
[BACKPORT 3.10.x] Add basic protection against untrusted deserialization. #13080

Merged
merged 1 commit into from May 15, 2018

Conversation

kwart (Member) commented May 14, 2018

Backport of #12230 to 3.10.x.

The configuration of the backported feature doesn't depend on XSD changes, but it is based on the following Hazelcast group properties:

| Property name | Description | Default value |
|---|---|---|
| `hazelcast.serialization.filter.enabled` | Enables Java deserialization protection - filtering based on blacklist and whitelist. | `false` |
| `hazelcast.serialization.filter.blacklist.classes` | Comma-separated list of blacklisted class names in the Java deserialization protection feature. | `""` (empty) |
| `hazelcast.serialization.filter.blacklist.packages` | Comma-separated list of blacklisted package names in the Java deserialization protection feature. | `""` (empty) |
| `hazelcast.serialization.filter.whitelist.classes` | Comma-separated list of whitelisted class names in the Java deserialization protection feature. | `""` (empty) |
| `hazelcast.serialization.filter.whitelist.packages` | Comma-separated list of whitelisted package names in the Java deserialization protection feature. | `""` (empty) |

If both *.blacklist.classes and *.blacklist.packages properties are empty and deserialization protection is enabled, then a hardcoded list of well known vulnerable classes and packages is used.
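To make the blacklist/whitelist semantics described in the PR concrete, here is an added, stand-alone example that is not Hazelcast's code and not part of this PR. It builds an equivalent class-name filter on the JDK's own `java.io.ObjectInputFilter` hook (Java 9+), fed from the same four comma-separated lists the table above configures. The precedence (blacklist checked first, then whitelist; an empty whitelist means "allow anything not blacklisted") and the package rule (a package entry matches the package itself and its subpackages) are this example's assumptions about how such a filter should behave, not a statement of Hazelcast's implementation, and Hazelcast's hardcoded default list of vulnerable classes is deliberately not reproduced. The sample streams (an `ArrayList` of strings and a `BigInteger`) are constructed inline for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Illustrative class-name filter for Java deserialization (not Hazelcast's implementation). */
public class DeserializationFilterDemo {

    static final class ClassNameFilter implements ObjectInputFilter {
        private final Set<String> blacklistClasses;
        private final Set<String> blacklistPackages;
        private final Set<String> whitelistClasses;
        private final Set<String> whitelistPackages;

        /** Each argument is a comma-separated list, mirroring the property format in the PR. */
        ClassNameFilter(String blClasses, String blPackages, String wlClasses, String wlPackages) {
            this.blacklistClasses = parse(blClasses);
            this.blacklistPackages = parse(blPackages);
            this.whitelistClasses = parse(wlClasses);
            this.whitelistPackages = parse(wlPackages);
        }

        static Set<String> parse(String csv) {
            Set<String> out = new LinkedHashSet<>();
            for (String s : csv.split(",")) {
                if (!s.trim().isEmpty()) out.add(s.trim());
            }
            return out;
        }

        @Override
        public Status checkInput(FilterInfo info) {
            Class<?> c = info.serialClass();
            // The JDK also invokes the filter for depth/reference limits with no class; defer those.
            if (c == null) return Status.UNDECIDED;
            // Arrays are judged by their innermost component type; primitives are always safe.
            while (c.isArray()) c = c.getComponentType();
            if (c.isPrimitive()) return Status.ALLOWED;

            String name = c.getName();
            String pkg = c.getPackageName();
            // Assumption: blacklist wins over whitelist.
            if (blacklistClasses.contains(name) || inPackages(pkg, blacklistPackages)) {
                return Status.REJECTED;
            }
            // Assumption: an empty whitelist imposes no further restriction.
            if (whitelistClasses.isEmpty() && whitelistPackages.isEmpty()) return Status.UNDECIDED;
            if (whitelistClasses.contains(name) || inPackages(pkg, whitelistPackages)) {
                return Status.ALLOWED;
            }
            return Status.REJECTED;
        }

        /** Assumption: a package entry matches that package and all of its subpackages. */
        private static boolean inPackages(String pkg, Set<String> packages) {
            for (String p : packages) {
                if (pkg.equals(p) || pkg.startsWith(p + ".")) return true;
            }
            return false;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter); // rejections surface as InvalidClassException
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Whitelist-only policy: allow java.lang and java.util, reject everything else.
        ObjectInputFilter filter = new ClassNameFilter("", "", "", "java.lang,java.util");

        byte[] allowed = serialize(new ArrayList<>(Arrays.asList("a", "b"))); // constructed input
        System.out.println("allowed: " + deserialize(allowed, filter));

        byte[] blocked = serialize(new BigInteger("42")); // java.math is not whitelisted
        try {
            deserialize(blocked, filter);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second stream is rejected at the class descriptor, before any field data of `BigInteger` is read, which is the property a deserialization filter has to provide: the decision is made on the class name alone, never by instantiating the class. In Hazelcast the same lists are supplied through the group properties in the table rather than through this JDK hook, and with the feature's default of `hazelcast.serialization.filter.enabled=false` no filtering happens at all, so enabling it and choosing a whitelist is the operator's job.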

@kwart kwart added this to the 3.10.1 milestone May 14, 2018
@kwart kwart self-assigned this May 14, 2018
@kwart kwart requested review from tkountis and Donnerbart May 14, 2018 14:25
@kwart kwart merged commit ef4bea0 into hazelcast:maintenance-3.x May 15, 2018
@kwart kwart deleted the deser-filtering-3.x branch October 25, 2018 15:56
@mmedenjak mmedenjak added the Source: Internal PR or issue was opened by an employee label Apr 13, 2020