Details
Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Description
Another security scan ding, but not a very big concern.
We use ObjectInputStream to serialize/deserialize a Map which contains the columns+values of the primary key constraint. The problem with ObjectInputStream is that it doesn't care what Class it deserializes. If a malicious user can somehow coerce some unknowing user into using an InputSplit that has this specially crafted class, we can get into arbitrary code execution.
https://www.ibm.com/developerworks/library/se-lookahead/ outlines a way to work around this issue in code, but it leaves a bit to be desired. The ObjectInputStream recursively calls itself as it deserializes the fields in the Object. By trusting some classes from the packages java.lang, java.util, and java.sql, I believe we can remove this minor concern.
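As an added illustration of the look-ahead approach the IBM article describes (this is example code written for this page, not the project's own InputSplit code), the stream below overrides resolveClass so that every class descriptor in the stream, including those for nested field values that ObjectInputStream reads recursively, is checked against a package-prefix allowlist before the class is loaded or instantiated. The class and method names (PrimaryKeyMapDeserializer, LookAheadObjectInputStream, readPrimaryKeyMap), the trusted-prefix list and the sample primary-key map are assumptions for the example; java.math.BigDecimal stands in for any class outside the allowlist and is not itself a gadget.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class PrimaryKeyMapDeserializer {

    // Assumed allowlist, following the issue's suggestion of trusting only these packages.
    private static final List<String> TRUSTED_PREFIXES =
            Arrays.asList("java.lang.", "java.util.", "java.sql.");

    /**
     * Look-ahead stream: resolveClass() is invoked for every class descriptor that
     * readObject() encounters, so rejecting here stops a hostile class before any
     * of its code (constructor, readObject, readResolve) can run.
     */
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Array descriptors look like "[Ljava.lang.String;" or "[I"; check the element type.
            String element = name;
            while (element.startsWith("[")) {
                element = element.substring(1);
            }
            if (element.length() == 1) {
                return super.resolveClass(desc); // primitive array, nothing to instantiate
            }
            if (element.startsWith("L") && element.endsWith(";")) {
                element = element.substring(1, element.length() - 1);
            }
            if (!isTrusted(element)) {
                throw new InvalidClassException(name, "class not in deserialization allowlist");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces)
                throws IOException, ClassNotFoundException {
            // Dynamic proxies are a common gadget entry point and the PK map never needs one.
            throw new InvalidClassException("dynamic proxy not allowed: " + Arrays.toString(interfaces));
        }
    }

    static boolean isTrusted(String className) {
        for (String prefix : TRUSTED_PREFIXES) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    @SuppressWarnings("unchecked")
    static Map<String, Object> readPrimaryKeyMap(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Map<String, Object>) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample PK map: every value is from java.lang, java.util or java.sql.
        Map<String, Object> pk = new HashMap<>();
        pk.put("ORG_ID", "acme");
        pk.put("EVENT_TS", new java.sql.Timestamp(1_700_000_000_000L));
        pk.put("SEQ", 42L);
        System.out.println("accepted: " + readPrimaryKeyMap(serialize(pk)));

        // Same map shape, but one value's class (java.math.BigDecimal) is outside the allowlist.
        Map<String, Object> untrusted = new HashMap<>();
        untrusted.put("AMOUNT", new java.math.BigDecimal("1.50"));
        try {
            readPrimaryKeyMap(serialize(untrusted));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two practical notes on this pattern. First, the allowlist has to cover every class that can legitimately appear as a key value, including superclasses (java.sql.Timestamp is read via a java.util.Date descriptor), so a DECIMAL column backed by java.math.BigDecimal would be rejected by the three prefixes above and the list would need extending. Second, on JDK 9+ (and 8u121+ via sun.misc.ObjectInputFilter) the same policy is available without subclassing through ObjectInputFilter, for example ObjectInputFilter.Config.createFilter("java.lang.*;java.util.*;java.sql.*;!*") set with ois.setObjectInputFilter(...), which also lets you cap object graph depth and array sizes.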