BT

New Early adopter or innovator? InfoQ has been working on some new features for you. Learn more

Object Deserialisation Filters Backported from Java 9

| by Abraham Marín Pérez on Mar 28, 2017. Estimated reading time: 2 minutes |

JEP 290, which allows the filtering of incoming data when deserialising an object, and was initially targeted to Java 9, has been backported to Java 6, 7, and 8. The feature provides a mechanism to filter incoming data in an object input stream as it is being processed, and can help prevent deserialisation vulnerabilities like the one that affected Apache Commons and other libraries a while back.

Deserialisation of untrusted data is a commonly known risk listed by the Open Web Application Security Project (OWASP) and the CERT Oracle Coding Standard for Java (particularly rules SER12-J and SER13-J), among others. Software developers are supposed to always check that the incoming data in an ObjectInputStream is valid, however, the existing tools within the JDK didn't always make this easy. JEP 290 changes this by providing a way to filter incoming data without having to extend ObjectInputStream. This is done through several mechanisms, depending on how involved developers need to be.

At a basic level, developers can configure the default ObjectInputFilter by editing the system property jdk.serialFilter, or the security property jdk.serialFilter in conf/security/java.properties. These properties accept one or more patterns that can be used to identify classes (using syntax similar to Ant's file patterns), or to set limits in the properties of the objects being deserialised:

// reject deserialisation of any class belonging to untrustedmodule,
// and of any array with more than 500 items in it
jdk.serialFilter=!untrustedmodule/.**;maxarray=500 

// white-list classes from package com.myorg.trusted,
// but not necessarily from its subpackages.
jdk.serialFilter=com.myorg.trusted.* 

If more flexibility is needed, developers can specify their own actions and checks implementing their own ObjectInputFilter and then applying it to an existing ObjectInputStream using setObjectInputFilter. An ObjectInputFilter can use the information available at ObjectInputFilter.FilterInfo to decide whether the object currently being deserialised can be accepted, needs to be rejected, or whether the filter doesn't have enough information to make a decision; in the latter case, the custom filter can leave the status as undecided and delegate the decision to another user-defined filter or to the default system one.

Finally, if developers wish to use their own mechanism for all deserialisations, a user-defined filter can be assigned as the system default using ObjectInputFilter.Config.setSerialFilter.

As initially stated, developers won't need to wait until Java 9 to start applying filters to serialisation; JEP 290 is available in Java 8 update 121, Java 7 update 131, and Java 6 update 141.

Rate this Article

Adoption Stage
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Login to InfoQ to interact with what matters most to you.


Recover your password...

Follow

Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.

Like

More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.

Notifications

Stay up-to-date

Set up your notifications and dont miss out on content that matters to you

BT