Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None

      Description

      Noncompliant Code Example

      import java.io.IOException;
      import java.io.ObjectInputStream;
      import javax.servlet.ServletInputStream;
      import javax.servlet.http.HttpServletRequest;

      public class RequestProcessor {
        protected void processRequest(HttpServletRequest request) throws IOException, ClassNotFoundException {
          ServletInputStream sis = request.getInputStream();
          // Deserializes whatever the client sent; nothing restricts which classes the stream may instantiate
          ObjectInputStream ois = new ObjectInputStream(sis);
          Object obj = ois.readObject(); // Noncompliant
        }
      }
      

      Compliant Solution

      // SecureObjectInputStream.java
      import java.io.IOException;
      import java.io.InputStream;
      import java.io.InvalidClassException;
      import java.io.ObjectInputStream;
      import java.io.ObjectStreamClass;

      public class SecureObjectInputStream extends ObjectInputStream {
        public SecureObjectInputStream(InputStream in) throws IOException {
          super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException {
          // Only deserialize instances of AllowedClass (a placeholder for the type the application expects).
          // Any other class name found in the stream is rejected before the class is loaded or instantiated.
          if (!osc.getName().equals(AllowedClass.class.getName())) {
            throw new InvalidClassException("Unauthorized deserialization", osc.getName());
          }
          return super.resolveClass(osc);
        }
      }
      
      // RequestProcessor.java
      import java.io.IOException;
      import javax.servlet.ServletInputStream;
      import javax.servlet.http.HttpServletRequest;

      public class RequestProcessor {
        protected void processRequest(HttpServletRequest request) throws IOException, ClassNotFoundException {
          ServletInputStream sis = request.getInputStream();
          SecureObjectInputStream sois = new SecureObjectInputStream(sis);
          Object obj = sois.readObject();
        }
      }
      

            People

            • Assignee:
              Unassigned
            • Reporter:
              lars.svensson (Lars Svensson, Inactive)