Skip to content

Deserialization filter allows overly permissive package patterns vulnerable to gadget chains #220

Description

@sfloess

Location

File: ./src/main/java/org/flossware/commons/util/StringUtil.java
Line: 339

Description

The toCompressedString/fromCompressedString and toString/fromString methods use Java native serialization which is vulnerable to Remote Code Execution (RCE) attacks. While ObjectInputFilter was added in fromStream (line 390-405), the filter only allows org.flossware.*, java.lang.*, and java.util.* packages.

This is still too permissive and can be exploited via gadget chains in java.util classes (e.g., java.util.PriorityQueue, java.util.HashMap with custom Comparators). The methods are deprecated but still present and executable.

Recommendation

  1. If these methods must remain until removal, implement a strict whitelist of specific safe classes (not entire packages)
  2. Add deep inspection to reject any nested objects from untrusted packages
  3. Consider runtime detection of gadget chain patterns
  4. Add mandatory security documentation requiring authentication/integrity checks before deserialization
  5. Accelerate migration to JSON-based serialization (Jackson with safe default typing disabled)

Severity

CRITICAL - Remote Code Execution risk

Related

Related to but distinct from #216 (which focuses on array type bypass). This issue addresses the broader problem of overly permissive package-level filtering.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingsecurity

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions