This repository was archived by the owner on Dec 9, 2024. It is now read-only.

Update Java_Gadget_Injector.java#9

Open
novysodope wants to merge 1 commit into omnissa-archive:master from novysodope:master
Conversation

@novysodope novysodope commented Feb 19, 2024


Not using readObject to read messages, preventing exploitation of deserialization vulnerabilities.

@vmwclabot


@novysodope, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding Signed-off-by: John Doe <john.doe@email.org> to the last line of each Git commit message. The e-mail address used to sign must match the e-mail address of the Git author. Click here to view the Developer Certificate of Origin agreement.

@novysodope


InputStream.read was used in the submitted branch, which may affect functionality. It is recommended to rewrite the resolveClass method to restrict deserialization classes in a whitelist manner:

@Override
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
    String className = desc.getName();

    // Check if it is the expected class name (allowedClassName is a field holding
    // the one class this stream is permitted to deserialize)
    if (!allowedClassName.equals(className)) {
        throw new SecurityException("Class not allowed: " + className);
    }

    // Only a class that passed the check is resolved and loaded
    return super.resolveClass(desc);
}
