pippo-java · decebals · Oct 26, 2018 · Oct 25, 2018 · Oct 25, 2018 · Oct 25, 2018
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,9 +5,10 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 ### [Unreleased][unreleased]
 
 #### Fixed
+- [#458]: Java deserialization vulnerability in SerializationSessionDataTranscoder.decode()
 
 #### Changed
-- [#466]: Updated `FastJson` to latest version 1.2.51
+- [#466]: Updated `FastJson` tp latest version 1.2.51
 
 #### Added
 

diff --git a/pippo-session-parent/pippo-session/src/main/java/ro/pippo/session/ClassFilter.java b/pippo-session-parent/pippo-session/src/main/java/ro/pippo/session/ClassFilter.java
@@ -0,0 +1,24 @@
+package ro.pippo.session;
+
+import java.util.ArrayList;
+
+/**
+ * @author idealzh
+ */
+public class ClassFilter {
+    private ArrayList<String> WhiteList= null;
+    public ClassFilter() {
+        WhiteList=new ArrayList<String>();
+        WhiteList.add("ro.pippo.session.DefaultSessionData");
+        WhiteList.add("java.util.HashMap");
+        WhiteList.add("ro.pippo.core.Flash");
+        WhiteList.add("java.util.ArrayList");
+    }
+
+    public boolean isWhiteListed(String className) {
+        if (className==null) return false;
+        for(String name:WhiteList) {
+            if(name.equals(className)) return true;
+        } return false;
+    }
+}
diff --git a/...ssion-parent/pippo-session/src/main/java/ro/pippo/session/FilteringObjectInputStream.java b/...ssion-parent/pippo-session/src/main/java/ro/pippo/session/FilteringObjectInputStream.java
@@ -0,0 +1,25 @@
+package ro.pippo.session;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+
+/**
+ * @author idealzh
+ */
+public class FilteringObjectInputStream extends ObjectInputStream {
+    public FilteringObjectInputStream(InputStream in) throws IOException {
+        super(in);
+    }
+
+    protected Class<?> resolveClass(java.io.ObjectStreamClass descriptor) throws ClassNotFoundException, IOException {
+        String className = descriptor.getName();
+        ClassFilter classFilter = new ClassFilter();
+        if(className != null && className.length() > 0 && !classFilter.isWhiteListed(className)) {
+            throw new InvalidClassException("Unauthorized deserialization attempt", descriptor.getName());
+        } else {
+            return super.resolveClass(descriptor);
+        }
+    }
+}
diff --git a/...rent/pippo-session/src/main/java/ro/pippo/session/SerializationSessionDataTranscoder.java b/...rent/pippo-session/src/main/java/ro/pippo/session/SerializationSessionDataTranscoder.java
@@ -48,7 +48,7 @@ public String encode(SessionData sessionData) {
     public SessionData decode(String data) {
         byte[] bytes = Base64.getDecoder().decode(data);
         try (ByteArrayInputStream inputStream = new ByteArrayInputStream(bytes);
-                ObjectInputStream objectInputStream = new ObjectInputStream(inputStream)) {
+             FilteringObjectInputStream objectInputStream = new FilteringObjectInputStream(inputStream)) {
             return (SessionData) objectInputStream.readObject();
         } catch (IOException | ClassNotFoundException e) {
             throw new PippoRuntimeException(e, "Cannot deserialize session. A new one will be created.");