reason behind spring.json.trusted.packages
Question
Can someone please explain the design decision behind the "spring.json.trusted.packages" for the spring-kafka deserializer?
I have no issues serializing and deserializing some DTOs in Spring MVC. I do not have to add this. But why does spring-kafka need this?
Answer 1
Score: 1
Because currently JsonDeserializer in spring-kafka supports deserialising the received data to a particular Java type that is specified by the __TypeId__ message header.
And it is known that Java deserialisation has a vulnerability that can cause code execution (see this for details), and if your classpath somehow contains some malicious classes, an attacker can send a message which configures the __TypeId__ header to be a malicious class and execute some code. So spring.json.trusted.packages is used to alleviate this problem, which only allows classes under the trusted packages to be deserialized into.
In Spring MVC, normally you will not design an API endpoint where the request body allows users to configure which Java class it will deserialise into. That's why you cannot find such configuration in Spring MVC. But if you have such an API endpoint, it also has the vulnerability mentioned here.
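As an added example (not part of the answer above, nor spring-kafka's own code), the following Java snippet shows the consumer side trusting a single package and refusing a __TypeId__ header that points outside it. The DTO, its package com.example.dto, the topic name and the untrusted class name are all constructed for the demo.

```java
package com.example.dto; // assumed: the package the consumer below trusts

import java.nio.charset.StandardCharsets;
import java.util.Map;

import org.apache.kafka.common.header.Headers;
import org.apache.kafka.common.header.internals.RecordHeaders;
import org.springframework.kafka.support.serializer.JsonDeserializer;
import org.springframework.kafka.support.serializer.JsonSerializer;

public class TrustedPackagesDemo {

    // Constructed DTO; it lives in the trusted package com.example.dto.
    public static class OrderPlaced {
        public String orderId;
        public int quantity;
    }

    public static void main(String[] args) {
        String topic = "orders"; // constructed topic name

        // Producer side: JsonSerializer writes the JSON payload and, by default,
        // adds the __TypeId__ header holding the DTO's fully qualified class name.
        OrderPlaced event = new OrderPlaced();
        event.orderId = "A-1";
        event.quantity = 3;
        Headers headers = new RecordHeaders();
        byte[] payload;
        try (JsonSerializer<OrderPlaced> serializer = new JsonSerializer<>()) {
            payload = serializer.serialize(topic, headers, event);
        }

        // Consumer side: only classes under com.example.dto may be selected by the header.
        // Spring Boot equivalent: spring.kafka.consumer.properties.spring.json.trusted.packages=com.example.dto
        JsonDeserializer<Object> deserializer = new JsonDeserializer<>();
        deserializer.configure(Map.of(JsonDeserializer.TRUSTED_PACKAGES, "com.example.dto"), false);

        // 1) Header names a class inside the trusted package: accepted.
        Object accepted = deserializer.deserialize(topic, headers, payload);
        System.out.println("accepted: " + accepted.getClass().getName());

        // 2) Same JSON bytes, but the __TypeId__ header names a class outside the trusted
        //    package (constructed name). The type mapper rejects it before loading any class.
        Headers tampered = new RecordHeaders();
        tampered.add("__TypeId__", "org.untrusted.example.SomeType".getBytes(StandardCharsets.UTF_8));
        try {
            deserializer.deserialize(topic, tampered, payload);
        } catch (IllegalArgumentException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
        deserializer.close();
    }
}
```

Setting the property to `*` disables the check entirely and is only appropriate when every producer on the topic is trusted.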
Comments