Support for session object serialization filters #427

Open
jccampanero opened this issue Mar 29, 2021 · 2 comments

@jccampanero

Currently the library does not offer the ability to filter which objects are allowed to be deserialized from sessions.

This can, potentially, allow an attacker to inject arbitrarily serialized Java objects in the session, which would then get deserialized and potentially lead to remote code execution.

In addition, if a third-party ObjectInputFilter is applied over the underlying ObjectInputStream, depending on the filter configuration, it can mean that certain attributes of the session are rejected.

Please see this related Stack Overflow question and this associated answer.

I created a fork of the problem to show a possible solution to the problem, a WIP, just to get the idea. If you consider it appropriate, I can improve the forked code and submit a pull request.
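The following is an added illustration of the mechanism the issue describes, written for this thread and not taken from the library or from the author's fork. It assumes hypothetical attribute classes (LegitAttribute, UnexpectedType) and a hypothetical allowlist pattern; the only real API it relies on is java.io.ObjectInputFilter (Java 9+) attached to the ObjectInputStream that reads the serialized session. It shows both points raised above: an allowlist filter rejects a class the application never stores in the session, and an over-strict filter rejects a legitimate session attribute.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class SessionFilterDemo {

    // Hypothetical attribute type the application legitimately stores in the session.
    static final class LegitAttribute implements Serializable {
        private static final long serialVersionUID = 1L;
        final String username;
        LegitAttribute(String username) { this.username = username; }
    }

    // Hypothetical type that never belongs in a session; stands in for anything unexpected.
    static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
        final int marker = 42;
    }

    // Allowlist filter (constructed for this example): the map container, core JDK value
    // types, the attribute classes the application actually stores, then reject everything
    // else ("!*"). The limits bound nesting depth, reference count and stream size.
    static final ObjectInputFilter SESSION_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=20;maxrefs=1000;maxbytes=65536;"
            + "java.util.HashMap;java.lang.*;"
            + "SessionFilterDemo$LegitAttribute;"   // nested class name as seen by the filter
            + "!*");

    static byte[] serialize(Map<String, Object> session) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(session);
        }
        return bos.toByteArray();
    }

    @SuppressWarnings("unchecked")
    static Map<String, Object> deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter); // must be set before the first readObject()
            return (Map<String, Object>) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> good = new HashMap<>();
        good.put("user", new LegitAttribute("alice"));
        good.put("hits", 3);
        Map<String, Object> restored = deserialize(serialize(good), SESSION_FILTER);
        System.out.println("accepted attributes: " + restored.keySet());

        // A session blob carrying a class outside the allowlist is rejected before any
        // readObject() of that class runs; the filter raises InvalidClassException.
        Map<String, Object> unexpected = new HashMap<>();
        unexpected.put("user", new UnexpectedType());
        try {
            deserialize(serialize(unexpected), SESSION_FILTER);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // The caveat from the issue: a filter that omits a legitimate attribute class rejects
        // the whole session, so the allowlist must be kept in sync with what is stored.
        ObjectInputFilter tooStrict =
                ObjectInputFilter.Config.createFilter("java.util.HashMap;java.lang.*;!*");
        try {
            deserialize(serialize(good), tooStrict);
        } catch (InvalidClassException e) {
            System.out.println("legitimate session rejected by over-strict filter: " + e.getMessage());
        }
    }
}
```

The filter is consulted for every class descriptor read from the stream, including superclasses such as java.lang.Number for an Integer attribute, which is why the pattern admits java.lang.* rather than only the attribute classes. If the session store is shared (for example a Redis instance), the filter is the last line of defense on the reading side and does not replace access control on the store itself.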

@jccampanero

Please, can you provide some feedback about the issue?

@exabrial

exabrial commented Jun 4, 2021

inject arbitrarily serialized Java objects in the session

Do you mean by modifying the data in the Redis instance? Or submitting it in a web form?
