[ https://issues.apache.org/jira/browse/RNG-120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16941413#comment-16941413 ]
Gilles Sadowski commented on RNG-120:
-------------------------------------

Is there any correct use for methods {{writeObject}} and {{readObject}}?

> Fix security issues in serialization code for Random instances
> --------------------------------------------------------------
>
>                 Key: RNG-120
>                 URL: https://issues.apache.org/jira/browse/RNG-120
>             Project: Commons RNG
>          Issue Type: Improvement
>          Components: core, simple
>    Affects Versions: 1.3
>            Reporter: Alex Herbert
>            Assignee: Alex Herbert
>            Priority: Minor
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> SonarCloud has highlighted security issues in the use of serialization to
> save and restore the state of java.util.Random instances.
>
> When reading objects using ObjectInputStream.readObject() the class is first
> identified and the private readObject() method of the class type is executed
> (if it is present). If the class is a malicious class then potentially
> malicious code can be executed.
>
> h2. JDKRandom
>
> Uses serialisation to save the {{java.util.Random}} instance to the
> RandomProviderState.
>
> The code requires that {{java.util.Random}} is read using
> ObjectInputStream.readObject(). To ensure the code only allows
> {{java.util.Random}} to be read the code can adapt the
> [ValidatingObjectInputStream|https://commons.apache.org/proper/commons-io/javadocs/api-2.6/org/apache/commons/io/serialization/ValidatingObjectInputStream.html]
> idea from Commons IO to prevent malicious code execution.
>
> h2. JDKRandomBridge
>
> This writes and reads a byte[] using the writeObject and readObject methods
> of ObjectOutput/InputStream. To avoid use of readObject() the code can be
> refactored to write the byte[] using the write(byte[]) method of
> ObjectOutputStream and the readFully(byte[]) method of ObjectInputStream.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
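The ValidatingObjectInputStream idea proposed above for JDKRandom, as an added example that is not code from the issue or from Commons RNG: an ObjectInputStream subclass whose resolveClass accepts only the java.util.Random class descriptor, so any other class in the stream is rejected before it is loaded and before its private readObject() could run. Class and method names are my own, and the java.util.Date stream is a constructed input.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Random;

public class RandomStateRestore {
    // Hypothetical helper: resolves only the java.util.Random descriptor, rejecting all others.
    static final class RandomOnlyInputStream extends ObjectInputStream {
        RandomOnlyInputStream(ByteArrayInputStream in) throws IOException {
            super(in);
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Called before the class is loaded, so a rejected class never runs its readObject().
            if (!Random.class.getName().equals(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "only java.util.Random is allowed");
            }
            return super.resolveClass(desc);
        }
    }
    // Serialises an object the way JDKRandom saves its java.util.Random state.
    static byte[] save(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }
    // Restores the Random through the restricted stream; java.util.Random's serialized
    // fields are all primitives, so its descriptor is the only one the stream contains.
    static Random restore(byte[] state) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new RandomOnlyInputStream(new ByteArrayInputStream(state))) {
            return (Random) in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        Random rng = new Random(42);
        rng.nextInt(); // advance past the seed state
        Random copy = restore(save(rng));
        System.out.println(rng.nextLong() == copy.nextLong()); // true: same state restored
        byte[] other = save(new java.util.Date(0L)); // constructed: a stream that is not a Random
        try { restore(other); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The rejection happens in resolveClass, i.e. before ObjectInputStream allocates the object, which is the property that closes the readObject() concern raised in the issue for this code path.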