
Harden XML parsing, serialization, and randomness#3075

Merged: CydeWeys merged 2 commits into google:master from CydeWeys:security-audit on Jun 1, 2026

Conversation

@CydeWeys CydeWeys (Member) commented May 29, 2026

This commit introduces several security hardening improvements across the codebase:

1. XML Processing: Hardened `TransformerFactory` and `SchemaFactory` instantiations in `EppMessage.java` by explicitly enabling `XMLConstants.FEATURE_SECURE_PROCESSING` and disabling external schema access.
2. Randomness: Replaced instances of `java.util.Random` with `java.security.SecureRandom` in `SelfSignedCaCertificate.java` for stronger entropy. (Added documentation in `ProxyModule.java` explaining why `java.util.Random` is intentionally retained there for metrics sampling.)
3. Deserialization: Hardened `SerializeUtils.java` by injecting an `ObjectInputFilter` into the `ObjectInputStream`, restricting deserialization strictly to expected `google.registry` classes and standard Java collections.
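Items 1 and 3 of the description, the secured JAXP factories and the allowlisting `ObjectInputFilter`, as an added Java (9+) example that is not code from this PR or from the repository it modifies. The class and method names, the limits, and the exact allowlist (`google.registry.**` plus a fixed set of `java.util` collections) are this example's assumptions; the only thing taken from the PR is the intent of each step. The `NotAllowed` class stands in for any class outside the allowlist and shows the filter rejecting it before its `readObject` can run.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;

/** Hypothetical hardening helpers; names, limits and allowlist are this example's assumptions. */
public final class HardeningExample {

  /** Secure processing on, and no fetching of external DTDs or stylesheets during a transform. */
  static TransformerFactory secureTransformerFactory() throws TransformerConfigurationException {
    TransformerFactory factory = TransformerFactory.newInstance();
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // An empty protocol list means no protocol is permitted, so no network or file fetches.
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    return factory;
  }

  /** Secure processing on, and no fetching of external DTDs or schemas while compiling a schema. */
  static SchemaFactory secureSchemaFactory() throws SAXException {
    SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // xs:include / xs:import that point outside the supplied sources will fail rather than fetch.
    factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    return factory;
  }

  /**
   * Allowlist filter (assumed composition): google.registry classes in any subpackage, a fixed
   * set of java.util collections, boxed primitives, and nothing else ("!*" rejects every other
   * class). Arrays are judged by their component type; the limits bound oversized object graphs.
   */
  static ObjectInputFilter registryFilter() {
    return ObjectInputFilter.Config.createFilter(
        "maxdepth=20;maxarray=100000;maxrefs=100000;"
            + "google.registry.**;"
            + "java.util.ArrayList;java.util.HashMap;java.util.HashSet;java.util.LinkedHashMap;"
            + "java.util.LinkedHashSet;java.util.TreeMap;java.util.TreeSet;java.util.Collections$*;"
            + "java.lang.*;"
            + "!*");
  }

  static byte[] serialize(Object value) throws IOException {
    ByteArrayOutputStream bytes = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
      out.writeObject(value);
    }
    return bytes.toByteArray();
  }

  /** The filter must be attached before the first readObject(), which is why it is set here. */
  static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
    try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
      in.setObjectInputFilter(registryFilter());
      return in.readObject();
    }
  }

  /** Stand-in for any Serializable class outside the allowlist. */
  static final class NotAllowed implements Serializable {
    private static final long serialVersionUID = 1L;
  }

  public static void main(String[] args) throws Exception {
    // Both factory constructors throw at startup if the provider rejects the hardening settings.
    secureTransformerFactory();
    secureSchemaFactory();

    // Constructed sample: a plain ArrayList of strings round-trips because ArrayList is allowlisted.
    List<String> hosts = new ArrayList<>(List.of("ns1.example", "ns2.example"));
    System.out.println("accepted: " + deserialize(serialize(hosts)));

    // A class not on the list is refused with InvalidClassException("filter status: REJECTED").
    try {
      deserialize(serialize(new NotAllowed()));
      System.out.println("BUG: NotAllowed was deserialized");
    } catch (InvalidClassException expected) {
      System.out.println("rejected: " + expected.getMessage());
    }
  }
}
```

Two caveats worth a unit test: the `ACCESS_EXTERNAL_*` attributes are honoured by the JDK-bundled Xalan and Xerces, but a third-party `TransformerFactory` or `SchemaFactory` discovered on the classpath may throw `IllegalArgumentException` for them, so calling the factory methods from a test catches a provider swap at build time rather than in production. The stream-level filter is the primary control; a JVM-wide `jdk.serialFilter` property can sit behind it as defence in depth for any `ObjectInputStream` that forgets to set one.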

@CydeWeys CydeWeys requested a review from gbrodman May 29, 2026 20:47
@CydeWeys CydeWeys enabled auto-merge May 29, 2026 20:47
@gbrodman gbrodman (Collaborator) left a comment

@gbrodman reviewed 7 files and all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on CydeWeys).

@CydeWeys CydeWeys added this pull request to the merge queue Jun 1, 2026
Merged via the queue into google:master with commit 0030645 Jun 1, 2026
15 checks passed
@CydeWeys CydeWeys deleted the security-audit branch June 1, 2026 15:13
