Açıklaması şöyle
There are two approaches we can take when filtering specific serializable objects:
Whitelist — block everything and allow specific classes or packages in.
Blacklist — block specific problematic classes and packages.
A blacklist lets us block well-known vulnerabilities, and that might be enough. But we have no guarantee that we blocked everything. A whitelist is usually the more secure option, yet it might break your code if you missed a class that’s required in an edge case.
Örnek - Her Şeyi Engelle
Şöyle yaparız
java “-Djdk.serialFilter=!*” -jar MyJar.jar
Açıklaması şöyle
This command will block all serialization. Notice I need to use the quotes to prevent bash from expanding the star sign. The exclamation point means we wish to block and the star means we block everything.
Örnek - Bir Paketi Engelle
Şöyle yaparız
java “-Djdk.serialFilter=!mypackage.*” -jar MyJar.jar
Açıklaması şöyle
We’re blocking a specific package.
Örnek - Bir Paket İzin Ver, Geri Kalan Her Şeyi Engelle
Şöyle yaparız
java “-Djdk.serialFilter=mypackage.*;!*” -jar MyJar.jar
ObjectInputFilter Sınıfı
Şu satırı dahil ederiz
import java.io.ObjectInputFilter;
Açıklaması şöyle
You can use the object deserialization filtering added in Java 9 (java.io.ObjectInputFilter). It lets you accept or reject centrain classes. Prefer whitelisting to blacklisting.
Örnek
Şöyle yaparız
ObjectInputFilter.Config.setSerialFilter(info -> info.depth() > 10 ? Status.REJECTED : Status.UNDECIDED);
Açıklaması şöyle
This is a sample from the Oracle documentation of a simple serialization filter. Notice it can reject the serialization or leave it undecided. This is part of a filter chain where each stage in the validation process can reject the serialization or pass it on to the next stage. We can bind the filter globally as we do here or on a per-stream basis. The API is remarkably flexible and provides a lot of information about the process:
Hiç yorum yok:
Yorum Gönder