...
```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;

class LookAheadObjectInputStream extends ObjectInputStream {

  public LookAheadObjectInputStream(InputStream inputStream) throws IOException {
    super(inputStream);
  }

  /**
   * Only deserialize instances of the expected classes. resolveClass() is
   * invoked for each class descriptor in the stream before the class is loaded
   * or instantiated, so an unexpected class is rejected before any of its
   * deserialization hooks (readObject, readResolve, ...) can run.
   */
  @Override
  protected Class<?> resolveClass(ObjectStreamClass desc)
      throws IOException, ClassNotFoundException {
    switch (desc.getName()) {
      case "GoodClass1":
      case "GoodClass2":
        break;
      default:
        throw new InvalidClassException("Unexpected serialized class", desc.getName());
    }
    return super.resolveClass(desc);
  }
}

class DeserializeExample {
  private static Object deserialize(byte[] buffer)
      throws IOException, ClassNotFoundException {
    Object ret = null;
    try (ByteArrayInputStream bais = new ByteArrayInputStream(buffer)) {
      try (LookAheadObjectInputStream ois = new LookAheadObjectInputStream(bais)) {
        ret = ois.readObject();
      }
    }
    return ret;
  }
}
```
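The following self-contained program is an added example and not part of the original rule text or the CERT code above. It exercises the look-ahead technique end to end: a whitelisted class round-trips, while a serializable class that is not on the list is rejected before its `readObject()` hook executes. The class names `GoodClass1` and `NotOnTheList`, the `readObjectRan` flag (standing in for a gadget's side effect), and the helper methods `serialize`/`deserialize` are all constructed for this example; it assumes Java 9 or later for `Set.of`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class LookAheadDemo {

  // Serializable type the application expects to receive (constructed for this example).
  static final class GoodClass1 implements Serializable {
    private static final long serialVersionUID = 1L;
    final int value;
    GoodClass1(int value) { this.value = value; }
  }

  // Serializable type that must never be accepted from untrusted input.
  // Its readObject() stands in for a gadget's side effect: it records whether it ran.
  static final class NotOnTheList implements Serializable {
    private static final long serialVersionUID = 1L;
    static boolean readObjectRan = false;
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
      in.defaultReadObject();
      readObjectRan = true;
    }
  }

  static final class LookAheadObjectInputStream extends ObjectInputStream {
    // Whitelist by fully qualified name. It must name every class in the object graph,
    // including field types, because each descriptor in the stream passes through resolveClass().
    private static final Set<String> ALLOWED = Set.of(GoodClass1.class.getName());

    LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
        throws IOException, ClassNotFoundException {
      if (!ALLOWED.contains(desc.getName())) {
        // Thrown before the class is loaded or instantiated, so none of its hooks run.
        throw new InvalidClassException(desc.getName(), "not on the deserialization whitelist");
      }
      return super.resolveClass(desc);
    }
  }

  // Helper used only to build sample input for the demonstration.
  static byte[] serialize(Object o) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
      oos.writeObject(o);
    }
    return bos.toByteArray();
  }

  static Object deserialize(byte[] buffer) throws IOException, ClassNotFoundException {
    try (LookAheadObjectInputStream ois =
             new LookAheadObjectInputStream(new ByteArrayInputStream(buffer))) {
      return ois.readObject();
    }
  }

  public static void main(String[] args) throws Exception {
    // Whitelisted class round-trips normally.
    GoodClass1 good = (GoodClass1) deserialize(serialize(new GoodClass1(42)));
    System.out.println("accepted: " + good.value);

    // Non-whitelisted class is rejected before its readObject() can execute.
    try {
      deserialize(serialize(new NotOnTheList()));
      System.out.println("BUG: rejected class was deserialized");
    } catch (InvalidClassException e) {
      System.out.println("rejected: " + e.getMessage()
          + "; readObject ran = " + NotOnTheList.readObjectRan);
    }
  }
}
```

Two practical points the example makes visible. First, the whitelist has to cover the whole object graph: if `GoodClass1` held a `java.util.Date` field, that descriptor would also reach `resolveClass()` and be rejected, so real whitelists are built from the expected types and their (transitive) serializable field types, not from the root class alone. Second, `InvalidClassException(String cname, String reason)` takes the class name first; the example passes the arguments in that order so the message reads "class; reason". On Java 9 and later the same effect can be had without subclassing by installing a `java.io.ObjectInputFilter` on the stream (`ObjectInputStream.setObjectInputFilter`), which additionally lets you bound array sizes and graph depth.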
Exceptions
SER12-J-EX1. Trusted serialized data does not need to be validated, provided that the code has clear documentation that it relies on the serialized data being trusted. For example, if a library is being audited, a routine of that library may have a documented precondition that its callers pre-validate any passed-in serialized data.
Risk Assessment
Whether a violation of this rule is exploitable depends on what classes are on the JVM's classpath, because an attacker can only make use of serializable classes that are already loadable by the application. (Note that this is a property of the execution environment, not of the code being audited.) In the worst case, it could lead to remote execution of arbitrary code.
...