Deserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable -and in many cases allows an attacker to execute arbitrary code. Even before a +and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, -and finalizers. Automatic deserialization of fields means that an attacker may +and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.
-There are many different serialization frameworks. This query currently
+There are many different serialization frameworks. This query currently
supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap,
Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through
-Avoid deserialization of untrusted data if at all possible. If the
+Avoid deserialization of untrusted data if at all possible. If the
architecture permits it then use other formats instead of serialized objects,
-for example JSON or XML. However, these formats should not be deserialized
+for example JSON or XML. However, these formats should not be deserialized
into complex objects because this provides further opportunities for attack.
For example, XML-based deserialization attacks
are possible through libraries such as XStream and XmlDecoder.
@@ -43,7 +43,7 @@ Recommendations specific to particular frameworks supported by this query:
FasterXML - FasterXML - ObjectInputStream - ObjectInputStream - SnakeYAML - XML Decoder - ObjectInputStream/ObjectOutputStream.
@@ -22,9 +22,9 @@ Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization thro
com.alibaba.fastjson.parser.ParserConfig#setSafeMode with the argument true before deserializing untrusted data.com.fasterxml.jackson.core:jackson-databindcom.fasterxml.jackson.core:jackson-databind
-com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping and don't annotate any object fields with com.fasterxml.jackson.annotation.JsonTypeInfo passing either the CLASS or MINIMAL_CLASS values to the annotation.
@@ -56,16 +56,16 @@ Recommendations specific to particular frameworks supported by this query:
com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired with the argument false on any Kryo instance that may deserialize untrusted data.Java Standard LibraryJava Standard Library
org.apache.commons.io.serialization.ValidatingObjectInputStream.org.apache.commons.io.serialization.ValidatingObjectInputStream.org.yaml:snakeyaml
org.yaml.snakeyaml.constructor.SafeConstructor to org.yaml.snakeyaml.Yaml's constructor before using it to deserialize untrusted data.org.yaml.snakeyaml.constructor.SafeConstructor to org.yaml.snakeyaml.Yaml's constructor before using it to deserialize untrusted data.Standard Java Library