Skip to content

Commit

Permalink
Fixed: Adds a blacklist (to be renamed soon to denylist) in Java seri…
Browse files Browse the repository at this point in the history
…alisation (OFBIZ-12167)

Adds an example based on RMI which is known to be a problem
  • Loading branch information
JacquesLeRoux committed Feb 5, 2021
1 parent 11634ae commit af9ed4e
Showing 1 changed file with 11 additions and 2 deletions.
Expand Up @@ -62,9 +62,18 @@ public SafeObjectInputStream(InputStream in) throws IOException {

@Override
protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
if (!whitelistPattern.matcher(classDesc.getName()).find()) {
String className = classDesc.getName();
// BlackList exploits; eg: don't allow RMI here
if (className.contains("java.rmi.server")) {
Debug.logWarning("***Incompatible class***: "
+ classDesc.getName()
+ ". java.rmi.server classes are not allowed for security reason",
"SafeObjectInputStream");
return null;
}
if (!whitelistPattern.matcher(className).find()) {
// DiskFileItem, FileItemHeadersImpl are not serializable.
if (classDesc.getName().contains("org.apache.commons.fileupload")) {
if (className.contains("org.apache.commons.fileupload")) {
return null;
}
Debug.logWarning("***Incompatible class***: "
Expand Down

0 comments on commit af9ed4e

Please sign in to comment.