Re: SafeObjectInputStream prototype

2015-11-17 Thread Bertrand Delacretaz
On Mon, Nov 16, 2015 at 4:18 PM, Jason Bailey wrote:
> We've been looking at a javaagent and/or a WeavingHook to do the same
> thing

I've been looking a bit more at https://github.com/kantega/notsoserial and it looks quite good, and its author Erik is open to

RE: SafeObjectInputStream prototype

2015-11-16 Thread Jason Bailey
...@apache.org]
Sent: Wednesday, November 11, 2015 2:20 PM
To: Bertrand Delacretaz <bdelacre...@apache.org>
Cc: dev <dev@sling.apache.org>
Subject: Re: SafeObjectInputStream prototype

On Tue, Nov 10, 2015 at 3:09 PM, Bertrand Delacretaz <bdelacre...@apache.org> wrote:

Re: SafeObjectInputStream prototype

2015-11-11 Thread Bertrand Delacretaz
On Tue, Nov 10, 2015 at 4:57 PM, Bertrand Delacretaz wrote:
> ...maybe we can provide the current mode with whitelist of fixed class
> names, with the option of a set of white + blacklists based on regexp
> class name patterns...

I have now implemented this using a

Re: SafeObjectInputStream prototype

2015-11-11 Thread Bertrand Delacretaz
On Tue, Nov 10, 2015 at 3:09 PM, Bertrand Delacretaz wrote:
> ...I have created a prototype at SLING-5288 to guard against recently
> reported Java deserialization risks...

In the meantime I also tested https://github.com/kantega/notsoserial which is very interesting as

Re: SafeObjectInputStream prototype

2015-11-10 Thread Bertrand Delacretaz
On Tue, Nov 10, 2015 at 4:06 PM, Antonio Sanso wrote:
> ...I was wondering if we can have a combination of white/black list approach
> though...

SerialKiller [1] which was also recently created uses regular expression patterns with both black and white lists (and gets them

Re: SafeObjectInputStream prototype

2015-11-10 Thread Antonio Sanso
Thanks a lot Bertrand!! This looks promising. I have seen you used a white list approach (that is the best way by far). I was wondering if we can have a combination of white/black list approach though.

regards
antonio

On Nov 10, 2015, at 3:09 PM, Bertrand Delacretaz

SafeObjectInputStream prototype

2015-11-10 Thread Bertrand Delacretaz
Hi,

I have created a prototype at SLING-5288 to guard against recently reported Java deserialization risks. Feedback is welcome, and if someone feels like enhancing that with an ObjectInputStream wrapper that would be useful.

-Bertrand
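As an added illustration of the ObjectInputStream wrapper requested above and of the design discussed later in the thread (a whitelist of fixed class names plus regexp white/black lists), here is example code written for this page; it is not the SLING-5288 prototype, notsoserial or SerialKiller. The class name AllowlistObjectInputStream, the policy entries and the sample objects are all constructed for the demo.

```java
import java.io.*;
import java.util.*;
import java.util.regex.Pattern;

public class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> fixedNames;      // exact class names that are always accepted
    private final List<Pattern> allowPatterns; // regexps that accept a class name
    private final List<Pattern> denyPatterns;  // regexps checked first; a match always rejects

    public AllowlistObjectInputStream(InputStream in, Set<String> fixedNames,
            List<Pattern> allowPatterns, List<Pattern> denyPatterns) throws IOException {
        super(in);
        this.fixedNames = fixedNames;
        this.allowPatterns = allowPatterns;
        this.denyPatterns = denyPatterns;
    }

    // Every class descriptor in the stream passes through here before the class is loaded,
    // so a rejected class never gets to run its readObject()/readResolve() logic.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!isAllowed(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    boolean isAllowed(String name) {
        for (Pattern p : denyPatterns) if (p.matcher(name).matches()) return false;
        if (fixedNames.contains(name)) return true;
        for (Pattern p : allowPatterns) if (p.matcher(name).matches()) return true;
        return false; // default deny: anything unknown is never resolved
    }

    public static void main(String[] args) throws Exception {
        // Constructed policy: java.util.Date by exact name, java.lang.* by pattern, deny com.example.internal.*
        Set<String> fixed = Set.of("java.util.Date");
        List<Pattern> allow = List.of(Pattern.compile("java\\.lang\\..*"));
        List<Pattern> deny = List.of(Pattern.compile("com\\.example\\.internal\\..*"));
        for (Object sample : new Object[] { new Date(0), new ArrayList<>() }) { // Date allowed, ArrayList not
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(sample); }
            try (ObjectInputStream in = new AllowlistObjectInputStream(
                    new ByteArrayInputStream(bos.toByteArray()), fixed, allow, deny)) {
                System.out.println("accepted: " + in.readObject().getClass().getName());
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Deny patterns are evaluated before the fixed names and allow patterns, so a blacklist entry can never be overridden by a broad allow regexp; everything not matched is rejected by default.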