0 +1,128 @@
+package org.tron.core.services.http;
+
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertFalse;
+
+import java.lang.reflect.Field;
+import java.util.Map;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.tron.core.services.ratelimiter.adapter.DefaultBaseQqsAdapter;
+import org.tron.core.services.ratelimiter.adapter.GlobalPreemptibleAdapter;
+import org.tron.core.services.ratelimiter.adapter.IPQPSRateLimiterAdapter;
+import org.tron.core.services.ratelimiter.adapter.IRateLimiter;
+import org.tron.core.services.ratelimiter.adapter.QpsRateLimiterAdapter;
+
+/**
+ * Security test: verifies that RateLimiterServlet uses a strict whitelist
+ * instead of Class.forName(), preventing arbitrary class loading (RCE)
+ * via a tampered config file.
+ */
+public class RateLimiterServletWhitelistTest {
+
+  private static Map<String, Class<? extends IRateLimiter>> allowedAdapters;
+
+  @SuppressWarnings("unchecked")
+  @BeforeClass
+  public static void loadWhitelist() throws Exception {
+    Field f = RateLimiterServlet.class.getDeclaredField("ALLOWED_ADAPTERS");
+    f.setAccessible(true);
+    allowedAdapters = (Map<String, Class<? extends IRateLimiter>>) f.get(null);
+  }
+
+  // --- whitelist completeness ---
+
+  @Test
+  public void testWhitelistContainsAllLegitimateAdapters() {
+    assertNotNull("GlobalPreemptibleAdapter must be whitelisted",
+        allowedAdapters.get("GlobalPreemptibleAdapter"));
+    assertNotNull("QpsRateLimiterAdapter must be whitelisted",
+        allowedAdapters.get("QpsRateLimiterAdapter"));
+    assertNotNull("IPQPSRateLimiterAdapter must be whitelisted",
+        allowedAdapters.get("IPQPSRateLimiterAdapter"));
+    assertNotNull("DefaultBaseQqsAdapter must be whitelisted",
+        allowedAdapters.get("DefaultBaseQqsAdapter"));
+  }
+
+  @Test
+  public void testWhitelistMapsToCorrectClasses() {
+    assertTrue(allowedAdapters.get("GlobalPreemptibleAdapter")
+        .isAssignableFrom(GlobalPreemptibleAdapter.class));
+    assertTrue(allowedAdapters.get("QpsRateLimiterAdapter")
+        .isAssignableFrom(QpsRateLimiterAdapter.class));
+    assertTrue(allowedAdapters.get("IPQPSRateLimiterAdapter")
+        .isAssignableFrom(IPQPSRateLimiterAdapter.class));
+    assertTrue(allowedAdapters.get("DefaultBaseQqsAdapter")
+        .isAssignableFrom(DefaultBaseQqsAdapter.class));
+  }
+
+  // --- security: malicious class names must be rejected ---
+
+  @Test
+  public void testArbitraryClassNameIsRejected() {
+    // Simulates a tampered config: attacker supplies a fully-qualified class name
+    assertNull("Arbitrary class name must not be in whitelist",
+        allowedAdapters.get("com.evil.MaliciousAdapter"));
+  }
+
+  @Test
+  public void testPathTraversalStyleNameIsRejected() {
+    assertNull("Path-traversal style name must not be in whitelist",
+        allowedAdapters.get("../../../../evil.Payload"));
+  }
+
+  @Test
+  public void testEmptyStrategyIsRejected() {
+    assertNull("Empty strategy must not be in whitelist",
+        allowedAdapters.get(""));
+  }
+
+  @Test
+  public void testNullStrategyIsRejected() {
+    assertNull("Null strategy must not be in whitelist",
+        allowedAdapters.get(null));
+  }
+
+  @Test
+  public void testRuntimeClassIsRejected() {
+    // Attacker tries to load java.lang.Runtime to exec arbitrary commands
+    assertNull("java.lang.Runtime must not be in whitelist",
+        allowedAdapters.get("java.lang.Runtime"));
+  }
+
+  @Test
+  public void testProcessBuilderIsRejected() {
+    assertNull("java.lang.ProcessBuilder must not be in whitelist",
+        allowedAdapters.get("java.lang.ProcessBuilder"));
+  }
+
+  // --- whitelist is immutable (cannot be tampered at runtime) ---
+
+  @Test(expected = UnsupportedOperationException.class)
+  public void testWhitelistIsImmutable() {
+    // The map must be unmodifiable to prevent runtime injection
+    allowedAdapters.put("Injected", DefaultBaseQqsAdapter.class);
+  }
+
+  // --- all whitelisted entries implement IRateLimiter ---
+
+  @Test
+  public void testAllWhitelistedClassesImplementIRateLimiter() {
+    for (Map.Entry<String, Class<? extends IRateLimiter>> entry : allowedAdapters.entrySet()) {
+      assertTrue(
+          entry.getKey() + " must implement IRateLimiter",
+          IRateLimiter.class.isAssignableFrom(entry.getValue())
+      );
+    }
+  }
+
+  // --- whitelist size is exactly what we expect (no accidental additions) ---
+
+  @Test
+  public void testWhitelistSizeIsExact() {
+    assertFalse("Whitelist must not be empty", allowedAdapters.isEmpty());
+    assertTrue("Whitelist must contain exactly 4 adapters", allowedAdapters.size() == 4);
+  }
+}
