58 - Java Serialization using ObjectInputFilter as pattern based - Code Demo 4

@backstreetbrogrammer
--------------------------------------------------------------------------------
Chapter 21 - Java Serialization using ObjectInputFilter as pattern based - Code Demo 4
--------------------------------------------------------------------------------
Deserialization of untrusted data can lead to vulnerabilities that allow an attacker to execute arbitrary code.
The readObject() method of ObjectInputStream will construct any serializable object whose class can be found on the classpath before passing it back to the caller.
Thus, if a rogue process sent us very large arrays or instances of classes that could be considered dangerous, we could perhaps check the generated instances using the ObjectInputValidation interface, but at that point the instance has already been constructed. We might already have run out of memory on the server or been compromised in some other way.
It also means that if an attacker is able to put malicious data into the serialized object, this can cause serious security issues for the system.
To prevent Java deserialization vulnerabilities, an application has to restrict the set of classes that may be deserialized.
To do so, we can use serialization filters via the ObjectInputFilter interface introduced in Java 9.
It has a method checkInput(FilterInfo), and the FilterInfo provides the following information to check:
- serialClass(): the class of an object being deserialized
- arrayLength(): the number of array elements when deserializing an array of the class
- depth(): the depth of the object graph at that point
- references(): the current number of object references
- streamBytes(): the current number of bytes consumed
The method checkInput(FilterInfo) returns one of Status.UNDECIDED, Status.ALLOWED, or Status.REJECTED.
Return ALLOWED if we want the object to be accepted, or REJECTED if we want it to be rejected.
UNDECIDED means this filter expresses no opinion and lets other filters decide: the object is neither allowed nor rejected by it.
We can implement serialization filters in 2 ways:
- Custom filters, by implementing the checkInput(FilterInfo) method of the ObjectInputFilter interface
- Pattern-based filters, which can accept or reject specific classes, packages, or modules: a class that matches a pattern preceded by ! is rejected, and a class that matches a pattern without ! is accepted.
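The following is an added example, not the channel's own demo code, showing a pattern-based filter in action. It builds the filter from a pattern string with ObjectInputFilter.Config.createFilter and installs it on the stream with setObjectInputFilter before the first readObject(). The Order class, the demo package name and the pattern "maxdepth=5;maxarray=100;demo.**;!*" are constructed for this illustration; the filter methods and the InvalidClassException raised on rejection are the real JDK behaviour.

```java
package demo;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Array;
import java.util.ArrayList;
import java.util.List;

/** Added example: allowlisting deserialization with a pattern-based ObjectInputFilter. */
public class PatternFilterDemo {

    /** A constructed application class that we are willing to deserialize. */
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;      // String values are written inline (no class descriptor), so they are not pattern-matched
        final int quantity;   // primitives are never matched against class patterns
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
        @Override public String toString() { return "Order[" + id + " x" + quantity + "]"; }
    }

    // Allowlist pattern (constructed for this example). Patterns are tried left to right and the
    // first match decides: limits first, then accept everything under demo.** (package and
    // subpackages), then reject every other class with "!*".
    static final String ALLOWLIST = "maxdepth=5;maxarray=100;demo.**;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with a per-stream filter; it must be set before the first readObject(). */
    static Object deserialize(byte[] bytes, String pattern) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    /** Round-trips a payload through the filtered stream and reports the filter's verdict. */
    static String attempt(String label, Object payload) throws IOException, ClassNotFoundException {
        try {
            Object result = deserialize(serialize(payload), ALLOWLIST);
            return label + ": ACCEPTED -> " + describe(result);
        } catch (InvalidClassException e) {
            // A REJECTED status surfaces as InvalidClassException("filter status: REJECTED")
            // before any instance of the offending class or array has been created.
            return label + ": REJECTED (" + e.getMessage() + ")";
        }
    }

    static String describe(Object o) {
        if (o.getClass().isArray()) {
            return o.getClass().getSimpleName() + " of length " + Array.getLength(o);
        }
        return o.toString();
    }

    public static void main(String[] args) throws Exception {
        // Accepted: the class matches demo.**
        System.out.println(attempt("application class", new Order("A-1", 3)));
        // Accepted: primitive arrays are not class-matched and 50 <= maxarray=100
        System.out.println(attempt("small primitive array", new int[50]));
        // Rejected by maxarray=100 before the 1000-element array is allocated
        System.out.println(attempt("oversized primitive array", new int[1000]));
        // Rejected by "!*": java.util.ArrayList is not on the allowlist
        List<String> list = new ArrayList<>();
        list.add("x");
        System.out.println(attempt("JDK collection class", list));
    }
}
```

The same pattern syntax can be applied process-wide instead of per stream, either with the jdk.serialFilter system property (-Djdk.serialFilter=...) or programmatically via ObjectInputFilter.Config.setSerialFilter; a per-stream filter as above is useful when different endpoints accept different object types. Ending the pattern with "!*" turns it into a true allowlist, which is the safer default: anything not explicitly named is refused.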
#java #javadevelopers #javaprogramming #javaserialization