JDK-8271594

Add ObjectInputStream.readObject(Class)


A DESCRIPTION OF THE PROBLEM:
Despite being discouraged, ObjectInputStream is sometimes used to deserialize untrusted data (as numerous past CVEs show).

Interestingly, it appears that callers of ObjectInputStream.readObject(), ObjectInputStream.readUnshared() and ObjectInput.readObject() often know beforehand which class they expect. This can be seen using the following CodeQL query: https://lgtm.com/query/6479907050745830770/
(Feel free to check other projects as well)

Unfortunately, these methods deserialize any object and then require the caller to perform a cast. However, at that point a malicious payload may already have been executed (e.g. in a constructor or in a custom readObject(ObjectInputStream) method).

Therefore the following enhancements are requested:
- Add:
  - <T> T ObjectInputStream.readObject(Class<? extends T>)
  - <T> T ObjectInputStream.readUnshared(Class<? extends T>)
  - <T> T ObjectInput.readObject(Class<? extends T>)
    The default implementation could simply be `clazz.cast(readObject())`
- Update example code snippets using readObject(), such as the one in the ObjectInputStream documentation

However, the existing methods without a Class parameter cannot be deprecated, because the new methods do not work for classes that use surrogates and `readResolve()` for serialization.

These new methods should then be implemented so that they check the class in the serialized stream data and throw an exception on mismatch (i.e. when that class is not the same as, or a subtype of, the expected class) **before** the class is initialized and any instance is created.
Similarly, `ObjectInput.readObject` should have an @implNote encouraging implementations to check the class before initializing untrusted classes.

While this certainly does not prevent all deserialization attacks, it hopefully makes deserialization at least slightly more secure (assuming the JDK does not deserialize forged superclasses or fields specified in the serialized data stream), extending (but not replacing!) the protection provided by ObjectInputFilter.
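As an added example (not code from this issue or from the JDK), the following contrasts the `clazz.cast(readObject())` default the request describes with a stream-level type check built on the existing ObjectInputFilter API, which rejects any class other than the expected one before ObjectInputStream resolves or instantiates it. The helpers `readThenCast` and `readOfType` and the sample streams are constructed for this illustration.

```java
import java.io.*;
import java.util.*;

public final class TypedDeserialization {
    // Variant from the issue text: the cast happens only after the whole graph is deserialized,
    // so readObject()/readResolve() of an unexpected class has already executed by then.
    static <T> T readThenCast(ObjectInputStream in, Class<T> clazz)
            throws IOException, ClassNotFoundException {
        return clazz.cast(in.readObject());
    }

    // Defensive variant (hypothetical helper, not the proposed JDK API): an ObjectInputFilter
    // rejects every class other than the expected type and its allowed components before
    // ObjectInputStream resolves or instantiates it; a rejection surfaces as InvalidClassException.
    static <T> T readOfType(InputStream raw, Class<T> expected, Set<Class<?>> allowed)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/length checks only
            while (c.isArray()) c = c.getComponentType();
            // Object.class covers the Object[] backing-array length check collections perform
            boolean ok = c.isPrimitive() || c == Object.class || c == expected || allowed.contains(c);
            return ok ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(raw)) {
            in.setObjectInputFilter(filter);
            return expected.cast(in.readObject());
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample streams: the expected container and an unexpected one.
        byte[] good = serialize(new ArrayList<>(List.of("a", "b")));
        byte[] wrong = serialize(new HashMap<>(Map.of("k", "v")));
        Set<Class<?>> allowed = Set.of(String.class);
        System.out.println("accepted: " + readOfType(new ByteArrayInputStream(good), ArrayList.class, allowed));
        try {
            readOfType(new ByteArrayInputStream(wrong), ArrayList.class, allowed);
        } catch (InvalidClassException e) {
            // HashMap is rejected at its class descriptor, before HashMap.readObject ever runs
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter still lets the expected class and its listed components through, so it narrows the attack surface as the request intends rather than replacing a process-wide ObjectInputFilter.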

