Comments (7)
Thanks for the feedback!
from solon.
Thanks for the feedback. Excuse me, which country are you from?
from solon.
There was a problem with the previous PR merge. RPC calls can no longer pass exceptions.
from solon.
Hi, I'm a student recently focused on Java deserialization vulnerability mining and exploitability research. We found that this kind of vulnerability patch is often incomplete (e.g. issue #226), so I tried to submit a patch to help fix it.
I found the prior patch for issue #226 only updated Fury, but it didn't quite beef up the deserialization security: it didn't tweak Fury's default blacklist or dial up the security levels. Therefore, the patches I submitted shake things up by slotting in custom blacklists for a niftier guard strategy.
from solon.
All serialization schemes that declare metadata directly from the data have this problem. The problems are endless, and a headache.
from solon.
Yeah, it's a headache, and even different users and different deployment environments should require different levels of defense. So I suggest Solon could be configured with a more flexible, user-defined deserialization defense mechanism.
For example, to further improve the blacklist, or to change the AllowListChecker.CheckLevel (to set different levels of stringency) according to business needs. If it's convenient, could we exchange emails to further discuss the default blacklist configuration?
And thanks for your efforts in reviewing my PRs. I was very sorry to find out that there were some issues in the prior ones. I've been more into bug hunting and suggesting blacklist tweaks until now, so this is my first stab at a PR fix. I did my best to review this patch, but I might still miss some corner cases. I'd be grateful for a check on your side before the official release.
from solon.
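The per-deployment guard suggested in the comment above, as an added example that is not code from Solon, from Fury, or from this thread. It assumes Fury's documented Java API (AllowListChecker with CheckLevel DISABLE/WARN/STRICT, allowClass, setClassChecker and addListener, package org.apache.fury; older releases use io.fury), and the Order and LegacyHelper types are hypothetical application classes.

```java
import org.apache.fury.Fury;
import org.apache.fury.resolver.AllowListChecker;
import org.apache.fury.resolver.AllowListChecker.CheckLevel;

public final class DeserializationGuard {

    // Hypothetical application types used only for this demo.
    public static final class Order { public long id; public String sku; }
    public static final class LegacyHelper { public String cmd; }

    /** A Fury instance whose class resolution is gated at the given check level. */
    public static Fury build(CheckLevel level, String... allowPatterns) {
        AllowListChecker checker = new AllowListChecker(level);
        Fury fury = Fury.builder()
                .requireClassRegistration(false) // the checker is the gate instead
                .build();
        fury.getClassResolver().setClassChecker(checker);
        checker.addListener(fury.getClassResolver()); // wiring as in Fury's docs (assumed)
        for (String p : allowPatterns) {
            checker.allowClass(p); // exact class name, or a prefix ending in '*' (assumed syntax)
        }
        return fury;
    }

    public static void main(String[] args) {
        // Production profile: STRICT, only the app's own DTOs may be resolved.
        Fury prod = build(CheckLevel.STRICT, Order.class.getName());
        Order o = new Order(); o.id = 42; o.sku = "ABC";
        Order back = (Order) prod.deserialize(prod.serialize(o));
        System.out.println("round-trip ok: " + back.sku);

        // Bytes produced elsewhere (an unrestricted instance stands in for an
        // untrusted sender) name a class outside the allow list: rejected before
        // the class is resolved or instantiated.
        Fury open = build(CheckLevel.DISABLE);
        byte[] payload = open.serialize(new LegacyHelper());
        try {
            prod.deserialize(payload);
            System.out.println("UNEXPECTED: LegacyHelper accepted");
        } catch (RuntimeException e) {
            System.out.println("rejected as expected: " + e.getClass().getSimpleName());
        }

        // Staging profile: WARN logs the violation but lets the call through, which
        // is how you discover what a real workload needs before switching to STRICT.
        Fury staging = build(CheckLevel.WARN, Order.class.getName());
        staging.deserialize(payload);
    }
}
```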
That's good advice. Later I made the serialization blacklist a standard interface.
from solon.