7 changes: 7 additions & 0 deletions pom.xml
Expand Up @@ -54,6 +54,7 @@
<sonar.projectKey>iluwatar_java-design-patterns</sonar.projectKey>
<sonar.moduleKey>${project.artifactId}</sonar.moduleKey>
<sonar.projectName>Java Design Patterns</sonar.projectName>
<versions.java-security-toolkit>1.1.3</versions.java-security-toolkit>
</properties>
<modules>
<module>abstract-factory</module>
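Review bot: the new property name `versions.java-security-toolkit` breaks the naming convention this pom already uses, where the artifact comes first and `.version` last (compare `${system-lambda.version}` in the dependencyManagement block further down). Suggest renaming it to `java-security-toolkit.version` and updating the `${...}` reference in the new dependencyManagement entry to match, so the properties block stays consistent and sortable.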
Expand Down Expand Up @@ -248,6 +249,12 @@
<version>${system-lambda.version}</version>
<scope>test</scope>
</dependency>
Author
This library holds security tools for protecting Java API calls.

License: MIT ✅ | Open source ✅ | More facts

<dependency>
<groupId>io.github.pixee</groupId>
<artifactId>java-security-toolkit</artifactId>
<version>${versions.java-security-toolkit}</version>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
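Review bot: this dependencyManagement entry is the only place in the repository that records why `io.github.pixee:java-security-toolkit` is being pulled in, and the explanation given in the PR comment ("security tools for protecting Java API calls") will not survive in the pom. Suggest a one-line XML comment above the `<dependency>` naming the intended use (supplying `ObjectInputFilters` for the `ObjectInputStream` reads in serialized-entity and tolerant-reader) so a later maintainer can tell whether the dependency is still needed. Leaving the scope unset (compile) is correct here, since the filter call lives in main code rather than tests.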
4 changes: 4 additions & 0 deletions serialized-entity/pom.xml
Expand Up @@ -22,6 +22,10 @@
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
</dependency>
<dependency>
Author
This library holds security tools for protecting Java API calls.

License: MIT ✅ | Open source ✅ | More facts

<groupId>io.github.pixee</groupId>
<artifactId>java-security-toolkit</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
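Review bot: the entry omits `<version>`, which is only correct if this module's parent is the root pom that pins `${versions.java-security-toolkit}` in dependencyManagement; the hunk does not show the `<parent>` block, so please confirm the version resolves. It is also worth running `mvn dependency:tree` in this module to check that the toolkit brings in no transitive dependencies that conflict with the H2 entry directly above it.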
Expand Up @@ -24,6 +24,7 @@
*/
package com.iluwatar.serializedentity;

import io.github.pixee.security.ObjectInputFilters;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
Expand Down Expand Up @@ -109,6 +110,7 @@ public int selectCountry() throws IOException, ClassNotFoundException {
Blob countryBlob = rs.getBlob("country");
ByteArrayInputStream baos = new ByteArrayInputStream(countryBlob.getBytes(1, (int) countryBlob.length()));
ObjectInputStream ois = new ObjectInputStream(baos);
ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
country = (Country) ois.readObject();
LOGGER.info("Country: " + country);
Comment on lines 111 to 115
The code is vulnerable to Java deserialization attacks because it deserializes objects without validating the source or the content of the serialized data. This can lead to various attacks, including arbitrary code execution if the application is processing data from untrusted sources.

To mitigate this risk, it's recommended to implement a more secure form of serialization or use a library that provides safe deserialization features. Additionally, consider using validation mechanisms such as custom ObjectInputFilters to check the classes being deserialized or the size of the object graph being created.

}
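Review bot: the call `ObjectInputFilters.enableObjectFilterIfUnprotected(ois);` is placed correctly (after the stream is constructed and before `readObject()`), but its name says it only installs a filter when the stream has none, so the protection depends on whatever default the toolkit applies rather than on this code's knowledge of the payload. Since the stream is read exactly once into `Country`, suggest an explicit allow-list instead, e.g. `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("com.iluwatar.serializedentity.Country;java.lang.String;!*;maxdepth=5"))` extended with whatever types `Country`'s fields use. If the toolkit call is kept as a fallback, the explicit `setObjectInputFilter` must come first: `ObjectInputStream.setObjectInputFilter` throws `IllegalStateException` when a filter is already set. Two pre-existing nits in the same lines: `ois` is not in a try-with-resources block, so it is never closed, and the variable named `baos` is a `ByteArrayInputStream`, not an output stream.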
4 changes: 4 additions & 0 deletions tolerant-reader/pom.xml
Expand Up @@ -39,6 +39,10 @@
<artifactId>junit-jupiter-engine</artifactId>
<scope>test</scope>
</dependency>
<dependency>
Author
This library holds security tools for protecting Java API calls.

License: MIT ✅ | Open source ✅ | More facts

<groupId>io.github.pixee</groupId>
<artifactId>java-security-toolkit</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
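Review bot: same pattern as the serialized-entity module: no `<version>` here, so it relies on the root dependencyManagement entry, and the `<parent>` block that would confirm the inheritance is outside the hunk. Note the entry sits directly after a `<scope>test</scope>` junit dependency but carries no scope of its own, which is what `readV1` needs because `ObjectInputFilters` is called from production code; a comment saying so would stop a later cleanup from moving it into test scope.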
Expand Up @@ -24,6 +24,7 @@
*/
package com.iluwatar.tolerantreader;

import io.github.pixee.security.ObjectInputFilters;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
Expand Down Expand Up @@ -90,6 +91,7 @@ public static RainbowFish readV1(String filename) throws IOException, ClassNotFo

try (var fileIn = new FileInputStream(filename);
var objIn = new ObjectInputStream(fileIn)) {
ObjectInputFilters.enableObjectFilterIfUnprotected(objIn);
map = (Map<String, String>) objIn.readObject();
Comment on lines 92 to 95
The use of ObjectInputStream without a proper validation mechanism for deserialized objects can lead to security vulnerabilities, such as arbitrary code execution if the content of the file is malicious. While ObjectInputFilters.enableObjectFilterIfUnprotected(objIn); is an attempt to mitigate this, it's crucial to ensure that the filter is correctly configured to only allow safe classes to be deserialized. The recommended solution is to explicitly check or restrict the classes that can be deserialized by configuring the ObjectInputFilter to only allow known safe classes.
Casting the result of objIn.readObject() directly to (Map<String, String>) without checking can lead to a ClassCastException if the object read is not actually a Map<String, String>. This can be a problem especially when dealing with serialized objects from untrusted sources or when the serialized form might change. It's recommended to perform a type check before casting, or use a safer deserialization method that can handle type mismatches gracefully.

}
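Review bot: agree with both comments above, and since `readV1` always expects a `Map<String, String>`, this is a case where an explicit allow-list is both tighter and simpler than relying on the toolkit's default: `objIn.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.HashMap;java.lang.String;!*;maxdepth=3;maxrefs=1000"))` (adjusting the concrete map class to whatever the writer side serializes) before `readObject()`. It must be called before, not after, `enableObjectFilterIfUnprotected`, because `setObjectInputFilter` throws `IllegalStateException` once a filter is set; at that point the toolkit call becomes a harmless no-op and could be dropped. For the cast, suggest reading into an `Object`, rejecting it with an `IOException` if it is not an `instanceof Map`, and copying entries into a new `Map<String, String>` while checking that each key and value is a `String`, since the generic cast cannot verify element types at runtime.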
