From 426081c856ed967c9855247f577c680b058ccd98 Mon Sep 17 00:00:00 2001
From: Michael Stepankin <44605151+artsploit@users.noreply.github.com>
Date: Tue, 11 Nov 2025 10:29:47 +0000
Subject: [PATCH] Security fix: Resolve FastJSON deserialization vulnerability
(GHSL-2024-282)
- Upgrade FastJSON from 1.2.68 to 2.0.60 for enhanced security
- Remove dangerous ParserConfig.setAutoTypeSupport(true) calls
- Eliminate deserialization of untrusted data vulnerability
- Maintain backward compatibility using com.alibaba.fastjson imports
- FastJSON 2.0.60 has autoType disabled by default, preventing RCE
Fixes a vulnerability where, with autoType enabled, an attacker who controls a
JSON payload could use `@type` keys to instantiate arbitrary classes and
potentially achieve remote code execution.
---
KCenter-Base/pom.xml | 2 +-
.../main/java/org/nesc/ec/bigdata/service/KsqlDbService.java | 4 ----
2 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/KCenter-Base/pom.xml b/KCenter-Base/pom.xml
index cd70d29..cccb299 100644
--- a/KCenter-Base/pom.xml
+++ b/KCenter-Base/pom.xml
@@ -77,7 +77,7 @@
com.alibaba
fastjson
- 1.2.68
+ 2.0.60
diff --git a/KCenter-Core/src/main/java/org/nesc/ec/bigdata/service/KsqlDbService.java b/KCenter-Core/src/main/java/org/nesc/ec/bigdata/service/KsqlDbService.java
index 2f576b9..87170b5 100644
--- a/KCenter-Core/src/main/java/org/nesc/ec/bigdata/service/KsqlDbService.java
+++ b/KCenter-Core/src/main/java/org/nesc/ec/bigdata/service/KsqlDbService.java
@@ -4,7 +4,6 @@
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
-import com.alibaba.fastjson.parser.ParserConfig;
import org.nesc.ec.bigdata.cache.ConnectCache;
import org.nesc.ec.bigdata.exception.KSQLException;
import org.slf4j.Logger;
@@ -33,7 +32,6 @@ public String executeKsqlScript(String host,String body)throws KSQLException{
try{
String url = restService.generatorUrl(host,"/ksql");
ResponseEntity responseEntity = sendRequest(url,HttpMethod.POST,buildQuery(body,true));
- ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
List messageArray = JSON.parseArray(responseEntity.getBody(), String.class);
if(Objects.nonNull(messageArray) && !CollectionUtils.isEmpty(messageArray)){
JSONObject message = JSON.parseObject(messageArray.get(0));
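Review bot: Removing the `setAutoTypeSupport(true)` call stops this method from enabling autoType, but `ParserConfig.getGlobalInstance()` is process-wide, so the `parseArray`/`parseObject` calls on the last three lines are only as safe as every other call site in the JVM: any remaining or future `setAutoTypeSupport(true)` elsewhere re-exposes the body parsed here, which comes from whatever `host` resolves to and so should be treated as untrusted. Rather than relying on the library default, I would pin the policy once at startup with `ParserConfig.getGlobalInstance().setSafeMode(true);` (safeMode was introduced in 1.2.68 and, as far as I know, is kept by the 2.x compatibility `ParserConfig`) or the equivalent `fastjson.parser.safeMode=true` system property, and leave a why-comment at the parse, e.g. `// response body is untrusted: autoType must stay off (pinned via safeMode at startup)`. The enclosing `executeKsqlScript` starts before this hunk.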
@@ -46,7 +44,6 @@ public String executeKsqlScript(String host,String body)throws KSQLException{
}
return "";
}catch (HttpClientErrorException e){
- ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
JSONObject message = JSON.parseObject(e.getResponseBodyAsString());
LOGGER.error("execute ksql script has error,",e);
throw new KSQLException(message.getString("message"));
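Review bot: `message` on the last line can be null, because `JSON.parseObject` returns null for an empty string (fastjson 1.x does, and I believe the 2.x compatibility layer does too) and Spring's `getResponseBodyAsString()` yields an empty string when the 4xx response carries no body; the resulting NullPointerException replaces the `HttpClientErrorException` that was just logged, and a non-JSON error body (an HTML page from a proxy, for example) fails the same way with a `JSONException`. Since the parser is now fastjson2, which is generally stricter about malformed input than 1.2.68, this catch block deserves a guard, e.g. `String body = e.getResponseBodyAsString();`, `JSONObject message = body.isEmpty() ? null : JSON.parseObject(body);`, `throw new KSQLException(message == null ? e.getStatusText() : message.getString("message"));`, with a `JSONException` fallback around the parse so the original HTTP error is never masked. This catch block belongs to `executeKsqlScript`, whose start is outside the hunk.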
@@ -57,7 +54,6 @@ public String executeQueryScript(String host, String body,boolean isKsqlQuery) t
try{
String query = isKsqlQuery?"/ksql":"/query";
String url = restService.generatorUrl(host,query);
- ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
ResponseEntity responseEntity = sendRequest(url,HttpMethod.POST,buildQuery(body,true));
return responseEntity.getBody();
}catch (HttpClientErrorException e){