
Two serialization protocols `nami.coder.fury` and `solon.serialization.fury` in Solon are vulnerable, the modules associated with them are at risk of RCE attacks. (about solon, CLOSED)

qxyuan853 commented on July 26, 2024
Two serialization protocols `nami.coder.fury` and `solon.serialization.fury` in Solon are vulnerable, the modules associated with them are at risk of RCE attacks.

from solon.

Comments (7)

noear commented on July 26, 2024

Thanks for the feedback!


noear commented on July 26, 2024

Thanks for the feedback. Excuse me, which country are you from?


noear commented on July 26, 2024

There was a problem with the previous PR merge. RPC calls can no longer pass exceptions.


qxyuan853 commented on July 26, 2024

> Thanks for the feedback. Excuse me, which country are you from?

Hi, I'm a student recently focused on Java deserialization vulnerability mining and exploitability research. We found that patches for this kind of vulnerability are easily left incomplete (e.g. issue #226), so I tried to submit a patch to help fix it.

I found that the prior patch for issue #226 only updated Fury, but it didn't really strengthen deserialization security: it didn't tweak Fury's default blacklist or raise the security level. Therefore, the patches I submitted slot in custom blacklists for a stronger guard strategy.


noear commented on July 26, 2024

All serialization schemes that declare metadata directly from the data have this problem. And the problems are endless; it's a headache.


qxyuan853 commented on July 26, 2024

> All serialization schemes that declare metadata directly from the data have this problem. The problems are endless and a headache.

Yeah, it's a headache, and different users and different deployment environments may even require different levels of defense. So I suggest Solon could be configured with a more flexible, user-defined deserialization defense mechanism.
For example, to further improve the blacklist, or to change the AllowListChecker.CheckLevel (to set different levels of strictness) according to business needs. If it's convenient, could we exchange emails to further discuss the default blacklist configuration?

And thanks for your efforts in reviewing my PRs. I was very sorry to find out that there were some issues in the prior ones. Until now I've been more into bug hunting and suggesting blacklist tweaks, so this is my first stab at a PR fix. I did my best to review this patch, but I might still miss some corner cases. I'd be grateful for the check you make before the official release.


noear commented on July 26, 2024

That's good advice. Later I made the serialization blacklist a standard interface.

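The hardening discussed in this thread (raising `AllowListChecker.CheckLevel` to STRICT, adding a custom blacklist, and exposing the blacklist through a pluggable interface as noear mentions), as an added example that is not Solon's or Fury's own code. It assumes the Apache Fury Java API as documented (`org.apache.fury.Fury`, `org.apache.fury.resolver.AllowListChecker`, `requireClassRegistration`, `setClassChecker`, `addListener`, `allowClass`/`disallowClass`); the `SerializationDenyList` interface, the `DEFAULT_DENY` patterns and the `Dto`/`Forbidden` classes are constructed for illustration and should be verified against the Fury version your build pins.

```java
// Added example, not Solon's or Fury's own code. Assumes the Apache Fury Java
// API (org.apache.fury.*); check the names against the Fury version you use.
package example;

import java.util.List;

import org.apache.fury.Fury;
import org.apache.fury.config.Language;
import org.apache.fury.resolver.AllowListChecker;
import org.apache.fury.resolver.ClassResolver;

public class HardenedFury {

    /** Hypothetical hook: deployments plug in their own deny patterns. */
    public interface SerializationDenyList {
        List<String> patterns();
    }

    /** Constructed baseline deny list of classic gadget-chain packages; extend per deployment. */
    public static final List<String> DEFAULT_DENY = List.of(
        "com.sun.rowset.*",
        "javax.management.*",
        "javax.naming.*",
        "java.rmi.*",
        "org.apache.commons.collections.*",
        "org.apache.commons.collections4.*",
        "org.springframework.beans.factory.*"
    );

    /**
     * Build a Fury instance that instantiates only classes matching allowPatterns and
     * refuses anything on the deny lists, regardless of what the wire data declares.
     */
    public static Fury build(List<String> allowPatterns, SerializationDenyList extra) {
        Fury fury = Fury.builder()
            .withLanguage(Language.JAVA)
            // The checker below replaces class registration; with registration
            // required, every type would additionally have to be fury.register()-ed.
            .requireClassRegistration(false)
            .build();

        // STRICT: an unlisted class is rejected, not merely logged (WARN) or ignored (DISABLE).
        AllowListChecker checker = new AllowListChecker(AllowListChecker.CheckLevel.STRICT);
        ClassResolver resolver = fury.getClassResolver();
        resolver.setClassChecker(checker);
        // Let the checker evict cached serializers when a class is disallowed later.
        checker.addListener(resolver);

        allowPatterns.forEach(checker::allowClass);      // exact names or "com.acme.dto.*"
        DEFAULT_DENY.forEach(checker::disallowClass);
        extra.patterns().forEach(checker::disallowClass);
        return fury;
    }

    /** Demo: an allowed DTO round-trips; a hostile payload naming a denied class is refused. */
    public static void main(String[] args) {
        Fury fury = build(List.of(Dto.class.getName()),
                          () -> List.of(Forbidden.class.getName()));

        Dto dto = new Dto("order-42");
        byte[] bytes = fury.serialize(dto);
        Dto back = (Dto) fury.deserialize(bytes);
        System.out.println("allowed round-trip: " + back.id);

        // Craft the payload with an unrestricted instance to simulate attacker-controlled bytes.
        Fury attacker = Fury.builder().withLanguage(Language.JAVA)
            .requireClassRegistration(false).build();
        byte[] hostile = attacker.serialize(new Forbidden());
        try {
            fury.deserialize(hostile);
            System.out.println("BUG: denied class was instantiated");
        } catch (RuntimeException e) {   // Fury reports a rejected class as its InsecureException
            System.out.println("denied class rejected: " + e.getClass().getSimpleName());
        }
    }

    public static class Dto {
        public String id;
        public Dto() {}
        public Dto(String id) { this.id = id; }
    }

    /** Stand-in for a gadget class; a real deny list names real gadget packages. */
    public static class Forbidden {}
}
```

The deny list only buys defence in depth: in STRICT mode a class that matches no allow pattern is already refused, so the allow patterns should be as narrow as the DTO packages the RPC layer actually exchanges, and the deny entries cover the case where an overly broad allow pattern (or a future WARN-level deployment) would otherwise let a gadget class through.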
