ENT-1564 - add additional uploader check to the HashConstraint (#2845) (#2881)

* ENT-1564 - add additional uploader check to the HashConstraint (#2845)

(cherry picked from commit 1a1cd94)

* ENT-1564 changelog entry

* ENT-1564 ignored tests that were removed in master

core/src/main/kotlin/net/corda/core/contracts/AttachmentConstraint.kt

@@ -4,6 +4,7 @@ import net.corda.core.DoNotImplement
 import net.corda.core.contracts.AlwaysAcceptAttachmentConstraint.isSatisfiedBy
 import net.corda.core.crypto.SecureHash
 import net.corda.core.internal.AttachmentWithContext
+import net.corda.core.internal.isUploaderTrusted
 import net.corda.core.serialization.CordaSerializable
 
 /** Constrain which contract-code-containing attachment can be used with a [ContractState]. */
@@ -19,9 +20,17 @@ object AlwaysAcceptAttachmentConstraint : AttachmentConstraint {
     override fun isSatisfiedBy(attachment: Attachment) = true
 }
 
-/** An [AttachmentConstraint] that verifies by hash */
+/**
+ * An [AttachmentConstraint] that verifies by hash.
+ * The state protected by this constraint can only be used in a transaction created with that version of the jar.
+ * And a receiving node will only accept it if a cordapp with that hash has (is) been deployed on the node.
+ */
 data class HashAttachmentConstraint(val attachmentId: SecureHash) : AttachmentConstraint {
-    override fun isSatisfiedBy(attachment: Attachment) = attachment.id == attachmentId
+    override fun isSatisfiedBy(attachment: Attachment): Boolean {
+        return if (attachment is AttachmentWithContext) {
+            attachment.id == attachmentId && isUploaderTrusted(attachment.contractAttachment.uploader)
+        } else false
+    }
 }
 
 /**

core/src/main/kotlin/net/corda/core/internal/AbstractAttachment.kt

@@ -20,6 +20,9 @@ const val TEST_UPLOADER = "test"
 const val P2P_UPLOADER = "p2p"
 const val UNKNOWN_UPLOADER = "unknown"
 
+fun isUploaderTrusted(uploader: String?) =
+        uploader?.let { it in listOf(DEPLOYED_CORDAPP_UPLOADER, RPC_UPLOADER, TEST_UPLOADER) } ?: false
+
 abstract class AbstractAttachment(dataLoader: () -> ByteArray) : Attachment {
     companion object {
         fun SerializeAsTokenContext.attachmentDataLoader(id: SecureHash): () -> ByteArray {

docs/source/changelog.rst

@@ -18,6 +18,9 @@ Unreleased
   released in gradle plugins version 3.0.10. For more information on the api scanner see
   the `documentation <https://github.com/corda/corda-gradle-plugins/tree/master/api-scanner>`_.
 
+* Fixed security vulnerability when using the ``HashAttachmentConstraint``. Added strict check that the contract JARs
+  referenced in a transaction were deployed on the node.
+
 .. _changelog_v3:
 
 Version 3.0

node-api/src/main/kotlin/net/corda/nodeapi/internal/AttachmentsClassLoader.kt

@@ -3,7 +3,7 @@ package net.corda.nodeapi.internal
 import net.corda.core.contracts.Attachment
 import net.corda.core.contracts.ContractAttachment
 import net.corda.core.crypto.SecureHash
-import net.corda.core.internal.DEPLOYED_CORDAPP_UPLOADER
+import net.corda.core.internal.isUploaderTrusted
 import net.corda.core.serialization.CordaSerializable
 import java.io.ByteArrayInputStream
 import java.io.ByteArrayOutputStream
@@ -33,7 +33,7 @@ class AttachmentsClassLoader(attachments: List<Attachment>, parent: ClassLoader
     }
 
     init {
-        require(attachments.mapNotNull { it as? ContractAttachment }.none { it.uploader != DEPLOYED_CORDAPP_UPLOADER }) {
+        require(attachments.mapNotNull { it as? ContractAttachment }.all { isUploaderTrusted(it.uploader) }) {
             "Attempting to load Contract Attachments downloaded from the network"
         }
 

verifier/src/integration-test/kotlin/net/corda/verifier/VerifierTests.kt

@@ -42,6 +42,7 @@ class VerifierTests {
         return transactions.map { currentLedger.resolveWireTransaction(it) }
     }
 
+    @Ignore
     @Test
     fun `single verifier works with requestor`() {
         verifierDriver(extraCordappPackagesToScan = listOf("net.corda.finance.contracts")) {
@@ -74,6 +75,7 @@ class VerifierTests {
         }
     }
 
+    @Ignore
     @Test
     fun `multiple verifiers work with requestor`() {
         verifierDriver {