Deprecate SerializationUtils#deserialize
Since SerializationUtils#deserialize is based on Java's serialization
mechanism, it can be the source of Remote Code Execution (RCE)
vulnerabilities.

Closes gh-28075
ledoyen authored and sbrannen committed Mar 29, 2022
1 parent e681e71 commit 7f7fb58
Showing 3 changed files with 23 additions and 1 deletion.
Expand Up @@ -150,7 +150,7 @@ private static CacheOperationInvoker.ThrowableWrapper rewriteCallStack(
@Nullable
private static <T extends Throwable> T cloneException(T exception) {
try {
return (T) SerializationUtils.deserialize(SerializationUtils.serialize(exception));

@hackchend Mar 30, 2022 (inline comment marked as off-topic)

return SerializationUtils.clone(exception);

@tengyer Mar 30, 2022 (inline comment marked as off-topic):

SerializationUtils.deserialize(SerializationUtils.serialize(exception)) changed to SerializationUtils.clone(exception),
but clone(exception) equals deserialize(SerializationUtils.serialize(exception)).
So, what has changed?

@tengyer Mar 30, 2022 (inline comment marked as off-topic):

Oh, it's marked @Deprecated on SerializationUtils#deserialize.
Will the method SerializationUtils#clone be overridden in the future?

}
catch (Exception ex) {
return null; // exception parameter cannot be cloned
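Review bot: The replacement `return SerializationUtils.clone(exception);` keeps the behaviour identical, because `clone` as introduced in this commit is itself implemented as `deserialize(serialize(object))`; the only effect here is that the call site no longer references the deprecated method. A one-line comment stating that the bytes are produced locally from the caught exception and never arrive from an external caller would stop the next reader from mistaking this for deserialization of untrusted input. The `catch (Exception ex) { return null; }` below also silently absorbs a `NotSerializableException` from a custom exception carrying a non-serializable field; the trailing comment could say so explicitly.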
Expand Up @@ -21,6 +21,7 @@
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

import org.springframework.lang.Nullable;

Expand Down Expand Up @@ -57,8 +58,13 @@ public static byte[] serialize(@Nullable Object object) {
* Deserialize the byte array into an object.
* @param bytes a serialized object
* @return the result of deserializing the bytes
* @deprecated This utility uses Java's reflection, which allows arbitrary code to be
* run and is known for being the source of many Remote Code Execution vulnerabilities.
* <p>Prefer the use of an external tool (that serializes to JSON, XML or any other format)
* which is regularly checked and updated for not allowing RCE.
*/
@Nullable
@Deprecated
public static Object deserialize(@Nullable byte[] bytes) {
if (bytes == null) {
return null;
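Review bot: The `@deprecated` text attributes the risk to "Java's reflection", but the commit message and the rest of the hunk frame it correctly as Java serialization: `ObjectInputStream` instantiates whatever serializable classes the byte stream names and runs their `readObject`/`readResolve` methods, which is what makes untrusted input dangerous. Suggest: `* @deprecated This utility uses Java's serialization mechanism, which instantiates arbitrary classes named in the input and is a well-known source of Remote Code Execution vulnerabilities when applied to untrusted data.` It would also help to point callers who cannot migrate at `java.io.ObjectInputFilter`, the JDK's own mitigation, and to give `@Deprecated` a `since` value matching the `@since 6.0.0` used on the new `clone` method.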
Expand All @@ -74,4 +80,15 @@ public static Object deserialize(@Nullable byte[] bytes) {
}
}

/**
* Clone the given object using Java's serialization.
* @param object the object to clone
* @param <T> the type of the object to clone
* @return a clone (deep-copy) of the given object
* @since 6.0.0
*/
@SuppressWarnings("unchecked")
public static <T extends Serializable> T clone(T object) {
return (T) SerializationUtils.deserialize(SerializationUtils.serialize(object));
}
}
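Review bot: `clone(T object)` has neither `@Nullable` on its parameter nor a null check, yet `serialize` accepts `@Nullable Object` and `deserialize` returns `null` for `null` input (the `if (bytes == null) { return null; }` branch above), so `clone(null)` silently returns `null` behind a non-null-looking signature. Either declare the parameter and return type `@Nullable` or fail fast on `null`, and cover the chosen behaviour in the tests. The Javadoc should also repeat the caution from `deserialize`: cloning is a full serialization round-trip, so it inherits the same constraints (the whole object graph must be `Serializable`, and `transient` fields are absent from the copy).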
Expand Up @@ -67,4 +67,9 @@ void deserializeNull() throws Exception {
assertThat(SerializationUtils.deserialize(null)).isNull();
}

@Test
void cloneException() {
IllegalArgumentException ex = new IllegalArgumentException("foo");
assertThat(SerializationUtils.clone(ex)).hasMessage("foo").isNotSameAs(ex);
}
}
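Review bot: `cloneException()` only checks the message and object identity; add an assertion that the copy is deep (for example, a `cause` set on `ex` is present on the clone but `isNotSameAs` the original cause), and a test pinning down the intended result of `clone(null)`, which as written returns `null` through `deserialize(null)`. Naming it `cloneNull()` in line with `deserializeNull()` above keeps the test names consistent.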

@bugj (inline comment marked as off-topic)

8 comments on commit 7f7fb58

@sbrannen (Member) commented on 7f7fb58 Mar 29, 2022

> Are there specific detection and defense rules?

In general we recommend that Java Serialization never be used with untrusted sources.

In addition, SerializationUtils now contains a warning which provides a link to guidance provided by the Java team.

* <p><strong>WARNING</strong>: These utilities should be used with caution. See
* <a href="https://www.oracle.com/java/technologies/javase/seccodeguide.html#8"
* target="_blank">Secure Coding Guidelines for the Java Programming Language</a>
* for details.
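The guidance above (never deserialize from untrusted sources; the Secure Coding Guidelines) has a concrete JDK-side counterpart that the thread does not show: a deserialization filter. The following is an added example, not Spring Framework code and not part of this commit. It assumes Java 9 or later for `java.io.ObjectInputFilter`, and the class name `FilteredDeserializationExample`, the sample type `Greeting` and the allowlist pattern are constructed for the example. It installs an explicit class allowlist plus stream-shape limits on the `ObjectInputStream` before any object is read, so a class that is not on the list is rejected before it is instantiated:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;

/**
 * Added example, not Spring Framework code: Java deserialization guarded by an
 * explicit class allowlist using java.io.ObjectInputFilter (Java 9+).
 */
public final class FilteredDeserializationExample {

    /** Constructed sample payload type; any Serializable class would do. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /**
     * Allowlist pattern (an assumption made for this example): only Greeting and
     * String may be deserialized; the trailing "!*" rejects every other class.
     * The maxdepth/maxarray/maxrefs/maxbytes limits bound resource use from
     * hostile input regardless of which classes are allowed.
     */
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1024;maxrefs=256;maxbytes=65536;"
            + Greeting.class.getName() + ";"
            + "java.lang.String;!*");

    /** Plain serialization to a byte array (the sender side). */
    static byte[] serialize(Serializable object) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(object);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the allowlist installed before the first readObject call. */
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // Must be set before readObject(); the filter is consulted for every
            // class descriptor and array encountered in the stream.
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // An allowed type round-trips normally.
        Greeting ok = (Greeting) deserializeFiltered(serialize(new Greeting("hello")));
        System.out.println("allowed: " + ok.text);

        // A class outside the allowlist (java.util.Date here, chosen only because it
        // is Serializable and not listed) is rejected before it is instantiated.
        try {
            deserializeFiltered(serialize(new Date()));
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is an allowlist rather than a denylist on purpose: new gadget classes appear on classpaths over time, so listing what may be read is the only shape that stays correct. The rejection surfaces as `InvalidClassException` with a "filter status: REJECTED" message, which is also a useful signal to log and alert on, since legitimate traffic should never trigger it.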

@TuAgT: comment marked as off-topic.

@cloudwafs: comment marked as off-topic.

@noahzark: comment marked as off-topic.

@robot183: comment marked as off-topic.

@caonima-png: comment marked as off-topic.

@Kontinuation commented:

This commit does not resolve any already existing vulnerabilities and has nothing to do with spring core RCE. Just stop spamming this commit.

@sbrannen (Member) commented:

> This commit does not resolve any already existing vulnerabilities and has nothing to do with spring core RCE. Just stop spamming this commit.

What @Kontinuation said is correct.

The purpose of this commit is to inform anyone who had previously been using SerializationUtils#deserialize that it is dangerous to deserialize objects from untrusted sources.

The core Spring Framework does not use SerializationUtils to deserialize objects from untrusted sources.

If you believe you have discovered a security issue, please report it responsibly with the dedicated page: https://spring.io/security-policy

And please refrain from posting any additional comments to this commit.

Thank you
