动态代码求值:serializationutils.clone()上的不安全反序列化

yhuiod9q  于 2021-06-29  发布在  Java
关注(0)|答案(1)|浏览(712)

我得到强化问题动态代码评估:不安全反序列化在下面的行:

@RequestMapping(value="/v2/doc", method=RequestMethod.POST)
    public JsonDocVerifyResponse verify(@RequestBody JsonDocVerifyRequestV3 request)
JsonDocVerifyRequestV3 temp = (JsonDocVerifyRequestV3)SerializationUtils.clone(request);

不安全反序列化的解决方案如下https://www.ibm.com/developerworks/library/se-lookahead/ 但正如您在我的代码中看到的,我没有使用bytearrayoutputstream来反序列化对象。
这是强化的假阳性吗?如果没有,我怎么用

org.apache.commons.io.serialization.ValidatingObjectInputStream

验证类?任何代码示例都会有很大帮助!
以下是片段:

@RequestMapping(value="/v2/doc", method=RequestMethod.POST)
    public JsonDocVerifyResponse verify(@RequestBody JsonDocVerifyRequestV3 request) {

        debugJsonRequest(request, DOC_TYPE.khIdBack);

        JsonDocVerifyResponse response = new JsonDocVerifyResponse();

        return response;
    }
   public void debugJsonRequest(JsonDocVerifyRequestV3 request, DOC_TYPE docType) {

        try {

          JsonDocVerifyRequestV3 temp(JsonDocVerifyRequestV3) SerializationUtils.clone(request);

          LOGGER.debug("{}|{}", docType, CommonUtil.debugJsonObject(temp));

        } catch(Exception e) {
         LOGGER.error("Error in debug json object", e);
        }

 }
bvk5enib

bvk5enib1#

你可以用 accept 以及 reject 方法更安全的反序列化操作。
例子:

import com.sun.xml.internal.ws.util.ByteArrayBuffer;
import org.apache.commons.io.serialization.ValidatingObjectInputStream;

import java.io.*;

public class Main {
    public static void main(String[] args) throws IOException, ClassNotFoundException {
        Bar bar = new Bar("bar-test");
        Foo foo = new Foo("test-foo", bar);

        // write into an array buffer
        ByteArrayBuffer buffer = new ByteArrayBuffer();
        try (ObjectOutputStream serializeStream = new ObjectOutputStream(buffer)) {
            serializeStream.writeObject(foo);
        }

        try (ValidatingObjectInputStream stream = new ValidatingObjectInputStream(buffer.newInputStream())) {
            // add validated classes
            stream.accept(Foo.class);
            stream.accept(Bar.class);

            Foo foo2 = (Foo) stream.readObject();
            System.out.println(foo2);
        }
    }

    public static class Foo implements Serializable {
        private String name;
        private Bar bar;

        public Foo(String name, Bar bar) {
            this.name = name;
            this.bar = bar;
        }

        @Override
        public String toString() {
            return "Foo{" +
                    "name='" + name + '\'' +
                    ", bar=" + bar +
                    '}';
        }
    }

    public static class Bar implements Serializable {
        private String name;

        public Bar(String name) {
            this.name = name;
        }

        @Override
        public String toString() {
            return "Bar{" +
                    "name='" + name + '\'' +
                    '}';
        }
    }
}

相关问题