[
https://issues.apache.org/jira/browse/KAFKA-20450?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chia-Ping Tsai resolved KAFKA-20450.
------------------------------------
Fix Version/s: 4.4.0
Resolution: Fixed
> SafeObjectInputStream uses denylist based approach
> --------------------------------------------------
>
> Key: KAFKA-20450
> URL: https://issues.apache.org/jira/browse/KAFKA-20450
> Project: Kafka
> Issue Type: Bug
> Reporter: Subbu
> Priority: Major
> Fix For: 4.4.0
>
>
> File :
> connect/runtime/src/main/java/org/apache/kafka/connect/util/SafeObjectInputStream.java
>
> The current SafeObjectInputStream uses a denylist-based approach - having a
> fixed denylist to be validated against for deserialization. This is a bad
> security practice and has also been mentioned in the original PR.
> We need to use allowlisting as a better security practice.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)