[ https://issues.apache.org/jira/browse/RNG-120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16941413#comment-16941413 ]

Gilles Sadowski commented on RNG-120:
-------------------------------------

Is there any correct use for methods {{writeObject}} and {{readObject}}?

> Fix security issues in serialization code for Random instances
> --------------------------------------------------------------
>
>                 Key: RNG-120
>                 URL: https://issues.apache.org/jira/browse/RNG-120
>             Project: Commons RNG
>          Issue Type: Improvement
>          Components: core, simple
>    Affects Versions: 1.3
>            Reporter: Alex Herbert
>            Assignee: Alex Herbert
>            Priority: Minor
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> SonarCloud has highlighted security issues in the use of serialization to 
> save and restore the state of java.util.Random instances.
> When reading objects using ObjectInputStream.readObject() the class is first 
> identified and the private readObject() method of the class type is executed 
> (if it is present). If the class is a malicious class then potentially 
> malicious code can be executed.
> h2. JDKRandom
> Uses serialisation to save the {{java.util.Random}} instance to the 
> RandomProviderState.
> The code requires that {{java.util.Random}} is read using 
> ObjectInputStream.readObject(). To ensure the code only allows 
> {{java.util.Random}} to be read the code can adapt the 
> [ValidatingObjectInputStream|https://commons.apache.org/proper/commons-io/javadocs/api-2.6/org/apache/commons/io/serialization/ValidatingObjectInputStream.html]
>  idea from Commons IO to prevent malicious code execution.
> h2. JDKRandomBridge
> This writes and reads a byte[] using the writeObject and readObject methods 
> of ObjectOutput/InputStream. To avoid use of readObject() the code can be 
> refactored to write the byte[] using the write(byte[]) method of 
> ObjectOutputStream and the readFully(byte[]) method of ObjectInputStream.
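The mitigation the issue proposes for JDKRandom, as an added illustration rather than Commons RNG's own code: an ObjectInputStream whose resolveClass only admits java.util.Random, so a crafted stream cannot have a foreign readObject() executed. The class names RandomOnlyInputStream and RandomStateDemo are assumptions made for this example; the allow-list check mirrors the ValidatingObjectInputStream idea from Commons IO without using that library.

```java
import java.io.*;
import java.util.Random;

/** Restricts deserialization to java.util.Random (class-name allow-list). */
final class RandomOnlyInputStream extends ObjectInputStream {
    RandomOnlyInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Reject any class descriptor other than java.util.Random before the
        // class is loaded, so no other type's private readObject() can run.
        if (!Random.class.getName().equals(desc.getName())) {
            throw new InvalidClassException(desc.getName(),
                    "Unauthorized deserialization attempt");
        }
        return super.resolveClass(desc);
    }
}

/** Hypothetical save/restore of a java.util.Random state (example only). */
public final class RandomStateDemo {
    /** Serialize a Random to bytes, as JDKRandom does when saving state. */
    static byte[] save(Random rng) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(rng);
        }
        return bos.toByteArray();
    }

    /** Restore a Random from bytes, accepting only java.util.Random. */
    static Random restore(byte[] state)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new RandomOnlyInputStream(new ByteArrayInputStream(state))) {
            return (Random) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Random original = new Random(42L);
        byte[] state = save(original);
        Random copy = restore(state);
        // The two generators must now agree, showing the state round-tripped.
        System.out.println(original.nextLong() == copy.nextLong());
    }
}
```

Only the descriptor for java.util.Random appears in such a stream (its serialized fields are primitives), so the allow-list admits legitimate state while a stream naming any other class fails in resolveClass before deserialization proceeds.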



--
This message was sent by Atlassian Jira
(v8.3.4#803005)