Posted to dev@sling.apache.org by Bertrand Delacretaz <bd...@apache.org> on 2015/11/10 15:09:12 UTC

SafeObjectInputStream prototype

Hi,

I have created a prototype at SLING-5288 to guard against recently
reported Java deserialization risks.

Feedback is welcome, and if someone feels like enhancing that with an
ObjectInputStream wrapper that would be useful.

-Bertrand

Re: SafeObjectInputStream prototype

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Mon, Nov 16, 2015 at 4:18 PM, Jason Bailey <Ja...@sas.com> wrote:
> We've been looking at a javaagent and/or a WeavingHook to do the same thing....

I've been looking a bit more at https://github.com/kantega/notsoserial
and it looks quite good, and its author Erik is open to contributions
as far as I can see from the github project.

We'll probably need both an agent and a WeavingHook for different use
cases, along with https://issues.apache.org/jira/browse/IO-487 for
code that we can modify. Contributions are welcome of course!

-Bertrand

RE: SafeObjectInputStream prototype

Posted by Jason Bailey <Ja...@sas.com>.
We've been looking at a javaagent and/or a WeavingHook to do the same thing. Prefer the WeavingHook since we could configure it as a service, but half our environments are on an older platform that doesn't have that ability yet.

-----Original Message-----
From: Bertrand Delacretaz [mailto:bdelacretaz@apache.org] 
Sent: Wednesday, November 11, 2015 2:20 PM
To: Bertrand Delacretaz <bd...@apache.org>
Cc: dev <de...@sling.apache.org>
Subject: Re: SafeObjectInputStream prototype

On Tue, Nov 10, 2015 at 3:09 PM, Bertrand Delacretaz <bd...@apache.org> wrote:
> ...I have created a prototype at SLING-5288 to guard against recently 
> reported Java deserialization risks...

In the meantime I also tested https://github.com/kantega/notsoserial
which is very interesting as that's a Java agent that can protect existing unmodified code. Requires bootdelegating org.kantega.* to use in an OSGi environment.

-Bertrand

Re: SafeObjectInputStream prototype

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Nov 10, 2015 at 3:09 PM, Bertrand Delacretaz
<bd...@apache.org> wrote:
> ...I have created a prototype at SLING-5288 to guard against recently
> reported Java deserialization risks...

In the meantime I also tested https://github.com/kantega/notsoserial
which is very interesting as that's a Java agent that can protect
existing unmodified code. Requires bootdelegating org.kantega.* to use
in an OSGi environment.

-Bertrand

Re: SafeObjectInputStream prototype

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Nov 10, 2015 at 4:57 PM, Bertrand Delacretaz
<bd...@apache.org> wrote:
> ...maybe we can provide the current mode with whitelist of fixed class
> names, with the option of a set of white + blacklists based on regexp
> class name patterns...

I have now implemented this using a ClassAcceptor interface as
suggested by Alex Klimetschek in SLING-5288.

-Bertrand

Re: SafeObjectInputStream prototype

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Nov 10, 2015 at 4:06 PM, Antonio Sanso <as...@adobe.com> wrote:
> ...I was wondering if we can have a combination of white/black list approach though...

SerialKiller [1] which was also recently created uses regular
expression patterns with both black and white lists (and gets them
from an XML config which I don't like).

That might be a bit slow for the common cases where you know exactly
which class you want, at least in Sling I think most or all use cases
are like that.

So maybe we can provide the current mode with whitelist of fixed class
names, with the option of a set of white + blacklists based on regexp
class name patterns.

-Bertrand

[1] https://github.com/ikkisoft/SerialKiller/blob/master/src/org/nibblesec/tools/SerialKiller.java
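The two modes Bertrand proposes above (a whitelist of fixed class names, with an optional regex-based white + blacklist) can both sit behind a single acceptor interface consulted from ObjectInputStream.resolveClass, which runs before the class is loaded. The following is an added illustration, not the SLING-5288 code; the ClassAcceptor interface shape and the class names are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/** Decides whether a class name may be resolved during deserialization (assumed shape, not the SLING-5288 interface). */
interface ClassAcceptor {
    boolean accept(String className);
}

/** Mode 1: only exact class names on the whitelist are accepted; everything else is rejected. */
class FixedNamesAcceptor implements ClassAcceptor {
    private final Set<String> allowed;
    FixedNamesAcceptor(String... names) { allowed = new HashSet<>(Arrays.asList(names)); }
    public boolean accept(String className) { return allowed.contains(className); }
}

/** Mode 2: regex whitelist plus regex blacklist; the blacklist wins, and anything not whitelisted is rejected. */
class PatternAcceptor implements ClassAcceptor {
    private final Pattern white, black;
    PatternAcceptor(String whiteRegex, String blackRegex) {
        white = Pattern.compile(whiteRegex);
        black = Pattern.compile(blackRegex);
    }
    public boolean accept(String className) {
        return !black.matcher(className).matches() && white.matcher(className).matches();
    }
}

/** ObjectInputStream that consults a ClassAcceptor before any class in the stream is loaded. */
class SafeObjectInputStream extends ObjectInputStream {
    private final ClassAcceptor acceptor;
    SafeObjectInputStream(InputStream in, ClassAcceptor acceptor) throws IOException {
        super(in);
        this.acceptor = acceptor;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // Rejecting here prevents the class from being loaded, so none of its readObject logic can run.
        if (!acceptor.accept(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not accepted for deserialization");
        }
        return super.resolveClass(desc);
    }
}
```

Array classes reach resolveClass under their descriptor names (for example `[Ljava.lang.String;`), so a fixed-name whitelist has to list those too. Dynamic proxies are resolved through resolveProxyClass, which this example does not override.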

Re: SafeObjectInputStream prototype

Posted by Antonio Sanso <as...@adobe.com>.
Thanks a lot Bertrand!!
This looks promising.
I have seen you used a white list approach (that is the best way by far).
I was wondering if we can have a combination of white/black list approach though.

regards

antonio

On Nov 10, 2015, at 3:09 PM, Bertrand Delacretaz <bd...@apache.org> wrote:

> Hi,
> 
> I have created a prototype at SLING-5288 to guard against recently
> reported Java deserialization risks.
> 
> Feedback is welcome, and if someone feels like enhancing that with an
> ObjectInputStream wrapper that would be useful.
> 
> -Bertrand