Uploaded image for project: 'Lucene - Core'
  1. Lucene - Core
  2. LUCENE-9094

Ban ObjectInputStream and ObjectOutputStream in forbidden-apis

    XMLWordPrintableJSON

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 8.5
    • Component/s: general/build
    • Labels:
      None
    • Lucene Fields:
      New

      Description

      suggested build failure message:

      [forbidden-apis] Forbidden class/interface use: java.io.ObjectInputStream [Java deserialization is unsafe when the data is untrusted. The java developer is powerless: no checks or casts help, exploitation can happen in places such as clinit or finalize!]

      I will whitelist existing places doing this for now.

        Attachments

        1. LUCENE-9094.patch
          13 kB
          Robert Muir

          Issue Links

            Activity

              People

              • Assignee:
                rcmuir Robert Muir
                Reporter:
                rcmuir Robert Muir
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: