From 8b115f4c8a75956caf964ae1d14dbe8a3f78cfaa Mon Sep 17 00:00:00 2001
From: Liam Garvie
Date: Thu, 13 May 2021 20:48:03 +0100
Subject: [PATCH 1/4] BAEL-4946 added in code for java deserialization vulnerabilities article
---
 .../vulnerabilities/BadThing.java | 28 ++++++++++++++
 .../vulnerabilities/MyCustomAttackObject.java | 14 +++++++
 .../vulnerabilities/BadThingTest.java | 38 +++++++++++++++++++
 3 files changed, 80 insertions(+)
 create mode 100644 core-java-modules/core-java/src/main/java/com/baeldung/deserialization/vulnerabilities/BadThing.java
 create mode 100644 core-java-modules/core-java/src/main/java/com/baeldung/deserialization/vulnerabilities/MyCustomAttackObject.java
 create mode 100644 core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingTest.java
diff --git a/core-java-modules/core-java/src/main/java/com/baeldung/deserialization/vulnerabilities/BadThing.java b/core-java-modules/core-java/src/main/java/com/baeldung/deserialization/vulnerabilities/BadThing.java
new file mode 100644
index 0000000000..ce13a9c372
--- /dev/null
+++ b/core-java-modules/core-java/src/main/java/com/baeldung/deserialization/vulnerabilities/BadThing.java
@@ -0,0 +1,28 @@
+package com.baeldung.deserialization.vulnerabilities;
+
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+import java.lang.reflect.Method;
+
+public class BadThing implements Serializable {
+    private static final long serialVersionUID = 0L;
+
+    Object looselyDefinedThing;
+    String methodName;
+
+    private void readObject(ObjectInputStream ois) throws ClassNotFoundException, IOException {
+        ois.defaultReadObject();
+        try {
+            Method method = looselyDefinedThing.getClass().getMethod(methodName);
+            method.invoke(looselyDefinedThing);
+        } catch (Exception e) {
+            // handle error...
+        }
+    }
+
+    private void writeObject(ObjectOutputStream oos) throws IOException {
+        oos.defaultWriteObject();
+    }
+}
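Review bot: Nothing in BadThing marks the reflective call in readObject() as the deliberate defect, and the file sits in src/main where it could be picked up as a pattern, so a class-level comment is needed: `// INTENTIONALLY VULNERABLE demo for the deserialization article: readObject() invokes an attacker-chosen method on an attacker-chosen object. Never deploy or copy.` The `catch (Exception e)` that only says `// handle error...` also hides whether the invocation ran at all, which the accompanying test relies on; the comment should at least say the swallow is intentional for the demo. A one-line pointer next to `ois.defaultReadObject()` to the safe alternative — validating the fields before use and, on Java 9+, installing an `ObjectInputFilter` on the stream — would keep the fix beside the bug; I am assuming the article covers that, since the diff itself does not.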
diff --git a/core-java-modules/core-java/src/main/java/com/baeldung/deserialization/vulnerabilities/MyCustomAttackObject.java b/core-java-modules/core-java/src/main/java/com/baeldung/deserialization/vulnerabilities/MyCustomAttackObject.java
new file mode 100644
index 0000000000..9b4e2d4b76
--- /dev/null
+++ b/core-java-modules/core-java/src/main/java/com/baeldung/deserialization/vulnerabilities/MyCustomAttackObject.java
@@ -0,0 +1,14 @@
+package com.baeldung.deserialization.vulnerabilities;
+
+import java.io.IOException;
+import java.io.Serializable;
+
+public class MyCustomAttackObject implements Serializable {
+    public static void methodThatTriggersAttack() {
+        try {
+            Runtime.getRuntime().exec("echo \"Oh, no! I've been hacked\"");
+        } catch (IOException e) {
+            // handle error...
+        }
+    }
+}
diff --git a/core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingTest.java b/core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingTest.java
new file mode 100644
index 0000000000..1d12403bec
--- /dev/null
+++ b/core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingTest.java
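Review bot: methodThatTriggersAttack() never reads or inherits the child's stdout, so the "hacked" message is written to a pipe nobody drains and the demo prints nothing even though the command really runs. `Runtime.exec(String)` also splits the command on whitespace, so the escaped double quotes reach echo as literal characters rather than as shell quoting. Both go away with `new ProcessBuilder("echo", "Oh, no! I've been hacked").inheritIO().start();` in place of the Runtime call. Spawning `echo` as a separate program presumes a Unix-like environment; a comment stating that (or a `cmd /c` branch for Windows) would save the next reader a head-scratch.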
@@ -0,0 +1,38 @@
+package com.baeldung.deserialization.vulnerabilities;
+
+import org.junit.Test;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+
+public class BadThingTest {
+
+    @Test
+    public void testCodeExecution() throws Exception {
+        BadThing bt = new BadThing();
+
+        bt.looselyDefinedThing = new MyCustomAttackObject();
+        bt.methodName = "methodThatTriggersAttack";
+
+        byte[] serializedObject = serialize(bt);
+
+        try (InputStream bis = new ByteArrayInputStream(serializedObject);
+             ObjectInputStream ois = new ObjectInputStream(bis)) {
+
+            ois.readObject(); // malicious code is run
+        }
+    }
+
+    private static byte[] serialize(Object object) throws Exception {
+        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
+             ObjectOutputStream oos = new ObjectOutputStream(bos)) {
+
+            oos.writeObject(object);
+            oos.flush();
+            return bos.toByteArray();
+        }
+    }
+}
\ No newline at end of file
From ab5b85c81c7587485b59b7d89c9fa3ac05a6eddf Mon Sep 17 00:00:00 2001
From: Liam Garvie
Date: Thu, 13 May 2021 21:17:37 +0100
Subject: [PATCH 2/4] BAEL-4946 added in code for java deserialization vulnerabilities article
---
 .../baeldung/deserialization/vulnerabilities/BadThingTest.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingTest.java b/core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingTest.java
index 1d12403bec..e533a07c3d 100644
--- a/core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingTest.java
+++ b/core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingTest.java
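Review bot: testCodeExecution() ends without an assertion, and because BadThing.readObject() swallows every exception from the reflective call, the test stays green even when the attack never fires — a typo in `bt.methodName = "methodThatTriggersAttack";` would go unnoticed. Have the attack object record that it ran, for example a `static volatile boolean triggered` flipped inside methodThatTriggersAttack(), and close the test with `assertTrue(MyCustomAttackObject.triggered);`. The comment on `ois.readObject(); // malicious code is run` could also explain why building the payload in-process is a fair stand-in for an attacker: presumably the article's point is that the victim only needs the gadget class on its classpath while the bytes come from outside. Running this test also spawns a real `echo` process, which is worth a comment for anyone watching CI logs.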
@@ -1,6 +1,7 @@
 package com.baeldung.deserialization.vulnerabilities;
 
 import org.junit.Test;
+import org.junit.jupiter.api.DisplayName;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -11,6 +12,7 @@ import java.io.ObjectOutputStream;
 public class BadThingTest {
 
     @Test
+    @DisplayName("When a BadThing object is deserialized, then code execution in MyCustomAttackObject is run.")
     public void testCodeExecution() throws Exception {
         BadThing bt = new BadThing();
 
From 06aa7787bf8b8f89aaca1e94a24d37553ec8df44 Mon Sep 17 00:00:00 2001
From: Liam Garvie
Date: Thu, 13 May 2021 21:19:33 +0100
Subject: [PATCH 3/4] BAEL-4946 added in code for java deserialization vulnerabilities article
---
 .../{BadThingTest.java => BadThingUnitTest.java} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/{BadThingTest.java => BadThingUnitTest.java} (97%)
diff --git a/core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingTest.java b/core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingUnitTest.java
similarity index 97%
rename from core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingTest.java
rename to core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingUnitTest.java
index e533a07c3d..5db51ba132 100644
--- a/core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingTest.java
+++ b/core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingUnitTest.java
@@ -9,7 +9,7 @@ import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 
-public class BadThingTest {
+public class BadThingUnitTest {
 
     @Test
     @DisplayName("When a BadThing object is deserialized, then code execution in MyCustomAttackObject is run.")
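Review bot: `org.junit.jupiter.api.DisplayName` is a JUnit 5 annotation, but the class is still driven by JUnit 4's `org.junit.Test`, so if this module runs under a JUnit 4 runner the display name is never shown and the import only adds a Jupiter dependency to a JUnit 4 test. Either move the class to Jupiter so the annotation takes effect, i.e. replace `import org.junit.Test;` with `import org.junit.jupiter.api.Test;`, or drop the annotation and let the method name carry the scenario, which is what the rename in patch 4 later does anyway. The patch 3 hunk on the same line only renames the class and needs no change.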
From ef8ca205411a55c37fd6cc8602893ade61169ddd Mon Sep 17 00:00:00 2001
From: Liam Garvie
Date: Wed, 19 May 2021 08:47:02 +0100
Subject: [PATCH 4/4] BAEL-4946 moved deserialization vulnerabilities code to a new package
---
 .../com/baeldung/deserialization/vulnerabilities/BadThing.java | 0
 .../deserialization/vulnerabilities/MyCustomAttackObject.java | 0
 .../deserialization/vulnerabilities/BadThingUnitTest.java | 2 +-
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename core-java-modules/{core-java => core-java-io-4}/src/main/java/com/baeldung/deserialization/vulnerabilities/BadThing.java (100%)
 rename core-java-modules/{core-java => core-java-io-4}/src/main/java/com/baeldung/deserialization/vulnerabilities/MyCustomAttackObject.java (100%)
 rename core-java-modules/{core-java => core-java-io-4}/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingUnitTest.java (92%)
diff --git a/core-java-modules/core-java/src/main/java/com/baeldung/deserialization/vulnerabilities/BadThing.java b/core-java-modules/core-java-io-4/src/main/java/com/baeldung/deserialization/vulnerabilities/BadThing.java
similarity index 100%
rename from core-java-modules/core-java/src/main/java/com/baeldung/deserialization/vulnerabilities/BadThing.java
rename to core-java-modules/core-java-io-4/src/main/java/com/baeldung/deserialization/vulnerabilities/BadThing.java
diff --git a/core-java-modules/core-java/src/main/java/com/baeldung/deserialization/vulnerabilities/MyCustomAttackObject.java b/core-java-modules/core-java-io-4/src/main/java/com/baeldung/deserialization/vulnerabilities/MyCustomAttackObject.java
similarity index 100%
rename from core-java-modules/core-java/src/main/java/com/baeldung/deserialization/vulnerabilities/MyCustomAttackObject.java
rename to core-java-modules/core-java-io-4/src/main/java/com/baeldung/deserialization/vulnerabilities/MyCustomAttackObject.java
diff --git a/core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingUnitTest.java b/core-java-modules/core-java-io-4/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingUnitTest.java
similarity index 92%
rename from core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingUnitTest.java
rename to core-java-modules/core-java-io-4/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingUnitTest.java
index 5db51ba132..ea2180d178 100644
--- a/core-java-modules/core-java/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingUnitTest.java
+++ b/core-java-modules/core-java-io-4/src/test/java/com/baeldung/deserialization/vulnerabilities/BadThingUnitTest.java
@@ -13,7 +13,7 @@ public class BadThingUnitTest {
 
     @Test
     @DisplayName("When a BadThing object is deserialized, then code execution in MyCustomAttackObject is run.")
-    public void testCodeExecution() throws Exception {
+    public void givenABadThingObject_whenItsDeserialized_thenExecutionIsRun() throws Exception {
         BadThing bt = new BadThing();
 
         bt.looselyDefinedThing = new MyCustomAttackObject();