Deserializing untrusted data can cause Java to create an object of an arbitrary attacker-specified class, provided that the class is available on the classpath specified for the JVM. Some classes have triggers that execute additional code when they are created in this manner. If such classes are poorly designed, such code could even call Runtime.exec() with an attacker-supplied argument. Therefore, untrusted input to be deserialized should be validated to ensure that the serialized data contains only classes from a whitelist of expected classes. This can be done by overriding the resolveClass() method of the ObjectInputStream class.
Non-Compliant Solution
```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;

class DeserializeExample {
  // Noncompliant: readObject() will instantiate whatever class the byte stream
  // names, because resolveClass() is never overridden to restrict the class set.
  public static Object deserialize(byte[] buffer)
      throws IOException, ClassNotFoundException {
    Object ret = null;
    try (ByteArrayInputStream bais = new ByteArrayInputStream(buffer)) {
      try (ObjectInputStream ois = new ObjectInputStream(bais)) {
        ret = ois.readObject();
      }
    }
    return ret;
  }
}
```
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
| High | Likely | High | P9 | L2 |
Automated Detection
No known tools for automated detection exist yet. However, it should not be hard to write a static analysis that checks for deserialization code which fails to override resolveClass() to compare the incoming class against a whitelist.
...