Deserialization injection
Noncompliant Code Example
import java.io.IOException;
import java.io.ObjectInputStream;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;

public class RequestProcessor {
    protected void processRequest(HttpServletRequest request) throws IOException, ClassNotFoundException {
        ServletInputStream sis = request.getInputStream();
        // The request body is attacker-controlled; readObject() will instantiate any serializable class named in it
        ObjectInputStream ois = new ObjectInputStream(sis);
        Object obj = ois.readObject(); // Noncompliant
    }
}
Compliant Solution
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;

public class SecureObjectInputStream extends ObjectInputStream {
    public SecureObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Look-ahead check: resolveClass() runs when the class descriptor is read, before any
    // instance is created, so a rejected class never gets to run its readObject()/readResolve() hooks.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException {
        // Only deserialize instances of AllowedClass
        if (!osc.getName().equals(AllowedClass.class.getName())) {
            // InvalidClassException(cname, reason): the offending class name goes first
            throw new InvalidClassException(osc.getName(), "Unauthorized deserialization");
        }
        return super.resolveClass(osc);
    }
}

public class RequestProcessor {
    protected void processRequest(HttpServletRequest request) throws IOException, ClassNotFoundException {
        ServletInputStream sis = request.getInputStream();
        SecureObjectInputStream sois = new SecureObjectInputStream(sis);
        Object obj = sois.readObject();
    }
}
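The following is an added, self-contained example (not code from the original page or from the rule's author) that shows why the unfiltered readObject() is dangerous and that both allowlisting techniques stop it. It assumes a stand-in AllowedClass with only primitive fields, a hypothetical class Unexpected whose readObject() hook records that it ran, and serialized payloads constructed in-process. Besides the resolveClass() override used above, it also shows the JDK's built-in ObjectInputFilter (Java 9+, JEP 290), which additionally lets you cap graph depth and stream size.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;

public class DeserializationFilterDemo {

    // Stand-in for the page's AllowedClass: the one type the endpoint expects (primitive fields only,
    // so no other class descriptor appears in the stream).
    static final class AllowedClass implements Serializable {
        private static final long serialVersionUID = 1L;
        final int amount;
        AllowedClass(int amount) { this.amount = amount; }
    }

    // Hypothetical class standing in for anything else an attacker can name in the stream. Its
    // readObject() hook runs inside ObjectInputStream.readObject(), before the caller can cast or
    // inspect the result; real gadget chains abuse exactly this kind of hook.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean hookRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            hookRan = true; // side effect triggered purely by the class being present in the stream
        }
    }

    // Allowlist via resolveClass(), the technique shown on the page (works on any Java version).
    static final class SecureObjectInputStream extends ObjectInputStream {
        SecureObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException {
            if (!osc.getName().equals(AllowedClass.class.getName())) {
                throw new InvalidClassException(osc.getName(), "Unauthorized deserialization");
            }
            return super.resolveClass(osc);
        }
    }

    // Constructed payloads: what a client (or attacker) would send as the request body.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Noncompliant reader: whatever class the stream names gets instantiated.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    static Object readWithResolveClass(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new SecureObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Allowlist via ObjectInputFilter (Java 9+): limits first, then the allowed class, then "!*" to
    // reject every other class. The filter runs before instantiation, like resolveClass().
    static Object readWithJdkFilter(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxbytes=4096;" + AllowedClass.class.getName() + ";!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new AllowedClass(42));
        byte[] bad = serialize(new Unexpected());

        // Both hardened readers still accept the expected type.
        System.out.println("resolveClass: amount=" + ((AllowedClass) readWithResolveClass(good)).amount);
        System.out.println("ObjectInputFilter: amount=" + ((AllowedClass) readWithJdkFilter(good)).amount);

        // The unfiltered reader executes Unexpected.readObject() before returning anything.
        Unexpected.hookRan = false;
        readUnfiltered(bad);
        System.out.println("unfiltered: hook ran = " + Unexpected.hookRan);

        // Both hardened readers reject the class before its hook can run.
        for (String name : new String[] {"resolveClass", "ObjectInputFilter"}) {
            Unexpected.hookRan = false;
            try {
                if (name.equals("resolveClass")) readWithResolveClass(bad); else readWithJdkFilter(bad);
                System.out.println(name + ": accepted (unexpected)");
            } catch (InvalidClassException e) {
                System.out.println(name + ": rejected (" + e.getMessage() + "), hook ran = " + Unexpected.hookRan);
            }
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. Whichever mechanism you use, every class descriptor in the stream has to pass the check, including the declared types of AllowedClass's non-primitive fields, so keep the allowed type flat or extend the allowlist deliberately; and prefer ObjectInputFilter where the runtime allows it, since the same filter can be set process-wide with the jdk.serialFilter system property rather than relying on every code path to use the custom stream class.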