From 8906c2ddbe2f22887eb3dcbddd7976d8637bfd40 Mon Sep 17 00:00:00 2001
From: Dawid Weiss
Date: Tue, 17 Dec 2019 13:39:10 +0100
Subject: [PATCH] Merge forbidden APIs rules.
---
 gradle/validation/forbidden-apis/defaults.all.txt | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/gradle/validation/forbidden-apis/defaults.all.txt b/gradle/validation/forbidden-apis/defaults.all.txt
index 0a81d03e8a3..1e9a706366b 100644
--- a/gradle/validation/forbidden-apis/defaults.all.txt
+++ b/gradle/validation/forbidden-apis/defaults.all.txt
@@ -58,3 +58,7 @@ java.lang.Float#(double)
 java.lang.Float#(java.lang.String)
 java.lang.Double#(double)
 java.lang.Double#(java.lang.String)
+
+@defaultMessage Java deserialization is unsafe when the data is untrusted. The java developer is powerless: no checks or casts help, exploitation can happen in places such as clinit or finalize!
+java.io.ObjectInputStream
+java.io.ObjectOutputStream
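Review bot: The new `@defaultMessage` at the end of the hunk describes only deserialization, but it is also what a developer sees when the check trips on `java.io.ObjectOutputStream`, which writes serialized data rather than reading it. If the write side is banned on purpose, so that nothing produces data that later has to go through `ObjectInputStream`, give that line its own message using the per-signature form, e.g. `java.io.ObjectOutputStream @ Java serialization output must later be read with ObjectInputStream; use another format`. Both entries are class-level signatures, so the check reports only code that references these two classes directly. It will presumably not flag a dependency that deserializes on the caller's behalf, and the message or a comment above the entries should say this is a guard against direct use rather than a complete control.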