commons-issues mailing list archives

From "Alex Herbert (Jira)" <>
Subject [jira] [Resolved] (RNG-120) Fix security issues in serialization code for Random instances
Date Wed, 02 Oct 2019 16:26:00 GMT


Alex Herbert resolved RNG-120.
    Fix Version/s: 1.3
       Resolution: Implemented

In git master.

> Fix security issues in serialization code for Random instances
> --------------------------------------------------------------
>                 Key: RNG-120
>                 URL:
>             Project: Commons RNG
>          Issue Type: Improvement
>          Components: core, simple
>    Affects Versions: 1.3
>            Reporter: Alex Herbert
>            Assignee: Alex Herbert
>            Priority: Minor
>             Fix For: 1.3
>          Time Spent: 40m
>  Remaining Estimate: 0h
> SonarCloud has highlighted security issues in the use of serialization to save and restore
> the state of java.util.Random instances.
> When reading objects using ObjectInputStream.readObject() the class is first identified
> and the private readObject() method of the class type is executed (if it is present). If the
> class is a malicious class then potentially malicious code can be executed.
> h2. JDKRandom
> Uses serialisation to save the {{java.util.Random}} instance to the RandomProviderState.
> The code requires that {{java.util.Random}} is read using ObjectInputStream.readObject().
> To ensure the code only allows {{java.util.Random}} to be read the code can adapt the [ValidatingObjectInputStream|]
> idea from Commons IO to prevent malicious code execution.
> h2. JDKRandomBridge
> This writes and reads a byte[] using the writeObject and readObject methods of ObjectOutput/InputStream.
> To avoid use of readObject() the code can be refactored to write the byte[] using the write(byte[])
> method of ObjectOutputStream and the readFully(byte[]) method of ObjectInputStream.
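The two mitigations described in the issue, as an added example that is not Commons RNG code and not part of the original message. The first half restricts an ObjectInputStream so that only a class descriptor naming java.util.Random is resolved (the ValidatingObjectInputStream idea, done here by overriding resolveClass), so a stream describing any other class is rejected before that class is loaded and before any readObject() on it could run. The second half moves a byte[] through the stream with write(byte[]) and readFully(byte[]) instead of writeObject/readObject. The class name RandomStateExample, the method names, and the int length prefix in front of the raw bytes are assumptions made for this example; the page does not say how JDKRandomBridge records the array length.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.Date;
import java.util.Random;

/** Example only (not Commons RNG code): safe save/restore of java.util.Random state. */
public final class RandomStateExample {

    /** ObjectInputStream that resolves no class other than java.util.Random. */
    static final class RandomOnlyObjectInputStream extends ObjectInputStream {
        RandomOnlyObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Checked on the descriptor name, before any class is loaded, so a
            // hostile class's private readObject() can never be reached.
            if (!Random.class.getName().equals(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "Unauthorized deserialization attempt");
            }
            return super.resolveClass(desc);
        }
    }

    /** Save: serialize the Random, as the JDKRandom state does. */
    static byte[] saveRandom(Random rng) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(rng);
        }
        return bos.toByteArray();
    }

    /** Restore: readObject() is still used, but only a java.util.Random can come back. */
    static Random restoreRandom(byte[] state) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                new RandomOnlyObjectInputStream(new ByteArrayInputStream(state))) {
            return (Random) ois.readObject();
        }
    }

    /** Bridge-style transfer of a byte[] without writeObject(): length prefix (assumed) + raw bytes. */
    static byte[] writeRawState(byte[] state) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeInt(state.length);
            oos.write(state);
        }
        return bos.toByteArray();
    }

    /** Reads the byte[] back with readFully(); no class is ever resolved here. */
    static byte[] readRawState(byte[] encoded) throws IOException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(encoded))) {
            byte[] state = new byte[ois.readInt()];
            ois.readFully(state);
            return state;
        }
    }

    public static void main(String[] args) throws Exception {
        Random rng = new Random(42L);
        rng.nextInt();
        byte[] saved = saveRandom(rng);
        Random restored = restoreRandom(saved);
        System.out.println("restored continues the sequence: "
                + (rng.nextLong() == restored.nextLong()));

        // Constructed negative case: a stream describing a harmless but
        // non-Random class (java.util.Date) is refused at resolveClass.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Date());
        }
        try {
            restoreRandom(bos.toByteArray());
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        byte[] raw = readRawState(writeRawState(saved));
        System.out.println("raw byte[] round trip intact: " + Arrays.equals(raw, saved));
    }
}
```

The allow-list check has to be on `ObjectStreamClass.getName()` inside `resolveClass`, not on the object after `readObject()` returns: by the time a cast to `Random` fails, the other class has already been loaded and its deserialization hooks have already run. The raw-bytes path needs no such check at all, which is why the issue prefers it for JDKRandomBridge.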

This message was sent by Atlassian Jira
