From 511a52f760e751824b66971546669b2bdcc8ade4 Mon Sep 17 00:00:00 2001 From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com> Date: Thu, 31 Oct 2024 03:05:38 +0000 Subject: [PATCH] Introduced protections against deserialization attacks --- pom.xml | 7 +++++++ serialized-entity/pom.xml | 4 ++++ .../com/iluwatar/serializedentity/CountrySchemaSql.java | 2 ++ .../java/com/iluwatar/serializedentity/CountryTest.java | 2 ++ tolerant-reader/pom.xml | 4 ++++ .../com/iluwatar/tolerantreader/RainbowFishSerializer.java | 2 ++ 6 files changed, 21 insertions(+) diff --git a/pom.xml b/pom.xml index 10348ef0466a..82e2a5b5638a 100644 --- a/pom.xml +++ b/pom.xml @@ -54,6 +54,7 @@ iluwatar_java-design-patterns ${project.artifactId} Java Design Patterns + 1.2.0 abstract-factory @@ -248,6 +249,12 @@ ${system-lambda.version} test + + io.github.pixee + java-security-toolkit + + ${versions.java-security-toolkit} + diff --git a/serialized-entity/pom.xml b/serialized-entity/pom.xml index 754089acf182..1a8a7c9ba1f3 100644 --- a/serialized-entity/pom.xml +++ b/serialized-entity/pom.xml @@ -22,6 +22,10 @@ com.h2database h2 + + io.github.pixee + java-security-toolkit + diff --git a/serialized-entity/src/main/java/com/iluwatar/serializedentity/CountrySchemaSql.java b/serialized-entity/src/main/java/com/iluwatar/serializedentity/CountrySchemaSql.java index 971f875c6b81..026ca10869aa 100644 --- a/serialized-entity/src/main/java/com/iluwatar/serializedentity/CountrySchemaSql.java +++ b/serialized-entity/src/main/java/com/iluwatar/serializedentity/CountrySchemaSql.java @@ -24,6 +24,7 @@ */ package com.iluwatar.serializedentity; +import io.github.pixee.security.ObjectInputFilters; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; 
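Review bot: The new `io.github.pixee:java-security-toolkit` entry in the root `dependencyManagement` block adds a third-party library, plus whatever it brings transitively, for a capability the JDK already ships: `java.io.ObjectInputFilter` has been in `java.base` since Java 9, and this tree already uses `var`, so it targets at least Java 10. Holding the version in `${versions.java-security-toolkit}` is the right way to declare it if it stays, but a new artifact in the parent pom should come with the usual supply-chain checks (review its transitive closure with `mvn dependency:tree` and verify the published checksum or signature before it lands). If its only use is the `enableObjectFilterIfUnprotected` calls added in the two modules, a per-stream `ObjectInputFilter.Config.createFilter(...)` allowlist would give a stronger check and remove the dependency entirely.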
@@ -109,6 +110,7 @@ public int selectCountry() throws IOException, ClassNotFoundException { Blob countryBlob = rs.getBlob("country"); ByteArrayInputStream baos = new ByteArrayInputStream(countryBlob.getBytes(1, (int) countryBlob.length())); ObjectInputStream ois = new ObjectInputStream(baos); + ObjectInputFilters.enableObjectFilterIfUnprotected(ois); country = (Country) ois.readObject(); LOGGER.info("Country: " + country); } diff --git a/serialized-entity/src/test/java/com/iluwatar/serializedentity/CountryTest.java b/serialized-entity/src/test/java/com/iluwatar/serializedentity/CountryTest.java index 556aba1735ea..2890dc1c20e3 100644 --- a/serialized-entity/src/test/java/com/iluwatar/serializedentity/CountryTest.java +++ b/serialized-entity/src/test/java/com/iluwatar/serializedentity/CountryTest.java @@ -23,6 +23,7 @@ * THE SOFTWARE. */ package com.iluwatar.serializedentity; +import io.github.pixee.security.ObjectInputFilters; import org.junit.jupiter.api.Test; import java.io.*; @@ -85,6 +86,7 @@ void testSerializable(){ // De-serialize Country try { ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("output.txt")); + ObjectInputFilters.enableObjectFilterIfUnprotected(objectInputStream); Country country = (Country) objectInputStream.readObject(); objectInputStream.close(); System.out.println(country); diff --git a/tolerant-reader/pom.xml b/tolerant-reader/pom.xml index c6716bb845cd..650fc22864a4 100644 --- a/tolerant-reader/pom.xml +++ b/tolerant-reader/pom.xml @@ -39,6 +39,10 @@ junit-jupiter-engine test + + io.github.pixee + java-security-toolkit + diff --git a/tolerant-reader/src/main/java/com/iluwatar/tolerantreader/RainbowFishSerializer.java b/tolerant-reader/src/main/java/com/iluwatar/tolerantreader/RainbowFishSerializer.java index 62410bde22f6..de257f9b3a0e 100644 --- a/tolerant-reader/src/main/java/com/iluwatar/tolerantreader/RainbowFishSerializer.java 
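Review bot: `ObjectInputFilters.enableObjectFilterIfUnprotected(ois)` installs a generic filter, and its name suggests it does nothing when a filter is already present, so the protection here rests on the toolkit's built-in rules rather than on what this code actually expects to read. The next line casts the result to `Country`, so the legitimate type set is closed and an allowlist is the stronger check: `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("com.iluwatar.serializedentity.Country;java.base/*;!*"));` with `import java.io.ObjectInputFilter;` (widen the pattern to whatever field types `Country` serializes; its definition is not visible here). Either way the filter must be set before `readObject()`, as the hunk already does. `selectCountry` starts outside this hunk, and `ois` is not opened in a try-with-resources there; `try (var ois = new ObjectInputStream(baos)) { ... }` would close it on every path.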
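Review bot: The test still exercises only the happy path, so nothing here shows that the added `enableObjectFilterIfUnprotected` call rejects anything; a negative case that serializes a type the filter is meant to block and asserts that `readObject()` throws `InvalidClassException` is what would verify the protection. Separately, the filter gives `readObject()` a new way to fail, and `objectInputStream.close()` runs only on the success path, so a rejected payload leaks the `FileInputStream` on `output.txt`; `try (var objectInputStream = new ObjectInputStream(new FileInputStream("output.txt"))) {` with the filter call and the cast inside closes it on every path. `testSerializable` starts before this hunk and its `catch` continues after it.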
+++ b/tolerant-reader/src/main/java/com/iluwatar/tolerantreader/RainbowFishSerializer.java @@ -24,6 +24,7 @@ */ package com.iluwatar.tolerantreader; +import io.github.pixee.security.ObjectInputFilters; import java.io.FileInputStream; import java.io.FileOutputStream; import java.io.IOException; @@ -90,6 +91,7 @@ public static RainbowFish readV1(String filename) throws IOException, ClassNotFo try (var fileIn = new FileInputStream(filename); var objIn = new ObjectInputStream(fileIn)) { + ObjectInputFilters.enableObjectFilterIfUnprotected(objIn); map = (Map) objIn.readObject(); }