[ https://issues.apache.org/jira/browse/LANG-1734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18045196#comment-18045196 ]
Gary D. Gregory commented on LANG-1734:
---------------------------------------
I updated the javadoc to document a safer deserialization option in Javadoc for
SerializationUtils.
> Deprecate/replace SerializationUtils.deserialize
> ------------------------------------------------
>
> Key: LANG-1734
> URL: https://issues.apache.org/jira/browse/LANG-1734
> Project: Commons Lang
> Issue Type: Task
> Components: lang.*
> Reporter: Arnout Engelen
> Priority: Minor
> Fix For: 3.20.1
>
>
> SerializationUtils.deserialize should never be used with untrusted input: it
> is generally not possible to prove the absence of classes on the classpath
> that can be used as 'gadgets' for deserialization attacks.
> When SerializationUtils.deserialize was introduced, Java serialization was
> still 'in vogue' and the JDK APIs for deserialization were awkward to use.
> Nowadays, other serialization mechanisms (and serialization proxies) are more
> popular, and the Java APIs have gotten much better, so there isn't much
> reason for "SerializationUtils.deserialize" anymore.
> For these reasons, it might be good to deprecate
> SerializationUtils.deserialize, or at least more clearly mark it as not
> suitable to be used with untrusted input. We might also want to replace it
> with variants that encourage allow/denylisting or other security filters, or
> recommend
> [https://docs.oracle.com/en/java/javase/11/core/serialization-filtering1.html]
> for that.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
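The serialization-filtering approach the issue points to, as an added example that is not part of Commons Lang or this ticket: the same byte-array round trip that SerializationUtils.deserialize performs, but with a JEP 290 ObjectInputFilter (Java 9+, java.io.ObjectInputFilter) installed before any class in the stream is resolved. The allow-list pattern, the resource limits and the SafeMessage class are assumptions chosen for the demonstration.

```java
import java.io.*;
import java.util.ArrayList;

public class FilteredDeserializationExample {
    // Constructed example type: the only application class the filter admits.
    public static final class SafeMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        SafeMessage(String text) { this.text = text; }
    }

    // Allow-list filter: our nested class and java.lang.*, then resource limits
    // against deeply nested or oversized graphs, then "!*" so every other class
    // is rejected before it is instantiated (the unfiltered call would load it).
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "FilteredDeserializationExample$SafeMessage;java.lang.*;"
        + "maxdepth=5;maxrefs=100;maxbytes=4096;!*");

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        return bos.toByteArray();
    }

    // Same shape as SerializationUtils.deserialize(byte[]), but the filter is set
    // on the stream before readObject(), so class resolution is checked first.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = deserializeFiltered(serialize(new SafeMessage("hello")));
        System.out.println("allowed: " + ((SafeMessage) ok).text);

        // A class outside the allow-list is refused with InvalidClassException
        // ("filter status: REJECTED"); a plain ArrayList stands in for any
        // unexpected class arriving in untrusted input.
        byte[] other = serialize(new ArrayList<String>());
        try {
            deserializeFiltered(other);
            System.out.println("unexpected: ArrayList was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A process-wide default can be set instead with the `jdk.serialFilter` system property, but a per-stream filter keeps the allow-list next to the code that knows which classes it expects.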