How to use a custom ObjectInputStream for secure deserialization in Spring #26618
Comments
I've edited your comment to improve the formatting. You might want to check out this Mastering Markdown guide for future reference.
Let me start by answering your questions.
No.
No. Jackson deserializes JSON documents (i.e., text input) and therefore does not use an
The only place where you can change the #19880 updated the guidelines for serialization-based endpoints, leading to the following note in the reference manual:
In general, Spring cannot influence how third-party libraries handle Java deserialization (i.e., binary input). If you really need to use Java deserialization to process binary input from untrusted sources, as an alternative to the However, we strongly recommend using any other message format (such as JSON) instead. In light of the above, I am closing this issue.
Thank you. I have one question: when Spring and JPA/Hibernate are implemented, does Hibernate use the ConfigurableObjectInputStream? One more point is that, as per the JPA spec, PKs of classes with composite IDs have to be serializable. In this specific context, can you please confirm that Hibernate would not be using Spring's ConfigurableObjectInputStream in this case as well, when there are composite IDs?
That was covered by this part of my response:
In any case, when you're using Hibernate/JPA and your entities get serialized/deserialized (for example, due to the use of a 2nd-level cache with overflow to disk), you're talking about classes under your control. In other words, this is trusted code that is undergoing serialization. It's not some potentially malicious binary input provided by an external source.
Thanks a lot for your clarifications. This really helped.
Overview
Our tech stack is Spring, JPA using Hibernate, and SQL Server.
implements Serializable. ObjectMapper, which Spring uses, also implements Serializable. As we can see, Hibernate has serialization which is binary (Java), and Jackson is text (JSON) based serialization.
We would like to harden all uses of ObjectInputStream of Java and make sure that there are no deserialization issues in our application. @jhoeller, we request your insights in building a hardened application.
Questions
ConfigurableObjectInputStream?
ConfigurableObjectInputStream?
LookAheadObjectInputStream instead of ConfigurableObjectInputStream?
Custom ObjectInputStream
Inspired by an example from OWASP, we would like to define a LookAheadObjectInputStream which would extend Spring's ConfigurableObjectInputStream where we can define our own application classes that can be resolved.
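The look-ahead stream the opener describes, as an added example that is not code from this issue, from OWASP or from the Spring Framework: it extends Spring's org.springframework.core.ConfigurableObjectInputStream and overrides resolveClass so that only class names on an allow-list are ever resolved; anything else is rejected before the JVM loads or instantiates the type. The class names used for the allow-list (OrderId, a composite-key-style class) and the serialize helper are assumptions made for the demonstration.

```java
// Added example (not from the issue, OWASP or Spring): an allow-listing
// ObjectInputStream built on Spring's ConfigurableObjectInputStream.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

import org.springframework.core.ConfigurableObjectInputStream;

public class LookAheadObjectInputStream extends ConfigurableObjectInputStream {

    // Fully qualified names of the application classes allowed to be
    // deserialized. Everything else fails closed in resolveClass.
    private final Set<String> allowedClassNames;

    public LookAheadObjectInputStream(InputStream in, ClassLoader classLoader,
                                      Set<String> allowedClassNames) throws IOException {
        // acceptProxyClasses = false: dynamic proxies are never accepted here
        super(in, classLoader, false);
        this.allowedClassNames = Set.copyOf(allowedClassNames);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass classDesc)
            throws IOException, ClassNotFoundException {
        String name = classDesc.getName();
        if (!allowedClassNames.contains(name)) {
            // Rejecting before super.resolveClass means the class is never
            // loaded, so no static initializer or readObject of an unexpected
            // type gets a chance to run.
            throw new InvalidClassException(name, "class is not on the deserialization allow-list");
        }
        return super.resolveClass(classDesc);
    }

    // --- demonstration (hypothetical application class and helper) ---

    // Hypothetical composite key, in the spirit of the JPA composite-ID
    // question raised in this thread.
    public static final class OrderId implements Serializable {
        private static final long serialVersionUID = 1L;
        private final long customerId;
        private final long orderNumber;

        public OrderId(long customerId, long orderNumber) {
            this.customerId = customerId;
            this.orderNumber = orderNumber;
        }

        @Override
        public String toString() {
            return "OrderId[customer=" + customerId + ", order=" + orderNumber + "]";
        }
    }

    // Plain Java serialization of an object to bytes, used to construct input.
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(OrderId.class.getName());
        ClassLoader loader = LookAheadObjectInputStream.class.getClassLoader();

        // An allow-listed application class deserializes normally.
        byte[] accepted = serialize(new OrderId(42L, 7L));
        try (LookAheadObjectInputStream in =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(accepted), loader, allowed)) {
            System.out.println("accepted: " + in.readObject());
        }

        // Any other Serializable type (here java.util.Date, constructed as a
        // stand-in for unexpected input) is rejected at class resolution.
        byte[] rejected = serialize(new java.util.Date());
        try (LookAheadObjectInputStream in =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(rejected), loader, allowed)) {
            in.readObject();
            System.out.println("unexpected: object was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points on the design: the allow-list is keyed on exact class names rather than packages or prefixes, so a new Serializable type only becomes deserializable when it is explicitly added; and resolveProxyClass is left to the superclass, which already refuses proxies because the constructor passes acceptProxyClasses = false. On Java 9+ (and 8u121+) the same allow-listing can also be expressed with java.io.ObjectInputFilter or the jdk.serialFilter system property, which additionally lets you bound graph depth, array length and total object count, limits a resolveClass override cannot impose on its own.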