[RNG-120] Fix security issues in serialization code for Random instances - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Implemented
Affects Version/s: 1.3
Fix Version/s: 1.3
Component/s: core, simple
Labels:
None

Description

SonarCloud has highlighted security issues in the use of serialization to save and restore the state of java.util.Random instances.

When reading objects using ObjectInputStream.readObject() the class is first identified and the private readObject() method of the class type is executed (if it is present). If the class is a malicious class then potentially malicious code can be executed.

JDKRandom

Uses serialisation to save the java.util.Random instance to the RandomProviderState.

The code requires that java.util.Random is read using ObjectInputStream.readObject(). To ensure the code only allows java.util.Random to be read the code can adapt the ValidatingObjectInputStream idea from Commons IO to prevent malicious code execution.

JDKRandomBridge

This writes and reads a byte[] using the writeObject and readObject methods of ObjectOutput/InputStream. To avoid use of readObject() the code can be refactored to write the byte[] using the write(byte[]) method of ObjectOutputStream and the readFully(byte[]) method of ObjectInputStream.

Attachments

Issue Links

links to

GitHub Pull Request #72

Activity

People

Assignee:: Alex Herbert

Reporter:: Alex Herbert

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 30/Sep/19 22:58

Updated:: 11/Nov/19 14:26

Resolved:: 02/Oct/19 16:25

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

40m