Lucene - Core
LUCENE-9094

Ban ObjectInputStream and ObjectOutputStream in forbidden-apis

Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 8.5
    • Component/s: general/build
    • Labels: None
    • Lucene Fields: New

    Description

      suggested build failure message:

      [forbidden-apis] Forbidden class/interface use: java.io.ObjectInputStream [Java deserialization is unsafe when the data is untrusted. The java developer is powerless: no checks or casts help, exploitation can happen in places such as clinit or finalize!]

      I will whitelist existing places doing this for now.
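Added here as an illustration, not code from the issue or from Lucene, of why the message above says checks and casts do not help: a constructed Serializable class (SideEffectOnRead) whose readObject hook records that it ran, and a caller that "only" expects a String. All class and method names are constructed for the demo.

```java
import java.io.*;

// Constructed demo class: stands in for any class on the classpath
// whose readObject (or clinit/finalize) has side effects.
class SideEffectOnRead implements Serializable {
    private static final long serialVersionUID = 1L;
    static volatile boolean readObjectRan = false;

    // Invoked by ObjectInputStream while the object is being rebuilt,
    // i.e. before the caller ever sees a reference to it.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        readObjectRan = true; // any code placed here executes before the caller's cast
    }
}

public class CastDoesNotProtect {
    // Produce the "untrusted" byte stream for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Application code that expects a String and "defends" with a cast.
    static String readExpectedString(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // readObject() fully deserializes the payload first; the cast runs afterwards.
            return (String) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] untrusted = serialize(new SideEffectOnRead());
        try {
            readExpectedString(untrusted);
        } catch (ClassCastException expected) {
            System.out.println("cast rejected the object: " + expected.getMessage());
        }
        // The side effect has already happened by the time the cast fails.
        System.out.println("readObject hook already ran: " + SideEffectOnRead.readObjectRan);
    }
}
```

The cast only decides what the caller does with the result; it cannot undo code that ran during deserialization, which is why the issue bans the API outright instead of relying on caller-side checks.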

Attachments

        1. LUCENE-9094.patch (13 kB, Robert Muir)

People

    Assignee: Robert Muir (rcmuir)
    Reporter: Robert Muir (rcmuir)