This repository has been archived by the owner on Apr 13, 2023. It is now read-only.
As discussed in this mailing list thread, for applications which deserialize untrusted data there's some security merit in being able to say at compile time what classes you expect to have to deserialize. This could be handled entirely by serialization libraries, but putting it in the serialization API makes it trivial for serialization library authors to implement.
Specifically this could be done by adding a functional parameter to deserialization(): if the serialization API was asked to instantiate any class for which whitelisted() returned false, an exception would be thrown.
Great you took it up! I find it well done and it has instructive tests. From a security perspective it would maybe need some helpers, e.g. to whitelist "org.myorg." and "ceylon." easily enough to get used in practice, but that can be done any time.
I would, however, suggest adding a serialization (i.e. not de-serialization) counterpart. This would make it easy to support older API versions, e.g. my server needs to support an old client that I know cannot handle certain types. By blacklisting types or evaluating their apiLevel tags during serialization I could help ensure my backwards compatibility guarantees in simple unit tests.
Regarding my last comment, the serialization counterpart could be informed by #6075 output, or the tool could even produce white/blacklisting code from API diffs for those who don't like maintaining compatibility level annotations.
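The two mechanisms discussed in this thread, a whitelist predicate consulted before the deserializer instantiates any class, and a serialization-side blacklist so a stream never carries a type an older client cannot handle, are shown below as an added example in Python rather than Ceylon; it is not code from this repository. Python's pickle module stands in for the Ceylon serialization API: its find_class hook is the single point through which every class reference in a stream is resolved, and reducer_override lets the serializer inspect each object before emitting it. The predicate signature whitelisted(module, name), the prefix_whitelist helper mirroring the "org.myorg." suggestion above, and the Invoice and AdminToken sample classes are assumptions constructed for this example.

```python
import io
import pickle
from typing import Callable, Iterable, Type

# Assumed predicate shape, mirroring the proposal: given the module and class
# name the deserializer is about to resolve, return True to allow it.
Whitelist = Callable[[str, str], bool]


def class_whitelist(*classes: Type) -> Whitelist:
    """Allow exactly the listed classes, matched by module and qualified name."""
    allowed = {(c.__module__, c.__qualname__) for c in classes}
    return lambda module, name: (module, name) in allowed


def prefix_whitelist(*prefixes: str) -> Whitelist:
    """Allow any class whose fully qualified name starts with one of the prefixes
    (the "org.myorg." style helper suggested above). Keep prefixes narrow: a
    prefix covering a whole standard library reopens the door this closes."""
    return lambda module, name: any(f"{module}.{name}".startswith(p) for p in prefixes)


class WhitelistingUnpickler(pickle.Unpickler):
    """Unpickler that consults the predicate before resolving any class reference."""

    def __init__(self, data: bytes, whitelisted: Whitelist) -> None:
        super().__init__(io.BytesIO(data))
        self._whitelisted = whitelisted

    def find_class(self, module: str, name: str):
        # pickle calls this for every global (class or function) named in the
        # stream, so this one hook gates everything the stream may instantiate.
        if not self._whitelisted(module, name):
            raise pickle.UnpicklingError(f"class not whitelisted: {module}.{name}")
        return super().find_class(module, name)


def deserialize(data: bytes, whitelisted: Whitelist):
    """Deserialize data, raising UnpicklingError if it names a non-whitelisted class."""
    return WhitelistingUnpickler(data, whitelisted).load()


class BlacklistingPickler(pickle.Pickler):
    """Serialization-side counterpart: refuse to emit instances of listed types."""

    def __init__(self, buffer: io.BytesIO, blacklist: Iterable[Type]) -> None:
        super().__init__(buffer, protocol=pickle.HIGHEST_PROTOCOL)
        self._blacklist = tuple(blacklist)

    def reducer_override(self, obj):
        # Called for each object (including those nested in containers) before
        # the normal reduction machinery runs.
        if isinstance(obj, self._blacklist):
            raise pickle.PicklingError(f"type not allowed in this stream: {type(obj).__qualname__}")
        return NotImplemented  # fall back to the default reduction for everything else


def serialize(obj, blacklist: Iterable[Type]) -> bytes:
    """Serialize obj, raising PicklingError if any blacklisted instance is reachable."""
    buf = io.BytesIO()
    BlacklistingPickler(buf, blacklist).dump(obj)
    return buf.getvalue()


class Invoice:
    """Constructed sample type the application expects to receive."""

    def __init__(self, amount: int) -> None:
        self.amount = amount


class AdminToken:
    """Constructed sample type that must never arrive from, or be sent to, a client."""

    def __init__(self, secret: str) -> None:
        self.secret = secret


def demo() -> dict:
    """Run both checks on constructed sample data and report the outcomes."""
    results = {}
    expected = class_whitelist(Invoice)

    # 1. The expected class round-trips normally.
    results["invoice_amount"] = deserialize(serialize(Invoice(42), []), expected).amount

    # 2. A stream naming a class the application never expected is rejected
    #    before any instance of it exists.
    try:
        deserialize(serialize(AdminToken("s3cr3t"), []), expected)
        results["unexpected_rejected"] = False
    except pickle.UnpicklingError:
        results["unexpected_rejected"] = True

    # 3. Serialization-side guard: a payload that accidentally contains a
    #    blacklisted type is refused instead of being sent to an old client.
    try:
        serialize({"invoice": Invoice(1), "token": AdminToken("x")}, [AdminToken])
        results["leak_blocked"] = False
    except pickle.PicklingError:
        results["leak_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The whitelist is evaluated on the class name, not on an instance, so a rejected stream never constructs the object it names; that is the property the proposal is after. Putting the check in the unpickler rather than around each call site makes it the kind of thing a unit test can pin down, which is also what the serialization-side blacklist gives for backwards-compatibility guarantees.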