Added an example with deserialization filter to UnsafeDeserializationRmi.qhelp

java/ql/src/experimental/Security/CWE/CWE-502/RmiRemoteObjectWithFilter.java

@@ -0,0 +1,9 @@
+public void bindRemoteObject(Registry registry, int port) throws Exception {
+    ObjectInputFilter filter = info -> {
+        if (info.serialClass().getCanonicalName().startsWith("com.safe.package.")) {
+            return ObjectInputFilter.Status.ALLOWED;
+        }
+        return ObjectInputFilter.Status.REJECTED;
+    };
+    registry.bind("safer", UnicastRemoteObject.exportObject(new RemoteObjectImpl(), port, filter));
+}

java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java

@@ -1,6 +1,5 @@
 public class Server {
-    public static void main(String... args) throws Exception {
+    public void bindRemoteObject(Registry registry) throws Exception {
-        Registry registry = LocateRegistry.createRegistry(1099);
         registry.bind("safe", new RemoteObjectImpl());
     }
 }

java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeRemoteObject.java

@@ -1,6 +1,5 @@
 public class Server {
-    public static void main(String... args) throws Exception {
+    public void bindRemoteObject(Registry registry) throws Exception {
-        Registry registry = LocateRegistry.createRegistry(1099);
         registry.bind("unsafe", new RemoteObjectImpl());
     }
 }

java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp

@@ -15,14 +15,21 @@ In the worst case, it results in remote code execution.
 <p>
 Use only strings and primitive types in parameters of remote objects.
 </p>
+</p>
+Set a filter for incoming serialized data by wrapping remote objects using either <code>UnicastRemoteObject.exportObject(Remote, int, ObjectInputFilter)</code>
+or <code>UnicastRemoteObject.exportObject(Remote, int, RMIClientSocketFactory, RMIServerSocketFactory, ObjectInputFilter)</code> methods.
+Those methods accept an <code>ObjectInputFilter</code> that decides which classes are allowed for deserialization.
+The filter should allow deserializing only safe classes.
+</p>
 <p>
-Java RMI does not offer API for specifying classes which are only allowed for deserialization.
+It is also possible to set a process-wide deserialization filter.
-However, it is possible to set a process-wide deserialization filter that was introduced in JEP 290.
+The filter can be set by with <code>ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter)</code> method,
-The filter can be set via system or security property <code>jdk.serialFilter</code>.
+or by setting system or security property <code>jdk.serialFilter</code>.
 Make sure that you use the latest Java versions that include JEP 290.
 </p>
 <p>
-Consider using other implementations of remote procedure calls. For example, HTTP API with JSON.
+If switching to the latest Java versions is not possible,
+consider using other implementations of remote procedure calls. For example, HTTP API with JSON.
 Make sure that the underlying deserialization mechanism is properly configured
 so that deserialization attacks are not possible.
 </p>
@@ -30,17 +37,22 @@ so that deserialization attacks are not possible.
 
 <example>
 <p>
-The following code registers a vulnerable remote object 
+The following code registers a remote object
-which has a method that accepts a complex object:
+with a vulnerable method that accepts a complex object:
 </p>
 <sample src="RmiUnsafeRemoteObject.java" />
 
 <p>
 The next example registers a safe remote object
-which has methods that use only primitive types and strings:
+whose methods use only primitive types and strings:
 </p>
 <sample src="RmiSafeRemoteObject.java" />
 
+<p>
+The next example shows how to set a deserilization filter for a remote object:
+</p>
+<sample src="RmiRemoteObjectWithFilter.java" />
+
 </example>
 
 <references>