英文:
Java Jackson json to object deserilization. How to deal with OWASP insecure Deserialization?
问题
The OWASP 不安全的反序列化 威胁是一个众所周知的问题。
我的问题是,在使用 Java 部分的解析库如 Jackson 等时,如何减轻这个威胁?
使用 Hibernate 验证或 Java 验证进行验证是否解决了这个问题?或者是否存在特殊或更好的技术来减轻这个问题?
英文:
The OWASP insecure Deserialization threat is a well known one.
My question is how to mitigate this threat when we are using parser libaries like Jackson etc on the java part?
Does validations using Hibernate validation or Java validation solve the issue? Or does any special or better techniques exists to mitigate this issue?
答案1
得分: 3
整个反序列化过程实际上是关于反序列化Java对象的。这与XML解组或读取JSON无关。还有其他漏洞类别来处理这些问题。
想象一下,您的代码接受Java类作为输入(可以使用Base64编码并通过REST端点提供)。为什么有人会这样做呢?嗯,如果您想远程存储状态,那么您可以将Java类序列化,发送它,并在需要时接收回来。没有道理?嗯,Jenkins曾经也这样做。
真正的问题不是反序列化,而是在反序列化期间防止代码执行。如何防止readObject()被调用?它会自动调用。而阻止发生在Java代码深处的事情是很困难的。
您可以尝试使用notsoserial或SerialKiller进行测试,但这不会使您的代码更简单或更易读。实际上有效的方法是在代码中根本不使用不受信任对象的反序列化。
英文:
First of all the whole deserialization thing is about deserialization of Java objects. It's not about XML demarshaling or reading JSON. There are other vulnerability classes to deal with these problems.
Imagine your code accepts a Java class as input (can be Bas64 encoded and provided over a REST endpoint). Why would someone do that? Well, if you would like to store the state remotely then you could serialize the Java class, send it and receive it back when it is needed. Makes no sense? Well, Jenkins did it anyway a while ago.
The real problem is not the deserialization, but the prevention of code execution during deserialization. How to prevent readObject() from being called? It will be called automatically. And preventing something that happens deep in Java code is a pain.
You can try and play with notsoserial or SerialKiller, but it will not make your code simpler and easier to read. The one thing that actually works is not using deserialization of untrusted objects anywhere in the code.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论