...
This noncompliant code example deserializes a byte array without first validating which classes the stream will instantiate and without a SecurityManager in place. Because the caller of readObject() has no say in what the stream contains, an attacker who controls buffer can have any serializable class on the classpath instantiated, and that class's readObject() or readResolve() logic runs before the caller ever sees the result.
```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;

class DeserializeExample {
  // Every class descriptor in buffer is resolved and instantiated as-is
  public static Object deserialize(byte[] buffer)
      throws IOException, ClassNotFoundException {
    Object ret = null;
    try (ByteArrayInputStream bais = new ByteArrayInputStream(buffer)) {
      try (ObjectInputStream ois = new ObjectInputStream(bais)) {
        ret = ois.readObject();
      }
    }
    return ret;
  }
}
```
Compliant Solution
This compliant solution applies the look-ahead technique described at http://www.ibm.com/developerworks/library/se-lookahead/ : it overrides resolveClass() so that each class descriptor read from the stream is checked against a whitelist before the class is loaded, and rejects anything that is not on the list.
```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;

class LookAheadObjectInputStream extends ObjectInputStream {
  public LookAheadObjectInputStream(InputStream inputStream) throws IOException {
    super(inputStream);
  }

  // Called for every non-proxy class descriptor in the stream, before the
  // class is loaded or any instance of it is created
  @Override
  protected Class<?> resolveClass(ObjectStreamClass desc)
      throws IOException, ClassNotFoundException {
    switch (desc.getName()) {  // compare fully qualified binary names in real code
      case "GoodClass1":
        break;
      case "GoodClass2":
        break;
      default:
        // InvalidClassException(String cname, String reason)
        throw new InvalidClassException(desc.getName(), "Unexpected serialized class");
    }
    return super.resolveClass(desc);
  }
}

class DeserializeExample {
  private static Object deserialize(byte[] buffer)
      throws IOException, ClassNotFoundException {
    Object ret = null;
    try (ByteArrayInputStream bais = new ByteArrayInputStream(buffer)) {
      try (LookAheadObjectInputStream ois = new LookAheadObjectInputStream(bais)) {
        ret = ois.readObject();
      }
    }
    return ret;
  }
}
```

The whitelist must name every class the stream may legitimately contain: not only the top-level object but the classes of all fields reachable from it, and any array types, because an array descriptor such as [LGoodClass1; is also passed to resolveClass(). resolveClass() is not consulted for dynamic proxy descriptors; those go through resolveProxyClass(), which should be overridden to reject proxies as well. Java 9 and later provide java.io.ObjectInputFilter and ObjectInputStream.setObjectInputFilter() (or the jdk.serialFilter system property), which apply the same class-name check plus depth and size limits without subclassing ObjectInputStream.
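The following demo, added here as an illustration and not code from the original page or from the IBM article, runs the look-ahead check end to end and shows the property that matters: the rejection fires while the class descriptor is being resolved, so the readObject() of the rejected class never executes. The class names LookAheadDemo, GoodClass1 (with a single int field) and UntrustedClass, the static readObjectRan flag, and the allowlist strings are constructed for this demo. The second deserializer expresses the same allowlist with the JDK's built-in ObjectInputFilter, so it needs Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;

// Constructed demo, not the original page's code; requires Java 9+ for ObjectInputFilter.
public class LookAheadDemo {

  // The one class the application expects to find in the stream.
  static final class GoodClass1 implements Serializable {
    private static final long serialVersionUID = 1L;
    final int id;
    GoodClass1(int id) { this.id = id; }
  }

  // Stands in for any serializable class on the classpath whose readObject has side effects.
  static final class UntrustedClass implements Serializable {
    private static final long serialVersionUID = 1L;
    static boolean readObjectRan = false;

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
      in.defaultReadObject();
      readObjectRan = true; // in a real gadget class this is where the damage happens
    }
  }

  static final class LookAheadObjectInputStream extends ObjectInputStream {
    LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
        throws IOException, ClassNotFoundException {
      // The binary name of a nested class uses '$'
      if ("LookAheadDemo$GoodClass1".equals(desc.getName())) {
        return super.resolveClass(desc);
      }
      throw new InvalidClassException(desc.getName(), "Unexpected serialized class");
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces)
        throws IOException, ClassNotFoundException {
      // Proxy descriptors bypass resolveClass, so reject them explicitly here
      throw new InvalidClassException(String.join(",", interfaces), "Dynamic proxies not permitted");
    }
  }

  static byte[] serialize(Object o) throws IOException {
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
      oos.writeObject(o);
    }
    return baos.toByteArray();
  }

  static Object deserializeLookAhead(byte[] buffer) throws IOException, ClassNotFoundException {
    try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(buffer))) {
      return ois.readObject();
    }
  }

  // Same allowlist with the JDK filter: allow GoodClass1, reject every other class ("!*")
  static Object deserializeFiltered(byte[] buffer) throws IOException, ClassNotFoundException {
    ObjectInputFilter filter = ObjectInputFilter.Config.createFilter("LookAheadDemo$GoodClass1;!*");
    try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(buffer))) {
      ois.setObjectInputFilter(filter); // must be set before the first readObject()
      return ois.readObject();
    }
  }

  public static void main(String[] args) throws Exception {
    byte[] good = serialize(new GoodClass1(42));
    byte[] bad = serialize(new UntrustedClass()); // what an attacker would send

    GoodClass1 g = (GoodClass1) deserializeLookAhead(good);
    System.out.println("allowed class restored, id=" + g.id);

    try {
      deserializeLookAhead(bad);
    } catch (InvalidClassException e) {
      System.out.println("look-ahead rejected: " + e.getMessage());
    }
    try {
      deserializeFiltered(bad);
    } catch (InvalidClassException e) {
      System.out.println("filter rejected: " + e.getMessage());
    }
    // Both checks fire while resolving the class descriptor, before any instance exists
    System.out.println("readObject of rejected class ran: " + UntrustedClass.readObjectRan);
  }
}
```

Run it with java LookAheadDemo.java (Java 11 or later supports single-file launch). The last line prints false for both mechanisms; if the check were instead performed on the returned object after readObject(), the flag would already be true and the check would be too late.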
Risk Assessment
Whether a violation of this rule is exploitable depends on which classes are on the JVM's classpath at run time. (Note that this is a property of the execution environment, not of the code being audited, so a call site that is safe today can become exploitable when a library with a usable gadget class is added.) In the worst case, it can lead to remote execution of arbitrary code.
...