ISSUE#12905 - Introduced protections against deserialization attacks (#2)

[pixeeai]

Hi, my name is Zach and I'm a developer for Pixee. I wanted to bring some light to this change as it was generated from our automated code security bot.

This change hardens Java deserialization operations against attack. Even a simple operation like an object deserialization is an opportunity to yield control of your system to an attacker. In fact, without specific, non-default protections, any object deserialization call can lead to arbitrary code execution. The JavaDoc now even says:

Deserialization of untrusted data is inherently dangerous and should be avoided.

Let's discuss the attack. In Java, types can customize how they should be deserialized by specifying a readObject() method like this real example from an old version of Spring:

static class MethodInvokeTypeProvider implements TypeProvider {
    private final TypeProvider provider;
    private final String methodName;

    private void readObject(ObjectInputStream inputStream) {
        inputStream.defaultReadObject();
        Method method = ReflectionUtils.findMethod(
                this.provider.getType().getClass(),
                this.methodName
        );
        this.result = ReflectionUtils.invokeMethod(method,this.provider.getType());
    }
}

Reflecting on this code reveals a terrifying conclusion. If an attacker presents this object to be deserialized by your app, the runtime will take a class and a method name from the attacker and then call them. Note that an attacker can provide any serliazed type -- it doesn't have to be the one you're expecting, and it will still deserialize.

Attackers can repurpose the logic of selected types within the Java classpath (called "gadgets") and chain them together to achieve arbitrary remote code execution. There are a limited number of publicly known gadgets that can be used for attack, and our change simply inserts an ObjectInputFilter into the ObjectInputStream to prevent them from being used.

+ import io.github.pixee.security.ObjectInputFilters;
  ObjectInputStream ois = new ObjectInputStream(is);
+ ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
  AcmeObject acme = (AcmeObject)ois.readObject();

This is a tough vulnerability class to understand, but it is deadly serious. It offers the highest impact possible (remote code execution), it's a common vulnerability (it's in the OWASP Top 10), and exploitation is easy enough that automated exploitation is possible. It's best to remove deserialization entirely, but our protections is effective against all known exploitation strategies.

More reading

• https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
• https://portswigger.net/web-security/deserialization/exploiting

I have additional improvements ready for this repo! If you want to see them, leave the comment: (after installing for your repo here)

@pixeebot next

... and I will open a new PR right away!

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: pixee:java/harden-java-deserialization

Follow this checklist to help us incorporate your contribution quickly and easily:

• Make sure there is a Github issue filed for the change (usually before you start working on it). Trivial changes like typos do not require a Github issue. Your pull request should address just this issue, without pulling in other changes - one PR resolves one issue.
• Format the pull request title like [ISSUE #123] Fix UnknownException when host config not exist. Each commit in the pull request should have a meaningful subject line and body.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• Write necessary unit-test to verify your logic correction, more mock a little better when cross module dependency exist. If the new feature or significant change is committed, please remember to add integration-test in test module.
• Run mvn -B clean package apache-rat:check findbugs:findbugs -Dmaven.test.skip=true to make sure basic checks pass. Run mvn clean install -DskipITs to make sure unit-test pass. Run mvn clean test-compile failsafe:integration-test to make sure integration-test pass.

[CLAassistant]

All committers have signed the CLA.

[github-actions]

Thanks for your this PR. 🙏
Please check again for your PR changes whether contains any usage/api/configuration change such as Add new API , Add new configuration, Change default value of configuration.
If so, please add or update documents(markdown type) in docs/next/ for repository nacos-group/nacos-group.github.io

---

感谢您提交的PR。 🙏
请再次查看您的PR内容，确认是否包含任何使用方式/API/配置参数的变更，如：新增API、新增配置参数、修改默认配置等操作。
如果是，请确保在提交之前，在仓库nacos-group/nacos-group.github.io中的docs/next/目录下添加或更新文档（markdown格式）。

[KomachiSion]

1. add an new dependency should be discuss and to find out the copyright and license first.
2. copy of Member is unused from the newest codes, I think if there is vulnerability, we should delete the codes otherwise add some dependencies to solve it.
3. CI no pass.

[Majidrazaee]

سلام تمام دارایی مرا دزدیده شده کیف اول مرا ۱۲کلمه عبور آن حک شده 0x14f4f11f6aA6dFc3eFB70a1661b2c2A8598E46BEاین ادرس کیف اول است دوباره کیف جدید ساختم وشروع به کار کردم ولی این هم خالی شد برای اینکه رد کیف اول را گم نکنم از کیف دوم به کیف اول واریز میکردم وبرداشت میشدوادرس کیف دوم0xe430f15477dD0642354EC6C82d368D5005dDC983این است

[Dario-s-j]

Ok Em ter., 7 de jan. de 2025, 05:43, Majid ***@***.***> escreveu:

…

سلام تمام دارایی مرا دزدیده شده کیف اول مرا ۱۲کلمه عبور آن حک شده 0x14f4f11f6aA6dFc3eFB70a1661b2c2A8598E46BEاین ادرس کیف اول است دوباره کیف جدید ساختم وشروع به کار کردم ولی این هم خالی شد برای اینکه رد کیف اول را گم نکنم از کیف دوم به کیف اول واریز میکردم وبرداشت میشدوادرس کیف دوم0xe430f15477dD0642354EC6C82d368D5005dDC983این است — Reply to this email directly, view it on GitHub <#12906 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A4MT7RFDCGICFKQSEASK4ID2JOHTBAVCNFSM6AAAAABSYP22SKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNZUGY4TONJTGU> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[Majidrazaee]

کیفم راحک کردند