commons-issues mailing list archives

From "Gilles Sadowski (Jira)" <j...@apache.org>
Subject [jira] [Commented] (RNG-120) Fix security issues in serialization code for Random instances
Date Tue, 01 Oct 2019 15:35:00 GMT

    [ https://issues.apache.org/jira/browse/RNG-120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16942078#comment-16942078 ]

Gilles Sadowski commented on RNG-120:
-------------------------------------

bq. Yes. You can use them if you are sure that the object that will be deserialised is OK.


But how can one be sure?
Don't your fixes imply that one should always perform validation (even though it does not
seem obvious to me that "Commons RNG" is the right place to do so)?

Do I understand this paragraph correctly (from the article which you provided)
{noformat}
The attacker cannot simply send a serialized object of any class, because
the service will be unable to load the class.
{noformat}
that your {{SerializableTestObject}} would fail to be loaded if the data were actually coming
from an untrusted source (i.e. read from the network)?


> Fix security issues in serialization code for Random instances
> --------------------------------------------------------------
>
>                 Key: RNG-120
>                 URL: https://issues.apache.org/jira/browse/RNG-120
>             Project: Commons RNG
>          Issue Type: Improvement
>          Components: core, simple
>    Affects Versions: 1.3
>            Reporter: Alex Herbert
>            Assignee: Alex Herbert
>            Priority: Minor
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> SonarCloud has highlighted security issues in the use of serialization to save and restore
> the state of java.util.Random instances.
> When reading objects using ObjectInputStream.readObject() the class is first identified
> and the private readObject() method of the class type is executed (if it is present). If the
> class is a malicious class then potentially malicious code can be executed.
> h2. JDKRandom
> Uses serialisation to save the {{java.util.Random}} instance to the RandomProviderState.
> The code requires that {{java.util.Random}} is read using ObjectInputStream.readObject().
> To ensure the code only allows {{java.util.Random}} to be read the code can adapt the [ValidatingObjectInputStream|https://commons.apache.org/proper/commons-io/javadocs/api-2.6/org/apache/commons/io/serialization/ValidatingObjectInputStream.html]
> idea from Commons IO to prevent malicious code execution.
> h2. JDKRandomBridge
> This writes and reads a byte[] using the writeObject and readObject methods of ObjectOutput/InputStream.
> To avoid use of readObject() the code can be refactored to write the byte[] using the write(byte[])
> method of ObjectOutputStream and the readFully(byte[]) method of ObjectInputStream.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
