This repository has been archived by the owner on Dec 9, 2024. It is now read-only.

Update Java_Gadget_Injector.java #9

Open
wants to merge 1 commit into master

Conversation


@novysodope novysodope commented Feb 19, 2024

Not using readObject to read messages, to prevent exploitation of deserialization vulnerabilities

@vmwclabot

@novysodope, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding Signed-off-by: John Doe <[email protected]> to the last line of each Git commit message. The e-mail address used to sign must match the e-mail address of the Git author. Click here to view the Developer Certificate of Origin agreement.

@novysodope (Author)

InputStream.read was used in the submitted branch, which may affect functionality. It is recommended to rewrite the resolveClass method to restrict deserialization classes in a whitelist manner:

// Override inside an ObjectInputStream subclass; allowedClassName holds the one
// class the stream is expected to carry
@Override
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
    String className = desc.getName();

    // Check if it is the expected class name
    if (!allowedClassName.equals(className)) {
        throw new SecurityException("Class not allowed: " + className);
    }

    // Only the expected class reaches the default resolution
    return super.resolveClass(desc);
}
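A complete version of the allow-list approach described above, as an added example written for this discussion and not code from the repository: an ObjectInputStream subclass whose resolveClass refuses any class name outside a fixed set, exercised once with an accepted payload and once with a rejected one. The Message type, the AllowListObjectInputStream name and the use of InvalidClassException (instead of SecurityException) are assumptions made for the example.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Set;

public class AllowListDeserialization {
    // Constructed message type for this demo (hypothetical name); stands in for
    // whatever class the injector actually expects to receive.
    public static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    // ObjectInputStream whose resolveClass only admits classes on the allow-list.
    // Unlisted classes are rejected before they are resolved, so their
    // readObject/readResolve hooks never execute.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                // InvalidClassException is the stream's own rejection type
                throw new InvalidClassException(name, "not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Message.class.getName());
        Message m = (Message) new AllowListObjectInputStream(serialize(new Message("hi")), allowed).readObject();
        System.out.println("accepted: " + m.text);
        try { // any other type, even a harmless JDK one, is refused
            new AllowListObjectInputStream(serialize(new ArrayList<>()), allowed).readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 9 and later the same policy can also be declared through ObjectInputFilter (ObjectInputStream.setObjectInputFilter), which additionally bounds graph depth and array sizes.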
