diff --git a/core-java-modules/core-java-io-4/src/main/java/com/baeldung/deserialization/vulnerabilities/BadThing.java b/core-java-modules/core-java-io-4/src/main/java/com/baeldung/deserialization/vulnerabilities/BadThing.java new file mode 100644 index 0000000000..ce13a9c372 --- /dev/null +++ b/core-java-modules/core-java-io-4/src/main/java/com/baeldung/deserialization/vulnerabilities/BadThing.java @@ -0,0 +1,28 @@ +package com.baeldung.deserialization.vulnerabilities; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.io.Serializable; +import java.lang.reflect.Method; + +public class BadThing implements Serializable { + private static final long serialVersionUID = 0L; + + Object looselyDefinedThing; + String methodName; + + private void readObject(ObjectInputStream ois) throws ClassNotFoundException, IOException { + ois.defaultReadObject(); + try { + Method method = looselyDefinedThing.getClass().getMethod(methodName); + method.invoke(looselyDefinedThing); + } catch (Exception e) { + // handle error... + } + } + + private void writeObject(ObjectOutputStream oos) throws IOException { + oos.defaultWriteObject(); + } +} diff --git a/core-java-modules/core-java-io-4/src/main/java/com/baeldung/deserialization/vulnerabilities/MyCustomAttackObject.java b/core-java-modules/core-java-io-4/src/main/java/com/baeldung/deserialization/vulnerabilities/MyCustomAttackObject.java new file mode 100644 index 0000000000..9b4e2d4b76 --- /dev/null +++ b/core-java-modules/core-java-io-4/src/main/java/com/baeldung/deserialization/vulnerabilities/MyCustomAttackObject.java @@ -0,0 +1,14 @@ +package com.baeldung.deserialization.vulnerabilities; + +import java.io.IOException; +import java.io.Serializable; + +public class MyCustomAttackObject implements Serializable { + public static void methodThatTriggersAttack() { + try { + Runtime.getRuntime().exec("echo \"Oh, no! I've been hacked\""); + } catch (IOException e) { + // handle error... + } + } +} diff --git a/core-java-modules/core-java-io-4/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingUnitTest.java b/core-java-modules/core-java-io-4/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingUnitTest.java new file mode 100644 index 0000000000..ea2180d178 --- /dev/null +++ b/core-java-modules/core-java-io-4/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingUnitTest.java @@ -0,0 +1,40 @@ +package com.baeldung.deserialization.vulnerabilities; + +import org.junit.Test; +import org.junit.jupiter.api.DisplayName; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.InputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; + +public class BadThingUnitTest { + + @Test + @DisplayName("When a BadThing object is deserialized, then code execution in MyCustomAttackObject is run.") + public void givenABadThingObject_whenItsDeserialized_thenExecutionIsRun() throws Exception { + BadThing bt = new BadThing(); + + bt.looselyDefinedThing = new MyCustomAttackObject(); + bt.methodName = "methodThatTriggersAttack"; + + byte[] serializedObject = serialize(bt); + + try (InputStream bis = new ByteArrayInputStream(serializedObject); + ObjectInputStream ois = new ObjectInputStream(bis)) { + + ois.readObject(); // malicious code is run + } + } + + private static byte[] serialize(Object object) throws Exception { + try (ByteArrayOutputStream bos = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(bos)) { + + oos.writeObject(object); + oos.flush(); + return bos.toByteArray(); + } + } +} \ No newline at end of file