Ported object-file IO onto a safe codec to mitigate gadget chain attack

[novatechflow]

Port object-file IO onto a safe codec

• add ObjectFileSerializationMode + helper to switch between legacy Java serialization and a JSON-based format, with unit tests covering both paths
• rework Java/Flink/Spark object-file sources/sinks (and Flink’s output format) to use the shared serializer, log deprecation warnings for the legacy mode, and stop calling raw ObjectInputStream
• update Spark’s SequenceFile readers/writers to chunk records via RDD transformations and share logic with the new serializer

Motivation: the legacy path deserializes untrusted SequenceFile payloads via ObjectInputStream.readObject, letting an attacker ship a gadget chain that runs arbitrary bytecode inside the Wayang JVM. That RCE can be used to execute system commands, exfiltrate data, or tamper with jobs, so we move to JSON by default and require explicit opt-in for the old codec.

========================== IMPORTANT =========================
Before we merge test the patch, ideally in a setup with source and sink platforms. Compilation and tests when through in my setup.

mvn -pl wayang-commons/wayang-basic -Dtest=org.apache.wayang.basic.operators.ObjectFileSerializationTest test
[INFO] Building Wayang Basic 1.1.1-SNAPSHOT
[WARNING] 2 problems were encountered while building the effective model for org.apache.yetus:audience-annotations:jar:0.5.0 during dependency collection step for project (use -X to see details)
[INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.683 s
[INFO] Finished at: 2025-12-08T19:47:45+01:00
[INFO] ------------------------------------------------------------------------

[zkaoudi]

There are individual operator tests for sources and sinks in each platform. See eg:
https://github.com/apache/incubator-wayang/blob/afb8e413c13b20c5094c818ec2d0b9cf92d499f0/wayang-platforms/wayang-java/src/test/java/org/apache/wayang/java/operators/JavaObjectFileSourceTest.java

Which setup would you suggest for testing besides these tests?

[novatechflow]

@zkaoudi - did a local test with Flink, no issues - let’s merge if no objections. Can you please check if we might have a collision with #639?

[juripetersen]

If deprecated, shouldn't this utilize the JSON variant by default?

[juripetersen]

If deprecated, shouldn't this utilize the JSON variant by default?

[juripetersen]

If deprecated, shouldn't this utilize the JSON variant by default?

[novatechflow]

we should not switch off functions directly, instead give users a certain amount of time to use the new feature for backwards compatibility. Thoughts?

[juripetersen]

I think it depends on the consequences for the user. If they have to implement further things to make sure their data types implement Serializable, I agree. If this is a change without any overhead for the user, fixing a potential security threat, then it should be the new default.

[juripetersen]

This is repeated in every implementation extending ObjectFileSink, so it should just be moved there and called here for checking the serializationMode

[juripetersen]

This field could also be moved to the ObjectFileSink to make it less redundant.

[novatechflow]

Yeah, but (I know ...) from past experiences it's better to tell every time a soon deprecated function is called. We can refactor it, main goal is to close the already known security bug.

[novatechflow]

created #640 - my fork gots messy with merges.